Secure Shell (SSH) is a cryptographic network protocol used to securely access, manage and transfer data between remote Linux/Unix based systems and servers. Developed as a more secure alternative to earlier unencrypted protocols like Telnet and FTP, SSH uses cryptographic techniques to ensure all communication to and from a remote server happens in an encrypted manner, preventing confidential data from being stolen or compromised in transit.
OpenSSH is the free and open source implementation of the SSH protocol suite, providing encryption for services like remote logins, command execution, and secure file transfers.
This step-by-step guide will take you through installing and configuring an OpenSSH server on Ubuntu 20.04.
Introduction to SSH
SSH consists of two key components:
- SSH daemon (sshd) – This server component listens on port 22 (by default) for incoming connection requests, managing logins and encryption keys, and spawning shell sessions for authorized clients.
- SSH clients (ssh) – Client components allow a user to connect to SSH servers and access remote shell sessions. Popular SSH clients include the ssh command, as well as GUI tools like PuTTY.
SSH utilizes public key cryptography to authenticate clients and encrypt data flowing between the SSH server and clients. This is generally more secure than relying solely on password authentication, which is prone to brute force login guessing.
Some key capabilities provided by SSH include:
- Strong encryption of all traffic, preventing packet sniffing or man-in-the-middle attacks.
- Tunneling other protocols through an encrypted SSH channel using port forwarding.
- Automated transfer of files between client and server machines via SFTP.
- X11 forwarding – securely using graphical remote applications.
OpenSSH is the default SSH implementation included in Ubuntu and Debian based Linux distributions. Alternative SSH solutions also exist, like Dropbear SSH which is more lightweight but supports fewer encryption types.
Prerequisites
Before installing and setting up OpenSSH server, some prerequisites must be met:
- You must have an Ubuntu Server 20.04 LTS system with a non-root user account that has
sudo
privileges to run commands as a superuser when required. - Your package repository sources must be up to date so the latest OpenSSH packages can install. Run
sudo apt update
to refresh your apt package index. - You must have the Universe repository enabled, as OpenSSH server is installed from there. Check it is present in
/etc/apt/sources.list
.
Step 1 – Install OpenSSH Server and Client Packages
With the prerequisites met, you can now install the OpenSSH server daemon package (openssh-server
) as well as the OpenSSH client package (openssh-client
) using the apt package manager:
sudo apt install openssh-server openssh-client
When prompted, enter Y to confirm installation and additional disk space usage. Ubuntu 20.04 includes OpenSSH 7.2p2 or newer by default through these packages.
To verify which version you have installed:
ssh -V # OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
Be sure to apply any security updates to OpenSSH releases promptly:
sudo apt update sudo apt upgrade
Step 2 – Check SSH Service Status
With OpenSSH installed, the sshd service should start automatically. Verify it is running with:
sudo systemctl status ssh ● ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset:> Active: active (running) since Fri 2020-04-20 22:22:23 UTC; 35s ago
If sshd is not running for some reason, you can start it manually:
sudo systemctl start ssh
Additional operations like restarting, stopping or reloading sshd configuration can be done via more systemctl commands.
Step 3 – Open Firewall for SSH Traffic
With Ubuntu‘s default firewall UFW, incoming connections to sshd are blocked by default for security.
You need to explicitly allow SSH traffic inbound:
sudo ufw allow ssh
This opens TCP port 22 that sshd listens on so clients can connect.
Verify this with:
sudo ufw status Status: activeTo Action From
22 ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
Step 4 (Optional) – Additional Security Hardening
While the above provides a base level SSH setup, additional hardening should be considered for production environments facing the public internet:
A. Disable Password Authentication
Requiring public key authentication instead of password logins reduces brute force risk.
Edit /etc/ssh/sshd_config
and set:
PasswordAuthentication no PubkeyAuthentication yes
Keys can be generated easily and distributed ahead of time to any clients.
B. Change the Listening Port
Changing from port 22 to a non-standard one reduces scans and scripted attacks attempting to target the standard SSH port.
For example using port 22222 instead:
Port 22222
C. Use VPN Encapsulation
Tunneling SSH within an encrypted VPN connection enhances privacy and security, obscuring the SSH server from public sight.
D. Limit Connecting Users/Groups
Restrict which system users or groups can log in via SSH by user/group name or by IP address ranges:
AllowUsers user1@192.168.1.* AllowGroups sshlogin
There are many more advanced sshd configuration options, see man sshd_config
for details.
Applying additional monitoring, intrusion detection, VPN encapsulation and routine vulnerability testing also helps secure production SSH environments.
Step 5 – Configure SSH Client
To connect clients to your newly setup SSH server, a range of SSH client software is available including:
- OpenSSH
ssh
command line client - PuTTY, KiTTY
- Linux desktop GUI clients like GNOME Terminals
- Mobile device SSH apps
Additional client configuration may be required depending on your network environment and routes to the server:
A. HTTP/SOCKS Proxy
If required to route connections via a proxy server:
ssh -o ProxyCommand="connect -S 192.0.2.1:1080 %h %p" user@host
B. Local Port Forwarding
Forward a local port to a remote service via an SSH session:
ssh -L 9000:email.host:143 user@gateway
C. ControlMaster Socket Multiplexing
Reuse an existing SSH connection for new parallel sessions instead of spawning additional separate SSH channels. This speeds up certain workloads.
ssh -M -S /tmp/socket-tunnel user@10.1.1.10
There are many more ssh client options available for specific use cases.
Conclusion
Installing and configuring OpenSSH server on Ubuntu 20.04 allows for securely accessing the remote server, tunneling traffic or transferring files through encrypted channels.
Consider additional hardening, monitoring, and testing procedures for production SSH server deployments. Keeping OpenSSH updated and properly managing keys and privileges is imperative for security.
There are also many useful ssh client configuration options for further optimizing secure remote access.