If you performed an installation of Ubuntu 22.04 or Ubuntu 20.04 from a CD ISO image, the OpenSSH server and client packages are installed alongside OS base installation. You need to manually install and configure OpenSSH server to enable remote logins through an ssh client. OpenBSD Secure Shell, commonly known as OpenSSH, is a set of applications that provides encrypted communication sessions over the Secure Shell (SSH) protocol. It is a standard way of accessing both Linux and Unix servers remotely over the internet.
In this article we will discuss the installation and configuration of SSH Server on Ubuntu 22.04|20.04 Linux machine. The article can be used for Desktop or Server editions of Ubuntu OS. In most cloud instances, OpenSSH server is installed and configured to start at system boot. We have a dedicated article on how to install the latest Ubuntu OS 22.04, in case you’re interested.
Once the OS is installed, log in as root or as a standard user with sudo privileges and continue to configure OpenSSH server on the Ubuntu 22.04 / Ubuntu 20.04 Linux system.
Step 1) Install OpenSSH Server packages on Ubuntu 22.04|20.04
We shall start with the OpenSSH server installation process on Ubuntu 22.04|20.04. But first, update the OS package list as configured in the sources repositories:
$ sudo apt update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [90.7 kB]
Hit:2 http://ke.archive.ubuntu.com/ubuntu jammy InRelease
Get:3 http://ke.archive.ubuntu.com/ubuntu jammy-updates InRelease [90.7 kB]
Get:4 http://ke.archive.ubuntu.com/ubuntu jammy-backports InRelease [90.7 kB]
Fetched 272 kB in 2s (163 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
45 packages can be upgraded. Run 'apt list --upgradable' to see them.
Thereafter, install OpenSSH Server packages on Ubuntu 22.04|20.04 using the commands below:
$ sudo apt install openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
openssh-sftp-server runit-helper
Suggested packages:
molly-guard monkeysphere ssh-askpass ufw
The following NEW packages will be installed:
openssh-server openssh-sftp-server runit-helper
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 446 kB of archives.
After this operation, 1,765 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
After the installation of OpenSSH server, start ssh service:
sudo systemctl start ssh
It is recommended to enable the service to start with the OS. This will ensure you’re not logged out of the system if the system is rebooted.
$ sudo systemctl enable ssh
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
The command below will show the status of the service. If everything went as expected, it should be in the running state.
$ systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-11-11 12:12:16 EAT; 1h 47min ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 657 (sshd)
Tasks: 1 (limit: 9482)
Memory: 6.1M
CPU: 84ms
CGroup: /system.slice/ssh.service
└─657 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
Nov 11 12:12:16 ubuntu22 systemd[1]: Starting OpenBSD Secure Shell server...
Nov 11 12:12:16 ubuntu22 sshd[657]: Server listening on 0.0.0.0 port 22.
Nov 11 12:12:16 ubuntu22 sshd[657]: Server listening on :: port 22.
Nov 11 12:12:16 ubuntu22 systemd[1]: Started OpenBSD Secure Shell server.
The OpenSSH server configuration file is /etc/ssh/sshd_config. The file contains keyword-argument pairs, one per line. All the lines starting with # and empty lines are interpreted as comments.
Step 2) Copy your SSH Public key from Workstation to Ubuntu system
Before you can disable password authentication for SSH, you need to copy SSH public keys from workstation to the server or remote Ubuntu Desktop machine.
Generate SSH keys if you don’t have them already on your Workstation OS – the command provided works for Linux and macOS:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/neveropen/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/neveropen/.ssh/id_rsa
Your public key has been saved in /home/neveropen/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:OYXlyX/3nXMdSz581TDOnl78PPXAv31h03GI39bu9x8 neveropen@myarch
The key's randomart image is:
+---[RSA 3072]----+
| . |
| = . |
| . = .o. |
| o ..o.+o|
| S .o++O|
| . oBB#|
| +E&|
| . +#|
| .o#|
+----[SHA256]-----+
Get the public or private IP address of the remote Ubuntu system:
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:13:e7:d6 brd ff:ff:ff:ff:ff:ff
inet 192.168.200.46/24 brd 192.168.200.255 scope global dynamic noprefixroute enp1s0
valid_lft 3519sec preferred_lft 3519sec
inet6 fe80::bfeb:53e3:8760:78ee/64 scope link noprefixroute
valid_lft forever preferred_lft forever
My Ubuntu 22.04 Server IP address is 192.168.200.46. Ping the IP address to confirm network connectivity from your workstation machine:
$ ping -c 3 192.168.200.46
PING 192.168.200.46 (192.168.200.46): 56 data bytes
64 bytes from 192.168.200.46: icmp_seq=0 ttl=63 time=188.575 ms
64 bytes from 192.168.200.46: icmp_seq=1 ttl=63 time=181.137 ms
64 bytes from 192.168.200.46: icmp_seq=2 ttl=63 time=192.178 ms
--- 192.168.200.46 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 181.137/187.297/192.178/4.597 ms
After confirming you can access remote Ubuntu server from your Workstation, copy SSH public key:
$ ssh-copy-id ubuntu@192.168.200.46
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.200.46' (ECDSA) to the list of known hosts.
ubuntu@192.168.200.46's password: <INPUT-LOGIN-USER-PASSWORD>
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'ubuntu@192.168.200.46'"
and check to make sure that only the key(s) you wanted were added.
Where:
- ubuntu is the remote user account
- 192.168.200.46 is the IP address of remote Ubuntu system
Test SSH connectivity to the remote Ubuntu system after copying the SSH public key. You should not be prompted for the user password, but you may be asked for the SSH private key passphrase if one was set.
$ ssh ubuntu@192.168.200.46
Warning: Permanently added '192.168.200.46' (ECDSA) to the list of known hosts.
Enter passphrase for key '/Users/jmutai/.ssh/id_rsa':
Welcome to Ubuntu Jammy Jellyfish (development branch) (GNU/Linux 5.13.0-19-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
45 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Thu Nov 11 13:55:16 2021 from 192.168.200.1
Step 3) Disabling remote SSH for root user (Optional)
To get improved security in your remote Ubuntu system, consider disabling root user ssh login.
On remote Ubuntu system, edit SSH server configuration file and set parameter to disable root access through ssh:
$ sudo vim /etc/ssh/sshd_config
PermitRootLogin no
There is also the option of allowing the root user to authenticate with any allowed mechanism other than password or keyboard-interactive. For this, set the parameter as below:
PermitRootLogin prohibit-password
With the above configuration, we’ll be able to log in as the root user with an SSH private key, provided the SSH public key was copied to the system before the SSH server service is restarted:
$ ssh-copy-id root@192.168.200.46
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/jmutai/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.200.46' (ECDSA) to the list of known hosts.
root@192.168.200.46's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.200.46'"
and check to make sure that only the key(s) you wanted were added.
Restart SSH service to apply new configurations in the file.
sudo systemctl restart ssh
systemctl status ssh
Step 4) Disabling SSH Password Authentication (Optional)
Password authentication on SSH can be disabled completely. The only way to login over SSH will be with the use of SSH keys.
Set PasswordAuthentication keyword to no to disallow password authentication for all users:
$ sudo vim /etc/ssh/sshd_config
PasswordAuthentication no
Restart SSH service for the new change to take effect.
sudo systemctl restart ssh
SSH authentication without a public key will definitely fail.
$ ssh ubuntu@192.168.200.46
ubuntu@192.168.200.46: Permission denied (publickey).
When the SSH private key is not in the default ~/.ssh/id_rsa, use -i to pass the path to the identity file manually:
$ ssh ubuntu@192.168.200.46 -i /path/to/privkey
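The check below is an added example, not part of the original article: it reads sshd_config-style files in the order given, keeps the first global value of each keyword as sshd does, and reports whether the Step 3 and Step 4 settings are really in effect. The function names and sample file contents are constructed; it assumes the Ubuntu layout where /etc/ssh/sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so drop-in files are read before the main file.

```shell
#!/bin/sh
# Added example (not from the article): offline check of the Step 3/4 settings.
# On a live host, `sudo sshd -t` validates the file before a restart and
# `sudo sshd -T` prints the configuration sshd will actually use.

# effective_value KEYWORD FILE...
# Prints the first global value of KEYWORD; sshd keeps the first value it
# reads, so pass the files in the order sshd reads them.
effective_value() {
    kw=$1; shift
    awk -v kw="$kw" '
        FNR == 1               { in_match = 0 }   # a Match block ends with its file
        /^[ \t]*(#|$)/         { next }           # comment or empty line
        { sub(/=/, " ") }                         # allow the "Keyword=value" form
        tolower($1) == "match" { in_match = 1; next }
        in_match               { next }           # conditional, not a global value
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$@"
}

# audit_sshd FILE...
# Returns 0 only when root password login and password authentication are off.
audit_sshd() {
    rc=0
    root=$(effective_value PermitRootLogin "$@")
    pass=$(effective_value PasswordAuthentication "$@")
    root=${root:-prohibit-password}   # OpenSSH default when the keyword is unset
    pass=${pass:-yes}                 # OpenSSH default when the keyword is unset
    case $root in
        no|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=$root"; rc=1 ;;
    esac
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=$pass"; rc=1; }
    return $rc
}

# Constructed sample: a drop-in that re-enables passwords, read before a
# main file carrying the settings from Steps 3 and 4.
demo() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\n' > "$d/50-sample.conf"
    printf '#PermitRootLogin yes\nPermitRootLogin no\nPasswordAuthentication no\n' \
        > "$d/sshd_config"
    audit_sshd "$d/sshd_config" && echo "main file alone: OK"
    audit_sshd "$d/50-sample.conf" "$d/sshd_config" || echo "with drop-in: not hardened"
    rm -rf "$d"
}
demo
```

On a real system, call audit_sshd with the files under /etc/ssh/sshd_config.d/ first and /etc/ssh/sshd_config last, and keep an existing SSH session open until a new key-based login has succeeded.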
Conclusion
In conclusion, OpenSSH server has been installed and configured successfully on an Ubuntu 22.04/20.04 Linux machine. We went further into extra configurations such as disabling root user login and SSH password authentication. In our future guides we shall cover more topics relating to OpenSSH. Stay connected for updates!