
How to install OpenSSH to manage Linux servers

Install OpenSSH on Linux and streamline SSH connections while increasing system security. Manage related components, configuration files, and SSH keys with our guide.

As system admins who run websites on Liquid Web servers know well, with the rapid evolution of the internet and the increasing complexity of modern networks, the demand for robust protocols for secure data exchange has intensified considerably. Based on the Secure Shell (SSH) protocol, OpenSSH emerges as a powerful suite of networking tools designed to establish secure connections to remote end systems and network devices.

In this article, we explore the implementation of OpenSSH and its essential components, including key management and configuration files. You will learn how to install OpenSSH on Linux and then how to configure it to streamline SSH connections while increasing system security.


The important takeaways found in this help article

The reader will walk away with a better understanding of the following subjects after reading this piece of OpenSSH help documentation:

  • The definition of OpenSSH
  • Understanding the three components of OpenSSH
  • How to install OpenSSH on Linux
  • Connecting to a server using OpenSSH
  • Taking advantage of OpenSSH key management
  • Streamlining SSH connections with a local configuration file
  • Five ways to secure OpenSSH on Linux

What is OpenSSH?

OpenSSH represents an implementation of the SSH protocol (Secure Shell) that includes several networking utilities that ensure secure data transfer for managing remote systems. First introduced in 1999, OpenSSH is developed as part of the OpenBSD operating system and is released under the BSD license.

The critical role of OpenSSH is underscored by its ability to safeguard sensitive information transmitted through public networks. Utilizing strong authentication policies and data encryption, OpenSSH ensures confidentiality and data integrity for effective system administration.

OpenSSH on Linux is considered a standard for providing remote access to servers and network devices, especially in the Linux community. However, you can also install OpenSSH on Windows. This article will focus on the steps related to installing OpenSSH on Linux.

About the 3 key components of OpenSSH

OpenSSH incorporates several vital components that provide essential functionality for secure data exchange over unprotected networks. The three essential components of OpenSSH include the SSH client and SSH server daemon, OpenSSH key management, and secure file transfer tools such as SCP and SFTP.

1. OpenSSH client and OpenSSH server daemon

The OpenSSH client and server daemon are the two most critical components of OpenSSH that enable its client-server architecture for secure remote access.

OpenSSH server daemon is an application that runs in the background on a remote system and accepts requests for secure connections over the SSH protocol. OpenSSH client, in turn, is an application installed on a local system such as a laptop, workstation, or another server that can connect to an SSH server and issue commands on a remote system.

Running in the background, OpenSSH server daemon, or sshd, listens for incoming requests on a specified port. By default, port 22 is reserved for SSH connections. OpenSSH server daemon uses the configuration values from the sshd_config file to define various settings for the SSH server, including authentication methods, access controls, and connection parameters.

The OpenSSH client specifies the client side of SSH connections and is supported by all major operating systems, including macOS, Windows, and Linux distributions. It uses the ssh_config configuration file to streamline SSH connections for remote systems.

2. OpenSSH key management suite

While OpenSSH supports password-based authentication, it offers public key authentication as a more secure and convenient method. Using a pair of cryptographic SSH keys, a private key and a public key, no passwords are ever transmitted when establishing an SSH connection to a remote system.

One of OpenSSH’s most important aspects is its key management suite, which includes ssh-keygen, ssh-agent, and ssh-add as its three essential components. Using one of the available digital signature algorithms, ssh-keygen allows you to generate and manage cryptographic keys that enhance the security of SSH connections through key-based authentication.

The ssh-agent process is initiated at the beginning of a login session. The process runs in the background and accepts SSH keys from ssh-add. The ssh-add and ssh-agent tools simplify key-based authentication by prompting the user for the key passphrase and storing the unlocked key in memory. Once a key is unlocked with the passphrase you entered, you will not need to supply it again to make additional SSH connections.

3. SSH-based file transfer tools

The Secure File Transfer Protocol (SFTP) and Secure Copy Protocol (SCP) utilities are the primary tools for secure file transfer over SSH. As part of the OpenSSH suite, SFTP is typically included in the openssh-server Linux package, while SCP is available through the scp command-line utility.

SFTP provides a wider set of features, including file management, such as directory listing and resuming interrupted transfers, making it ideal for comprehensive file administration on remote systems. SCP, on the other hand, offers a simpler, more straightforward approach for copying files between systems, providing efficiency for quick file transfers.

Installing OpenSSH on Linux

To install and configure OpenSSH on Linux, you must ensure both the openssh-client and openssh-server packages are set up on your server. The openssh-client package provides the necessary tools for connecting to remote systems, while the openssh-server package enables your Linux system to accept incoming SSH connections.

Step #1. Check if OpenSSH is installed on your Linux server

OpenSSH is a free and open source software suite available through the standard repositories of Linux distributions. Typically, the free OpenSSH openssh-client and openssh-server packages are installed on a Linux server upon the initial operating system setup. You can verify whether the OpenSSH client and OpenSSH server are installed on your Linux server by using the which command, as shown below:

$ which ssh
/usr/bin/ssh

$ which sshd
/usr/sbin/sshd

If ssh and sshd are missing, follow the instructions below to install OpenSSH Linux packages.

Step #2. Install OpenSSH on Linux

To install the OpenSSH client and server components, use your Linux distribution’s package manager to download and configure the client and server packages. On Red Hat-based Linux operating systems, including AlmaLinux and Rocky Linux, the client package is named openssh-clients, so use the following commands:

$ dnf install openssh-clients
$ dnf install openssh-server

Step #3. Verify that OpenSSH server is listening for SSH connections

By default, the openssh-server package is automatically started and enabled to start on boot once installed. With the OpenSSH server running in the background, your server will now be listening for incoming SSH connections on port 22. The ss (socket statistics) command will display a list of sshd processes running on your Linux server, along with the process ID, network interface, and port number.

$ ss -tulpn | grep ssh

If — for some reason — no processes are shown, check if the sshd daemon is running using the systemctl status sshd command.

Connecting to a server using OpenSSH

To connect to a remote server via OpenSSH, simply execute the ssh command followed by the name or IP address of the server you would like to connect to.

By default, the ssh command will take the username you’re currently logged in with for the SSH connection. If you would like to use a different username, such as root, specify it with the ssh command by including the username followed by the @ symbol just before the IP address or hostname of the target remote system.

The SSH command also assumes the OpenSSH server on the remote system is listening on port 22. You can use a different port by employing the -p option followed by a port number:

$ ssh root@192.168.1.5 -p 2022

Once you’re finished with your SSH session, type exit at the shell prompt or press the Ctrl + D keys on your keyboard. When you terminate an OpenSSH connection, any processes associated with it that you may have had running will be killed. Be sure to finish working with them before you close your connection or use a screen session.

Taking advantage of OpenSSH key management

OpenSSH key management suite allows you to leverage public key authentication by setting up and using SSH keys. Here are three of the primary ways you can do that.

1. Generating private and public OpenSSH keys

Use the ssh-keygen command to generate a new OpenSSH key pair. You can execute the command without any arguments, in which case the new key pair will be saved in your /home/<user>/.ssh directory. You will see a public key named id_rsa.pub and a private key named id_rsa. You can specify the directory to store the new key pair and the name of the new keys by using the -f flag.

You will then be prompted for a passphrase. Although using a passphrase introduces an additional step to the authentication process, it dramatically enhances security. Furthermore, you can change the passphrase at a later time if the need arises.

By default, ssh-keygen will generate a 3072-bit RSA key. You can specify the format and size of the key using the -t and -b arguments, respectively. The standard 3072-bit key meets all compliance and security standards; however, you can increase its size for enhanced security or even use a different algorithm, such as Ed25519. The command shown below will generate a 4096-bit RSA key named myserver_key in the user’s .ssh directory.

$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/myserver_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/<user>/.ssh/myserver_key
Your public key has been saved in /home/<user>/.ssh/myserver_key.pub

2. Copying and transmitting your public key to a remote server

To be able to log into a remote system with the newly created key, you first need to copy the public key to the OpenSSH server. You can use the OpenSSH ssh-copy-id command to transmit your public key to the remote system. Replace the IP address below with the IP address of the target server and specify the user for whom you would like to upload the key:

$ ssh-copy-id -i ~/.ssh/myserver_key.pub <user>@192.168.1.5

You will be asked to log in using the user’s password first, and then your public key will be copied over. The contents of ~/.ssh/myserver_key.pub on your local computer, or on the server you will be connecting from, are copied into the /home/<user>/.ssh/authorized_keys file on the remote server. With each additional key you add (for example, if you plan to connect to that remote server from multiple machines), the new key is appended to the end of the authorized_keys file, one per line.

3. Changing the passphrase of an OpenSSH key

At some point, you may want to change the passphrase associated with your OpenSSH key pair. You can use the -p argument with the ssh-keygen command to achieve that. The same argument can also be used if you did not create a passphrase for your key when you initially generated the key pair:

$ ssh-keygen -p 

Once you enter the ssh-keygen command with the -p flag, you will be asked to provide the path to your private key. You can press the Enter key to accept the default file (id_rsa) unless the private key you would like to alter is saved under a different name or located in a different directory. You will be asked for your current passphrase (if one is already configured for the key), followed by your new passphrase twice.

Streamlining SSH connections with a local configuration file

You can significantly simplify connecting to remote servers via SSH by using a local OpenSSH configuration file. This file lets you define shortcuts and set preferences for each SSH connection, streamlining the process and reducing the need to enter connection and authentication details repeatedly.

Similarly to the generated OpenSSH key pairs, the local OpenSSH client configuration file is stored in the .ssh folder inside the user’s home directory. The config file will not exist in the default install of OpenSSH on Linux, but once it’s created, OpenSSH will parse it whenever the client is used.

While you can place all connection and authentication details in the config file for all remote systems you will be connecting to, you can also create additional files and reference them in the config file for OpenSSH to parse. Use the Include directive for this purpose.

The configuration block for each remote server or a group of servers will typically look like this:

Host myserver
        Hostname 192.168.1.5
        Port 2022
        User admin
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/myserver_key

In the example above, the Hostname could be specified as either the IP address or the hostname of the remote server. The User and Port directives specify the user account and port number used to connect to the server. IdentityFile references the private key used for authentication.

OpenSSH will automatically use the specified configuration values once you initiate an SSH connection to a remote server configured in the config file. You only need to supply the alias defined in the Host directive. The aliases of each server within the OpenSSH config file are arbitrary and don’t have to match the actual hostnames of the remote servers you are connecting to:

$ ssh myserver

In this example, with the configuration details for the SSH connection supplied in the config file, executing ssh myserver is equivalent to executing ssh admin@192.168.1.5 -p 2022. By default, you will connect as the user specified in the configuration file for this server. However, if you need to log in as a different user, specify that in the SSH command, just as you would with any other connection detail you might want to alter.

5 ways to secure OpenSSH on Linux

OpenSSH is an indispensable suite of tools for managing Linux servers remotely. However, the default implementation of an OpenSSH server is highly susceptible to cyberattacks. Without proper security mechanisms in place, such as strong authentication methods, updated protocols, and strict access control, attackers can exploit various vulnerabilities to expose sensitive information and execute malicious commands.

For example, with password authentication and root login enabled, and the OpenSSH server listening for connections on the default port 22, attackers can launch a brute force attack to gain unauthorized administrative access. Therefore, it is critical that the OpenSSH server is secured to reduce the attack surface.

Remember that the /etc/ssh/sshd_config file is used to configure the OpenSSH server on Linux. All security enhancements outlined in the next sections must be implemented by modifying configuration values in the /etc/ssh/sshd_config file, followed by reloading or restarting the sshd daemon to apply the new configuration changes. You will find the necessary command further down in this document.

1. Enforcing OpenSSH Protocol 2

All OpenSSH versions available in standard repositories of Linux distributions today default to using Protocol 2 as the protocol OpenSSH listens for. OpenSSH Protocol 2 is much more secure than OpenSSH Protocol 1. However, if you still have an older server in production, you may need to adjust the protocol version in the sshd_config file:

Protocol 2

2. Changing the default OpenSSH port

Changing the port number the OpenSSH server listens on, which defaults to port 22, can help secure your OpenSSH implementation tremendously. However, a persistent attacker would still be able to determine the port OpenSSH listens on by using port scanning software, so it’s important to implement other security mechanisms.

To change the port on which the OpenSSH server listens, change the port number from the default value of port 22 in the following line of the sshd_config file. Make sure no other applications listen on the new port specified. In this example, we are specifying port 2022:

Port 2022

3. Disabling password authentication

Disabling password-based authentication reduces the attack surface and increases your server security by a considerable margin. If you turn off password authentication for the OpenSSH server, you must use an SSH key pair to log into the system via SSH; make sure to upload your public key to the server before proceeding with this step.

Locate the following line containing the PasswordAuthentication setting in the sshd_config file and change it to no from the default yes.

PasswordAuthentication no

4. Defining a list of users and groups allowed to log in via SSH

By default, all users created on a Linux server are permitted to log in remotely via SSH. Attackers may use common usernames, such as admin, user, or a name of a known service like git, postgres, or redis, to try to gain unauthorized access to the server. This is why it is recommended to restrict the group of users who can log into the server via SSH.

The sshd_config file uses the AllowUsers and AllowGroups directives to specify the list of users or user groups allowed to open a remote SSH connection to the server. You can separate each user or group by a space. AllowUsers overrides AllowGroups, so if a user is added to the AllowUsers list, you must add its primary group to the AllowGroups directive:

AllowUsers username1 username2
AllowGroups group1 group2 sshusers

To leverage the AllowGroups directive, you can create a special group, for example, sshusers, and define it as a supplementary group for the Linux users who require SSH access to the server. The commands below are used to create the new sshusers group and add a user named myadminuser to it:

$ groupadd sshusers
$ usermod -aG sshusers myadminuser


5. Disabling root SSH login

By default, the root user is locked and cannot make SSH connections on most Linux distributions. However, hosting providers usually allow root SSH logins on Linux servers for the sake of convenience.

You can disable SSH logins for the root user entirely by setting PermitRootLogin to no, or use the prohibit-password option to disable only password authentication for root if you have password authentication enabled globally. It is recommended that an additional administrative user account be configured that can escalate to root upon login. Set one of the two values below, not both:

# Disable root logins over SSH entirely
PermitRootLogin no

# Or: allow root to log in with an SSH key, but never with a password
PermitRootLogin prohibit-password

Applying the SSH server configuration changes

Please note that in order to apply the changes to the SSH server configuration, you will need to restart or reload the sshd daemon. You can do so with either the systemctl restart sshd or the systemctl reload sshd command:

# Run one of the following
$ systemctl restart sshd
$ systemctl reload sshd

The /etc/ssh/sshd_config file is used to configure the OpenSSH server on Linux. Security changes made by modifying configuration values in the /etc/ssh/sshd_config file take effect only after the sshd daemon has been reloaded or restarted.
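Before reloading sshd, it helps to confirm that the file really contains the five settings described above. The shell functions below are an added example, not code from Liquid Web or the OpenSSH project; the function names and the three sample configurations are constructed for illustration. The check relies on the fact that sshd uses the first value it obtains for a keyword, so a hardening line appended below an earlier, weaker one has no effect.

```shell
# Added example: audit an sshd_config-style file for the five settings above.
# Assumes whitespace-separated "Keyword value" lines; Include files are not read.

# all_values FILE KEYWORD: print every value set for KEYWORD (case-insensitive)
# in the global section; parsing stops at the first Match block.
all_values() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print tolower($0) }
    ' "$1"
}

# sshd uses the first value it obtains for a keyword, so a later duplicate
# line does not override an earlier one.
first_value() { all_values "$1" "$2" | head -n 1; }

# audit_sshd_config FILE: print one FAIL line per finding; return 1 if any.
audit_sshd_config() {
    cfg=$1; rc=0
    proto=$(first_value "$cfg" Protocol)
    if [ -n "$proto" ] && [ "$proto" != "2" ]; then
        echo "FAIL: Protocol is '$proto', expected 2"; rc=1
    fi
    ports=$(all_values "$cfg" Port)        # Port may be given more than once
    if [ -z "$ports" ]; then
        echo "FAIL: Port not set, so sshd listens on the default port 22"; rc=1
    elif printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL: Port 22 is still listed"; rc=1
    fi
    if [ "$(first_value "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not 'no'"; rc=1
    fi
    if [ -z "$(all_values "$cfg" AllowUsers)$(all_values "$cfg" AllowGroups)" ]; then
        echo "FAIL: neither AllowUsers nor AllowGroups is set"; rc=1
    fi
    # An unset PermitRootLogin is reported too, so the choice is explicit.
    case $(first_value "$cfg" PermitRootLogin) in
        no|prohibit-password) ;;
        *) echo "FAIL: PermitRootLogin is not 'no' or 'prohibit-password'"; rc=1 ;;
    esac
    return "$rc"
}

# write_sample NAME FILE: write one of three constructed sample configs.
write_sample() {
    case $1 in
        weak)      # settings the article warns about
            printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
                'PasswordAuthentication yes' ;;
        shadowed)  # looks hardened, but the first PasswordAuthentication wins
            printf '%s\n' 'PasswordAuthentication yes' 'Port 2022' \
                'PermitRootLogin no' 'AllowGroups sshusers' \
                'PasswordAuthentication no' ;;
        hardened)  # all five recommendations applied
            printf '%s\n' 'Protocol 2' 'Port 2022' 'PasswordAuthentication no' \
                'AllowGroups sshusers' 'PermitRootLogin prohibit-password' ;;
    esac > "$2"
}

demo_dir=$(mktemp -d)
for sample in weak shadowed hardened; do
    write_sample "$sample" "$demo_dir/$sample"
    echo "== $sample =="
    audit_sshd_config "$demo_dir/$sample" && echo "no findings"
done
rm -rf "$demo_dir"
```

On a live server, run audit_sshd_config against /etc/ssh/sshd_config, then validate the file's syntax with sshd -t before reloading the daemon.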

Manage your servers using OpenSSH with Liquid Web

OpenSSH offers a comprehensive, secure, and reliable remote server management and data transfer solution. By understanding its key components, such as the client application and server daemon, mastering OpenSSH configuration, and effectively leveraging OpenSSH key management, you can significantly enhance the security of your servers and streamline system administration.

Utilizing a local OpenSSH configuration file simplifies connection setup, while securing the OpenSSH server with best practices and taking advantage of public key authentication fortifies defenses against unauthorized access. All these features make OpenSSH a crucial element in maintaining secure, efficient, and reliable server infrastructure. If you have any setup questions about how to install OpenSSH on Linux, our Liquid Web support agents would be happy to help complete the process.

Elevate your hosting experience with Liquid Web’s VPS hosting, dedicated server hosting plans, and cloud hosting solutions. Tailored for mission-critical businesses, Liquid Web hosting solutions offer unparalleled performance, reliability, and support protocols. Whether you need complete control of a dedicated setup or the flexibility of our cloud solutions, Liquid Web delivers a seamless and innovative hosting experience.

© 2025 Liquid Web, LLC
