OpenSSH
Contents
OpenSSH
OpenSSH (Open Secure Shell) is a free and open-source implementation of the SSH (Secure Shell) protocol. It provides a suite of tools for securely accessing and managing remote systems over an encrypted connection. OpenSSH is developed by the OpenBSD Project and is the most widely used SSH implementation on Unix-like systems, including Linux, BSD, and macOS.
OpenSSH is the default SSH client and server on most Linux distributions, including Debian, Ubuntu, Red Hat, and Arch Linux.
Key Features
- **Secure remote login** – Provides encrypted terminal access to remote machines
- **Public key authentication** – Enables secure, passwordless login using cryptographic key pairs
- **Secure file transfer** – Tools like `scp` and `sftp` for transferring files
- **Port forwarding and tunneling** – Forward local or remote ports over SSH
- **Agent forwarding** – Temporarily use local SSH keys on remote systems
- **Configurable access control** – Fine-grained SSH access rules via `sshd_config`
OpenSSH Tools
OpenSSH includes a set of command-line tools:
- ssh – Secure remote shell client
- sshd – SSH daemon (server)
- scp – Secure file copy
- sftp – Secure FTP-like file transfer interface
- ssh-keygen – Generate and manage SSH key pairs
- ssh-agent – SSH key agent for managing private keys
- ssh-add – Add keys to the agent
- ssh-copy-id – Install public key on a remote server
- ssh-keyscan – Retrieve public keys from a host
Installation
On Debian-based systems (e.g., Debian, Ubuntu):
<syntaxhighlight lang="bash"> sudo apt update sudo apt install openssh-server </syntaxhighlight>
Start and enable the SSH service:
<syntaxhighlight lang="bash"> sudo systemctl start ssh sudo systemctl enable ssh </syntaxhighlight>
To check SSH server status:
<syntaxhighlight lang="bash"> sudo systemctl status ssh </syntaxhighlight>
Configuration
The SSH server is configured via:
<syntaxhighlight lang="bash"> /etc/ssh/sshd_config </syntaxhighlight>
Common settings include:
- `Port 22` – Default port (can be changed for security)
- `PermitRootLogin no` – Disables root login
- `PasswordAuthentication no` – Enforces key-based login
- `AllowUsers` – Restrict login to specific users
After making changes, restart the service:
<syntaxhighlight lang="bash"> sudo systemctl restart ssh </syntaxhighlight>
Security Practices
- Use **SSH keys** instead of passwords
- Disable **root login**
- Change the default port
- Install tools like fail2ban to block brute-force attacks
- Monitor login attempts in `/var/log/auth.log`
Use Cases
- Remote server administration
- Secure file transfers (seedboxes, VPS, cloud instances)
- Git and code deployments (e.g., via `git@`)
- Remote backups and scripting automation
- Encrypted tunnels for securing other network services
Related Software
- PuTTY – SSH client for Windows
- WinSCP – Graphical SCP/SFTP client for Windows
- MobaXterm – Advanced SSH terminal with file browser and X server
- Dropbear SSH – Lightweight SSH alternative for embedded systems
