Configure SSH Access
SSH remote access is useful for example in the case of a headless server or a remote machine, where you want to have control or administer it. Let’s see in this guide how we can set up an SSH server for the mentioned purpose.
Set a static IP address
On* the SERVER SIDE (host you want to control) and as a rule of thumb, setting a static IP address is the first step, since you do not want to have random IPs provided by an DHCP server. Here are 2 sources:
Install required dependencies dependencies
Not is is time to install what is needed, so:
$ sudo pacman -S openssh
Start and enable services
In this step we want to start, check status and enable the required services, so let’s follow these commands, they are self-explanatory:
$ sudo systemctl start sshd
The last command started our SSH service, so let’s double check that is already started:
$ sudo systemctl status sshd
The ‘sshd; service should be up and running but it will NOT start automatically, so let’s make sure that happens by enabling it at start-up time:
$ sudo systemctl enable sshd
A first SSH test
At this point, we should be able to connect to our remote machine via SSH default port (22) with user/pass credentials, so ON THE CLIENT SIDE run:
# Example: [email protected]
$ ssh USERNAME@IP_ADDRESS
If you are asked (very likely), add a confirmation to add the ‘fingerprint’ to the ‘known_hosts’ and then type your password.
Securing our SSH server
There are a couple of things that are ‘kind of’ mandatory in order to add an extra layer of security to our SSH Server.
Change the default SSH Port
We can achieve this by editing the file
$ sudo vim /etc/ssh/sshd_config
Let’s search and uncomment the option ‘Port’ and assign any other number, for example 844.
Disable user/pass authentication
This is very IMPORTANT, otherwise we are opening doors to brute force attacks against our SSH Server. In order to mitigate this issue first check this article:
Once we have our SSH keys generated ON THE CLIENT SIDE, we have to copy the content of our
.pub file and paste it at the bottom of the file
~/.ssh/authorized_keys on the SERVER SIDE. That’s it, we should be able to connect without user/pass credentials. Please continue reading.
AttentionWe will have to generate keys per client willing to connect to our SSH server. We could also share the client keys, but this is NOT A GOOD PRACTICE.
In the file
/etc/ssh/sshd_config, we could also polish even more our
sshd settings, depending on our needs and setup:
- X11Forwarding: Enabling X forwarding makes our system vulnerable to X11 related issues. So it’s a good idea to set it to NO.
- PermitRootLogin: We should NOT ALLOW root users to login directly to the system, so let’s set it to NO.
Restart your service
In order for the changes to take effect, let’s restart our service:
$ sudo systemctl restart sshd
Now let’s try out our setup:
# Example: ssh -p 844 [email protected]
$ ssh -p 844 USERNAME@IP_ADDRESS
-p argument serves to specify the custom port we have already configured.
Connection should succeed, thus allowing us to fully administer the remote remote machine via SSH.
- OpenSSH Arch Linux wiki
- Secure Shell Arch Linux wiki
- Arch Linux SSH server
- SSH Timeout
- How to configure X11 forwarding using SSH