The SSH service is the first thing you should configure on a Linux system. With OpenSSH you get a set of tools – including ssh, sshd, scp, etc. – that allow you to enable secure remote shell access to your machine. If you come from the “telnet” era, you should forget about it; its replacement today is SSH.
SSH Configuration
Let’s look at the SSH configuration I use on my server and on a client. You can find much more information in the OpenSSH documentation.
Server
Let’s look at the three most important steps (install, start, and enable at boot):
- Installation on Gentoo:
emerge -v openssh
- Start on Gentoo:
/etc/init.d/sshd start
- Start at boot on Gentoo:
rc-update add sshd default
Check the file /etc/ssh/sshd_config before starting SSH. In my case I prevent root login (PermitRootLogin), disable PAM (UsePAM) and forbid password authentication for regular users (PasswordAuthentication), so the only option left is a public/private key pair :-)
- Example configuration
/etc/ssh/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
UsePAM no
X11Forwarding yes # !! X11 !!
X11DisplayOffset 10 # !! X11 !!
X11UseLocalhost yes # !! X11 !!
AddressFamily inet
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*
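As an added example (not part of the original post and not an OpenSSH tool), the following POSIX shell script checks whether a given sshd_config actually enforces the settings described above. It applies two sshd_config rules that are easy to get wrong when auditing a file: sshd uses the first uncommented occurrence of a keyword and silently ignores later ones, and everything after a Match line is conditional. The function names are this example's own; the expected values come from the text above (PermitRootLogin is included because the text mentions it even though the sample configuration does not), and the defaults assumed for absent keywords are the ones documented in sshd_config(5), which should be checked against the OpenSSH version in use.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# hardening the post describes. Run as: check_sshd_config /etc/ssh/sshd_config

# Print the value sshd will use for KEYWORD in FILE, or nothing if it is unset.
# sshd_config rules this mirrors: '#' starts a comment, keywords are
# case-insensitive, the FIRST occurrence of a keyword wins (later ones are
# silently ignored), and everything after a Match line is conditional, so the
# global scan stops there.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                      # drop comments
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { exit }         # rest of file is conditional
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")     # strip the keyword
            sub(/[ \t]+$/, "")                  # and trailing whitespace
            print; exit
        }
    ' "$2"
}

# expect_setting FILE KEYWORD WANTED DEFAULT
# DEFAULT is the value sshd_config(5) documents for an unset keyword (assumed
# here; verify it for the OpenSSH version you run). Returns 1 on deviation.
expect_setting() {
    got="$(sshd_effective "$2" "$1")"
    [ -n "$got" ] || got="$4"
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$3" ]; then
        echo "$2 is '$got', expected '$3'"
        return 1
    fi
    return 0
}

# Check the settings from the post; returns the number of deviations (0 = ok).
check_sshd_config() {
    cfg="$1"; bad=0
    expect_setting "$cfg" PermitRootLogin no prohibit-password || bad=$((bad + 1))
    expect_setting "$cfg" PasswordAuthentication no yes       || bad=$((bad + 1))
    expect_setting "$cfg" PubkeyAuthentication yes yes        || bad=$((bad + 1))
    expect_setting "$cfg" AuthenticationMethods publickey any || bad=$((bad + 1))
    expect_setting "$cfg" UsePAM no no                        || bad=$((bad + 1))
    return "$bad"
}
```

A useful habit after editing the file is to run check_sshd_config and sshd -t before restarting sshd, because a duplicated keyword lower in the file (or one placed after a Match block) looks correct when read by eye but never takes effect.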
Client
Below is the configuration of an SSH client – the one I use most often, which comes with macOS.
- SSH client configuration on macOS
/Users/luis/.ssh/config
PubkeyAuthentication yes
Host *
ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h-%p
ControlPersist 600
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_ed25519
Public/Private Key Generation
Let’s see how to generate the key pair on the “client” computer. In this example the keys will be stored in the /Users/luis/.ssh/ directory: one file named id_ed25519 (the private key, which you should never share with anyone) and the file id_ed25519.pub, which you need to send to the server.
luis@idefix ~ $ ssh-keygen -t ed25519 -a 200 -C "luis@idefix" -f ~/.ssh/id_ed25519
- Sending the public key to the Server
The next step is to send the $HOME/.ssh/id_ed25519.pub file to the Server. It’s a text file and you need to append its contents to the server’s $HOME/.ssh/authorized_keys file for the user you’ll connect as.
luis@servidor ~ $ cat /tmp/id_ed25519.pub >> .ssh/authorized_keys
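As an added example (not from the original post), here is a POSIX shell function that does what the cat >> line above does, but first validates that the file really is a single ed25519 public key line, refuses to add the same key material twice, and sets the directory and file modes that sshd's StrictModes (on by default) requires before it will read authorized_keys at all. The function names and the line-format check are this example's own; the key blob used in the usage line is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into
# authorized_keys safely. Usage: add_authorized_key id_ed25519.pub [~/.ssh]

# Returns 0 if FILE holds exactly one OpenSSH ed25519 public key line:
# key type, base64 key blob, optional comment (e.g. "luis@idefix").
is_ed25519_pubkey() {
    [ "$(grep -c . "$1")" -eq 1 ] &&
    grep -Eq '^ssh-ed25519 [A-Za-z0-9+/]+={0,2}( [^[:space:]].*)?$' "$1"
}

# Append the key in PUBKEY to SSHDIR/authorized_keys (SSHDIR defaults to ~/.ssh).
# Returns 0 when added, 1 when PUBKEY is not a valid key file, 2 when the same
# key material is already present (comments are ignored for the comparison).
add_authorized_key() {
    pubkey="$1"
    sshdir="${2:-$HOME/.ssh}"
    authfile="$sshdir/authorized_keys"

    if ! is_ed25519_pubkey "$pubkey"; then
        echo "refusing $pubkey: not a single ed25519 public key line" >&2
        return 1
    fi

    # With StrictModes yes (the default) sshd ignores authorized_keys when the
    # directory or file is writable by group/others, so fix the modes up front.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authfile" && chmod 600 "$authfile" || return 1

    # Compare type + key blob only, so a re-sent key with a new comment is a duplicate.
    keymat="$(cut -d' ' -f1,2 "$pubkey")"
    if cut -d' ' -f1,2 "$authfile" | grep -Fxq -- "$keymat"; then
        echo "key already present in $authfile" >&2
        return 2
    fi
    cat "$pubkey" >> "$authfile"
}

# Example call (constructed placeholder key, not a real one):
#   printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey00000000000 luis@idefix\n' > /tmp/id_ed25519.pub
#   add_authorized_key /tmp/id_ed25519.pub
```

The validation step matters because a file that was mangled in transit (a private key sent by mistake, a line wrapped by a mail client, a stray shell prompt pasted in) is silently appended by a plain cat >> and only shows up later as an unexplained "Permission denied (publickey)".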
Connecting from the client
We go back to the client computer and connect to the server:
luis@idefix ~ $ ssh servidor.midominio.com
Don’t miss the post about X11 from root, where I discuss SSH again and cover additional options.