Install and Configure SSH Server on Ubuntu 22.04|20.04


If you performed an installation of Ubuntu 22.04 or Ubuntu 20.04 from a CD ISO image, the OpenSSH server and client packages are installed alongside OS base installation. You need to manually install and configure OpenSSH server to enable remote logins through an ssh client. OpenBSD Secure Shell, commonly known as OpenSSH, is a set of applications that provides encrypted communication sessions over the Secure Shell (SSH) protocol. It is a standard way of accessing both Linux and Unix servers remotely over the internet.

In this article we will discuss the installation and configuration of SSH Server on Ubuntu 22.04|20.04 Linux machine. The article can be used for Desktop or Server editions of Ubuntu OS. In most cloud instances, OpenSSH server is installed and configured to start at system boot. We have a dedicated article on how to install the latest Ubuntu OS 22.04, in case you’re interested.

Once the OS is installed, log in as root or as a standard user with sudo privileges and continue to configure OpenSSH server on the Ubuntu 22.04 / Ubuntu 20.04 Linux system.

Step 1) Install OpenSSH Server packages on Ubuntu 22.04|20.04

We shall start with the OpenSSH server installation process on Ubuntu 22.04|20.04. But first, update the OS package list as configured in the sources repositories:

$ sudo apt update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [90.7 kB]
Hit:2 http://ke.archive.ubuntu.com/ubuntu jammy InRelease
Get:3 http://ke.archive.ubuntu.com/ubuntu jammy-updates InRelease [90.7 kB]
Get:4 http://ke.archive.ubuntu.com/ubuntu jammy-backports InRelease [90.7 kB]
Fetched 272 kB in 2s (163 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
45 packages can be upgraded. Run 'apt list --upgradable' to see them.

Thereafter, install OpenSSH Server packages on Ubuntu 22.04|20.04 using the commands below:

$ sudo apt install openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  openssh-sftp-server runit-helper
Suggested packages:
  molly-guard monkeysphere ssh-askpass ufw
The following NEW packages will be installed:
  openssh-server openssh-sftp-server runit-helper
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 446 kB of archives.
After this operation, 1,765 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

After the installation of OpenSSH server, start ssh service:

sudo systemctl start ssh

It is recommended to enable the service to start with the OS. This will ensure you’re not locked out of the system if the system is rebooted.

$ sudo systemctl enable ssh
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh

The command below will show the status of the service. If everything went as expected, it should be in the running state.

$ systemctl status ssh
 ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-11-11 12:12:16 EAT; 1h 47min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 657 (sshd)
      Tasks: 1 (limit: 9482)
     Memory: 6.1M
        CPU: 84ms
     CGroup: /system.slice/ssh.service
             └─657 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Nov 11 12:12:16 ubuntu22 systemd[1]: Starting OpenBSD Secure Shell server...
Nov 11 12:12:16 ubuntu22 sshd[657]: Server listening on 0.0.0.0 port 22.
Nov 11 12:12:16 ubuntu22 sshd[657]: Server listening on :: port 22.
Nov 11 12:12:16 ubuntu22 systemd[1]: Started OpenBSD Secure Shell server.

The OpenSSH server configuration file is /etc/ssh/sshd_config. The file contains keyword-argument pairs, one per line. All the lines starting with # and empty lines are interpreted as comments.

Step 2) Copy your SSH Public key from Workstation to Ubuntu system

Before you can disable password authentication for SSH, you need to copy SSH public keys from workstation to the server or remote Ubuntu Desktop machine.

Generate SSH keys if you don’t have them already on your Workstation OS – the command provided works for Linux and macOS:

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/computingpost/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/computingpost/.ssh/id_rsa
Your public key has been saved in /home/computingpost/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:OYXlyX/3nXMdSz581TDOnl78PPXAv31h03GI39bu9x8 [email protected]
The key's randomart image is:
+---[RSA 3072]----+
|          .      |
|         = .     |
|        . =  .o. |
|         o ..o.+o|
|        S   .o++O|
|         .   oBB#|
|              +E&|
|             . +#|
|              .o#|
+----[SHA256]-----+

Get the public or private IP address of the remote Ubuntu system:

$ ip address
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:13:e7:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.46/24 brd 192.168.200.255 scope global dynamic noprefixroute enp1s0
       valid_lft 3519sec preferred_lft 3519sec
    inet6 fe80::bfeb:53e3:8760:78ee/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

My Ubuntu 22.04 Server IP address is 192.168.200.46. Ping the IP address to confirm network connectivity from your workstation machine:

$ ping -c 3 192.168.200.46
PING 192.168.200.46 (192.168.200.46): 56 data bytes
64 bytes from 192.168.200.46: icmp_seq=0 ttl=63 time=188.575 ms
64 bytes from 192.168.200.46: icmp_seq=1 ttl=63 time=181.137 ms
64 bytes from 192.168.200.46: icmp_seq=2 ttl=63 time=192.178 ms

--- 192.168.200.46 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 181.137/187.297/192.178/4.597 ms

After confirming you can access remote Ubuntu server from your Workstation, copy SSH public key:

$ ssh-copy-id ubuntu@192.168.200.46
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.200.46' (ECDSA) to the list of known hosts.
ubuntu@192.168.200.46's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'ubuntu@192.168.200.46'"
and check to make sure that only the key(s) you wanted were added.

Where:

  • ubuntu is the remote user account
  • 192.168.200.46 is the IP address of remote Ubuntu system

Test SSH connectivity to the remote Ubuntu system after copying the SSH public key. You should not be prompted for the user password, but you may be asked for the SSH private key passphrase if one was set.

$ ssh ubuntu@192.168.200.46
Warning: Permanently added '192.168.200.46' (ECDSA) to the list of known hosts.
Enter passphrase for key '/Users/jmutai/.ssh/id_rsa':
Welcome to Ubuntu Jammy Jellyfish (development branch) (GNU/Linux 5.13.0-19-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

45 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Thu Nov 11 13:55:16 2021 from 192.168.200.1

Step 3) Disabling remote SSH for root user (Optional)

To get improved security in your remote Ubuntu system, consider disabling root user ssh login.

On remote Ubuntu system, edit SSH server configuration file and set parameter to disable root access through ssh:

$ sudo vim /etc/ssh/sshd_config
PermitRootLogin no

There is also an option of allowing the root user to authenticate with any other allowed mechanism that is not password or keyboard-interactive. For this, set the parameter as below:

PermitRootLogin prohibit-password

With the above configuration, we’ll be able to log in as the root user with an SSH private key. The only requirement is that the SSH public key has been copied to the system before the SSH server service is restarted:

$ ssh-copy-id root@192.168.200.46
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/jmutai/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.200.46' (ECDSA) to the list of known hosts.
root@192.168.200.46's password:

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'root@192.168.200.46'"
and check to make sure that only the key(s) you wanted were added.

Restart SSH service to apply new configurations in the file.

sudo systemctl restart ssh
systemctl status ssh

Step 4) Disabling SSH Password Authentication (Optional)

Password authentication on SSH can be disabled completely. The only way to login over SSH will be with the use of SSH keys.

Set PasswordAuthentication keyword to no to disallow password authentication for all users:

$ sudo vim /etc/ssh/sshd_config
PasswordAuthentication no

Restart SSH service for the new change to take effect.

sudo systemctl restart ssh

SSH authentication without a public key will definitely fail.

$ ssh ubuntu@192.168.200.46
ubuntu@192.168.200.46: Permission denied (publickey).

When the SSH private key is not in the default ~/.ssh/id_rsa, use -i to pass the path to the identity file manually:

$ ssh ubuntu@192.168.200.46 -i /path/to/privkey
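
The settings from Steps 3 and 4 only take effect if nothing read earlier already set the same keyword, because sshd keeps the first value it obtains. The script below is an added example, not part of the original article: it lints sshd_config-style files offline, using constructed sample files and a hypothetical drop-in named 50-dropin.conf. It assumes the stock Ubuntu file's Include /etc/ssh/sshd_config.d/*.conf line near the top, which is why the drop-in is listed first.

```bash
#!/bin/sh
# Added example (not from the article): offline lint of sshd_config-style files.
# On a live host, `sudo sshd -t` checks syntax and `sudo sshd -T` prints the
# configuration sshd will actually use.

# Print the first global value of keyword $1 in the files that follow, listed
# in the order sshd reads them. sshd keeps the first value it obtains.
effective_setting() {
    key=$1; shift
    awk -v key="$key" '
        BEGIN { key = tolower(key) }                    # keywords are case-insensitive
        FNR == 1 { in_match = 0 }                       # scope is tracked per file
        NF == 0 || $1 ~ /^#/ { next }                   # empty lines and comments
        tolower($1) == "match" { in_match = 1; next }   # conditional from here on
        !in_match && tolower($1) == key { print $2; exit }
    ' "$@"
}

# Return 0 only when the settings from Steps 3 and 4 are in effect.
audit_sshd() {
    rc=0
    root=$(effective_setting PermitRootLogin "$@")
    pass=$(effective_setting PasswordAuthentication "$@")
    case ${root:-prohibit-password} in                  # OpenSSH default when unset
        no|prohibit-password) ;;
        *) echo "FAIL: PermitRootLogin $root"; rc=1 ;;
    esac
    [ "${pass:-yes}" = no ] || { echo "FAIL: PasswordAuthentication ${pass:-yes}"; rc=1; }
    return $rc
}

# Constructed sample files: a main config and a hypothetical drop-in.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
echo 'PasswordAuthentication yes' > "$demo_dir/50-dropin.conf"
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample
PermitRootLogin no
passwordauthentication no
Match User backup
    AllowTcpForwarding no
EOF

audit_sshd "$demo_dir/sshd_config" && echo "main file alone: OK"
audit_sshd "$demo_dir/50-dropin.conf" "$demo_dir/sshd_config" \
    || echo "drop-in read first: password logins still enabled"
```

On a real server, pass the files under /etc/ssh/sshd_config.d/ followed by /etc/ssh/sshd_config, and run sudo sshd -t before restarting the service.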

Conclusion

In conclusion, OpenSSH server has been installed and configured successfully on an Ubuntu 22.04/20.04 Linux machine. We went further into extra configurations such as disabling root user login and SSH password authentication. In our future guides we shall cover more topics relating to OpenSSH. Stay connected for updates!
