SSH Explained
Basic SSH concepts explained in a public-safe way.
SSH stands for Secure Shell. It is used to securely connect to another computer over a network.
What is SSH?
SSH lets you log in to a remote system from a terminal.
Basic example:
ssh user@example-server
This means:
connect to example-server as user
Why SSH is useful
SSH is commonly used to:
log in to servers
run commands remotely
copy files securely
manage Linux systems
use SSH keys instead of passwords
tunnel traffic securely
Basic SSH command
ssh USERNAME@SERVER_NAME
Example:
ssh user@example-server
Using an IP address:
ssh USERNAME@IP_ADDRESS
SSH port
SSH usually listens on port:
22/tcp
Check if SSH is listening on a server:
ss -tulpn | grep :22
Check SSH service:
systemctl status sshd
SSH client and SSH server
There are two sides:
SSH client = the computer you connect from
SSH server = the computer you connect to
Client command:
ssh user@example-server
Server service:
sshd
Check server service:
systemctl status sshd
Password login
SSH can allow password login.
Example:
ssh user@example-server
Then type the user password when prompted.
Password login may be disabled on more secure systems.
SSH key login
SSH keys are more secure and convenient than passwords.
A key pair has two parts:
private key = stays on your computer
public key = copied to the server
Important:
Never share the private key.
Only share the public key.
Generate an SSH key
For most modern systems:
ssh-keygen -t ed25519 -C "your_note"
Example:
ssh-keygen -t ed25519 -C "laptop key"
For RHEL systems using FIPS mode, use RSA instead:
ssh-keygen -t rsa -b 4096 -C "your_note"
Common SSH key files
Default Ed25519 key:
~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub
Default RSA key:
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
Meaning:
file without .pub = private key
file with .pub = public key
Show public key
cat ~/.ssh/id_ed25519.pub
For RSA:
cat ~/.ssh/id_rsa.pub
Copy only the public key to the server.
Add public key to server
On the server, the user's public keys are stored in:
/home/USERNAME/.ssh/authorized_keys
Create the directory:
sudo mkdir -p /home/USERNAME/.ssh
Edit authorized keys:
sudo nano /home/USERNAME/.ssh/authorized_keys
Paste the public key.
Set ownership:
sudo chown -R USERNAME:USERNAME /home/USERNAME/.ssh
Set permissions:
sudo chmod 700 /home/USERNAME/.ssh
sudo chmod 600 /home/USERNAME/.ssh/authorized_keys
Use ssh-copy-id
If password login is allowed, this is easier:
ssh-copy-id USERNAME@example-server
Using a specific public key:
ssh-copy-id -i ~/.ssh/id_ed25519.pub USERNAME@example-server
Use a specific private key
ssh -i ~/.ssh/key_name USERNAME@example-server
Example:
ssh -i ~/.ssh/server01_ed25519 user@example-server
SSH config file
The SSH client config file can make connections easier.
File:
~/.ssh/config
Example:
Host server01
HostName example-server
User user
IdentityFile ~/.ssh/server01_ed25519
Then connect with:
ssh server01
Useful SSH options
Verbose mode
ssh -v user@example-server
More detail:
ssh -vv user@example-server
Maximum detail:
ssh -vvv user@example-server
Use this for troubleshooting.
Specify port
ssh -p PORT user@example-server
Example:
ssh -p 2222 user@example-server
Run one remote command
ssh user@example-server "hostnamectl"
Copy files with scp
Copy local file to server:
scp file.txt user@example-server:/tmp/
Copy file from server to local machine:
scp user@example-server:/tmp/file.txt .
Copy files with rsync
Copy folder to server:
rsync -av folder/ user@example-server:/tmp/folder/
Copy from server:
rsync -av user@example-server:/tmp/folder/ ./folder/
SSH server config
Main config file:
/etc/ssh/sshd_config
Extra config directory may exist:
/etc/ssh/sshd_config.d/
Check config syntax:
sudo sshd -t
Restart SSH:
sudo systemctl restart sshd
Be careful when restarting SSH remotely. Keep another session open.
Important SSH server settings
Common settings:
PasswordAuthentication
PubkeyAuthentication
PermitRootLogin
AllowUsers
AllowGroups
DenyUsers
DenyGroups
AuthorizedKeysFile
Search settings:
sudo grep -Ei "PasswordAuthentication|PubkeyAuthentication|PermitRootLogin|AllowUsers|AllowGroups|DenyUsers|DenyGroups|AuthorizedKeysFile" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* 2>/dev/null
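The grep above lists every matching line, but sshd uses the first value it reads for each keyword, so a later line can look active without taking effect. An added example (not from the original page) that resolves the effective global value of three of these settings from config text on stdin; the function names and the sample config are constructed, and the input is assumed to arrive in the order sshd reads it (an Include line is expanded where it appears).

```shell
#!/bin/sh
# Added example, not from the original page.
# effective_sshd_settings: reads sshd_config text on stdin, in the order
# sshd reads it, and prints the first value seen for each watched keyword
# in the global section (everything before the first Match block).
effective_sshd_settings() {
    awk '
        BEGIN {
            n = split("passwordauthentication pubkeyauthentication permitrootlogin", watch, " ")
        }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)     # keywords may be indented
            # "Keyword value" and "Keyword=value" are both accepted by sshd
            split(line, kv, /[ \t=]+/)
            key = tolower(kv[1])         # keywords are case-insensitive
            if (key == "match") exit     # conditional blocks are out of scope
            if (!(key in seen)) seen[key] = tolower(kv[2])   # first value wins
        }
        END {
            for (i = 1; i <= n; i++)
                print watch[i], ((watch[i] in seen) ? seen[watch[i]] : "(not set)")
        }
    '
}

# Constructed sample: drop-in content followed by the main file, as happens
# when the Include line sits at the top of sshd_config (an assumption here).
sample_config() {
    cat <<'EOF'
# /etc/ssh/sshd_config.d/50-hardening.conf (constructed)
PasswordAuthentication no
PermitRootLogin=prohibit-password
# /etc/ssh/sshd_config (constructed)
PasswordAuthentication yes
Match User backup
    PubkeyAuthentication no
EOF
}

sample_config | effective_sshd_settings
```

On a live server, sudo sshd -T prints the effective configuration as sshd itself resolves it.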
Troubleshooting SSH login
First checks:
getent passwd USERNAME
id USERNAME
ls -ld /home/USERNAME
ls -ld /home/USERNAME/.ssh
ls -l /home/USERNAME/.ssh/authorized_keys
systemctl status sshd
ss -tulpn | grep :22
journalctl -u sshd -n 100
sudo tail -n 100 /var/log/secure
Common SSH problems
wrong username
wrong server
wrong key
private key permissions too open
authorized_keys permissions wrong
home directory permissions wrong
account locked
user shell is /sbin/nologin
SSH service not running
firewall blocking port 22
PasswordAuthentication disabled
PubkeyAuthentication disabled
FIPS system using unsupported key type
Correct SSH permissions
Client side:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
Server side:
sudo chmod 700 /home/USERNAME/.ssh
sudo chmod 600 /home/USERNAME/.ssh/authorized_keys
sudo chown -R USERNAME:USERNAME /home/USERNAME/.ssh
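An added example (not part of the original page) that checks the server-side ownership and modes listed above in one pass, since wrong permissions on the home directory, .ssh or authorized_keys are among the common login problems; sshd's StrictModes option (on by default) checks the modes and ownership of these paths before accepting a key. The function name and output format are made up here, and it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the original page.
# check_ssh_perms HOME_DIR OWNER_UID
# Compares the home directory, .ssh and authorized_keys with the modes this
# page recommends. Prints one line per finding; returns the finding count.
check_ssh_perms() {
    home="$1"; want_uid="$2"; findings=0

    # PATH:MODE pairs. "-" = only reject group/world write (home directory).
    for entry in "$home:-" "$home/.ssh:700" "$home/.ssh/authorized_keys:600"; do
        path="${entry%:*}"; want="${entry##*:}"

        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            findings=$((findings + 1))
            continue
        fi

        mode="$(stat -c '%a' "$path")"   # octal mode, e.g. 700 (GNU stat)
        uid="$(stat -c '%u' "$path")"    # numeric owner

        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $path: uid $uid, expected $want_uid"
            findings=$((findings + 1))
        fi

        if [ "$want" = "-" ]; then
            # 022 = group-write | world-write
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                echo "MODE $path: $mode is group/world writable"
                findings=$((findings + 1))
            fi
        elif [ "$mode" != "$want" ]; then
            echo "MODE $path: $mode, expected $want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run against a real account with:
#   check_ssh_perms /home/USERNAME "$(id -u USERNAME)"
if [ "$#" -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```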