Calmops

Maintaining SSHD

OpenSSH Server Maintenance

Install OpenSSH Server

On Ubuntu/Debian:

sudo apt update
sudo apt install openssh-server

On CentOS/RHEL:

sudo yum install openssh-server  # or dnf for newer versions

On Arch Linux:

sudo pacman -S openssh

Start the service. The systemd unit is named ssh on Debian/Ubuntu and sshd on CentOS/RHEL and Arch; the rest of this page uses the Debian name, so substitute sshd where needed:

sudo systemctl start ssh
sudo systemctl enable ssh  # Enable on boot ("enable --now" does both in one step)

Test the Configuration File

Before reloading or restarting, test the config for errors. sshd -t is the test mode: it prints nothing and exits 0 when the file is valid, and names the offending line otherwise. sshd -T goes one step further and prints the effective settings after defaults and Include files have been applied, which is the quickest way to confirm that an option really took effect:

sudo sshd -t   # syntax and sanity check; exit status 0 means valid
sudo sshd -T | grep -iE '^(port|permitrootlogin|passwordauthentication) '

If there are errors, fix them in /etc/ssh/sshd_config and retest. Do this from a session you already have open, so a broken config never reaches the running daemon while you have no way back in.

Backup the SSHD Configuration File

Always back up the config before editing:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

To restore the packaged default on Debian/Ubuntu, where openssh-server ships a pristine copy:

sudo cp /usr/share/openssh/sshd_config /etc/ssh/sshd_config

CentOS/RHEL ships no such copy; recover the file from your backup or reinstall the package. On recent Debian and Ubuntu releases the main file begins with "Include /etc/ssh/sshd_config.d/*.conf", and because sshd keeps the first value it reads for each keyword, a drop-in in that directory overrides the same keyword set later in sshd_config. Back up that directory too, and check it when a setting seems to have no effect.

Start and Stop SSHD

Using systemd (recommended; substitute sshd for ssh on CentOS/RHEL and Arch):

sudo systemctl start ssh
sudo systemctl stop ssh
sudo systemctl restart ssh
sudo systemctl reload ssh  # Re-read sshd_config (SIGHUP) without stopping the listener

Neither reload nor restart drops sessions that are already established, so keep your current connection open while changing settings and confirm with a fresh login from a second terminal before closing it.

Using init.d (older systems):

sudo /etc/init.d/ssh start
sudo /etc/init.d/ssh stop
sudo /etc/init.d/ssh restart

Check status:

sudo systemctl status ssh

Generate Host Keys

If host keys are missing (for example on a freshly cloned VM image, or after an install where key generation failed), create them with:

sudo ssh-keygen -A

This creates every missing host key type in /etc/ssh/ and leaves existing keys untouched, so a corrupted key file has to be removed first (for example sudo rm /etc/ssh/ssh_host_ed25519_key*) before it is regenerated. A regenerated key changes the host's identity: clients that already have the old key in known_hosts will refuse to connect until that entry is replaced. Cloned images must never keep the template's host keys, or every clone shares one identity.

Privilege Separation User Issue

sshd runs its network-facing pre-authentication process as an unprivileged account chrooted into an empty directory; if that account is missing it refuses to start with "Privilege separation user sshd does not exist". Rather than appending a hand-written line to /etc/passwd (which skips /etc/shadow and the group database, and hard-codes a UID that may already be taken), create the system account with the normal tool. The example uses the CentOS/RHEL home and shell; on Debian/Ubuntu the packaged account uses /run/sshd and /usr/sbin/nologin:

sudo useradd -r -M -d /var/empty/sshd -s /sbin/nologin -c 'Privilege-separated SSH' sshd
sudo install -d -o root -g root -m 755 /var/empty/sshd   # chroot dir: root-owned, not writable by others

The chroot directory must exist, be owned by root and not be writable by anyone else, otherwise sshd fails with "Missing privilege separation directory" instead. Then restart the service.

Common Configurations

Edit /etc/ssh/sshd_config (or a drop-in under /etc/ssh/sshd_config.d/ on distributions whose default config includes that directory), run sudo sshd -t, and reload after changes. sshd uses the first value it reads for a keyword, so a setting placed after an existing Include line, or after a Match block, may be silently ignored.

  • Change default port (e.g., to 2222):

    Port 2222
    
    On CentOS/RHEL with SELinux enforcing, also label the new port (sudo semanage port -a -t ssh_port_t -p tcp 2222) or sshd cannot bind to it. On Ubuntu 22.10 and later sshd is socket-activated and listens on the port configured in the ssh.socket unit, not on the Port value in sshd_config.
  • Disable root login:

    PermitRootLogin no
    
    The OpenSSH default is prohibit-password, which still lets root in with a key; no is the stricter setting.
  • Allow only key-based authentication:

    PasswordAuthentication no
    KbdInteractiveAuthentication no
    
    The second line (spelled ChallengeResponseAuthentication before OpenSSH 8.7) closes the keyboard-interactive path, through which PAM would otherwise still accept a password.
  • Limit users:

    AllowUsers user1 user2
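The settings above only take effect if they are the first value sshd reads for each keyword, and on Debian/Ubuntu an Include line at the top of sshd_config means a drop-in file can win. The script below is an added example (not code from the page or from OpenSSH) that resolves the effective value of a keyword the way sshd does, expanding Include globs in place, honouring first-value-wins and stopping at the first Match block, then audits the hardening settings from this section. It assumes whitespace-separated "Keyword value" lines (the rarer "Keyword=value" form is not parsed) and relative Include paths under /etc/ssh, as sshd resolves them.

```shell
#!/bin/sh
# Added example (not from the page): resolve the value sshd will actually use for a
# keyword and audit the hardening settings above. sshd keeps the FIRST value it reads
# for a keyword, Include lines splice other files in at that point, and everything
# after the first Match line is conditional. Assumption: "Keyword value" lines
# separated by whitespace; the "Keyword=value" form is not handled.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the config in the order sshd reads it: Include directives expanded in place,
# comments and blank lines removed, each line normalised to "Keyword value".
expand_sshd_config() {
    local file="$1" line key arg inc
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                      # strip comments
        set -f; set -- $line; set +f            # split into words without globbing
        if [ $# -eq 0 ]; then continue; fi
        key="$1"; shift; arg="$*"
        if [ "$(lower "$key")" = include ]; then
            case "$arg" in /*) ;; *) arg="/etc/ssh/$arg" ;; esac   # sshd resolves relative paths here
            for inc in $arg; do                 # unquoted on purpose: expand the glob
                if [ -e "$inc" ]; then expand_sshd_config "$inc"; fi
            done
        else
            printf '%s %s\n' "$key" "$arg"
        fi
    done < "$file"
}

# Effective global value of a keyword (case-insensitive); empty when the config
# leaves it at the compiled-in default.
effective_sshd_value() {
    local want
    want="$(lower "$2")"
    expand_sshd_config "$1" | awk -v want="$want" '
        tolower($1) == "match" { exit }                       # conditional from here on
        tolower($1) == want    { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Audit one config against the settings recommended above. Prints a line per
# finding; returns 1 if any weak setting is in effect, 0 if the config is clean.
audit_sshd_config() {
    local cfg="$1" rc=0 v
    v="$(effective_sshd_value "$cfg" PermitRootLogin)"; v="$(lower "${v:-prohibit-password}")"  # sshd default
    if [ "$v" != no ]; then echo "WEAK: PermitRootLogin $v (expected no)"; rc=1; fi
    v="$(effective_sshd_value "$cfg" PasswordAuthentication)"; v="$(lower "${v:-yes}")"       # sshd default
    if [ "$v" != no ]; then echo "WEAK: PasswordAuthentication $v (expected no)"; rc=1; fi
    # Keyboard-interactive (PAM) logins still take passwords unless disabled as well;
    # ChallengeResponseAuthentication is the pre-8.7 spelling of the same keyword.
    v="$(effective_sshd_value "$cfg" KbdInteractiveAuthentication)"
    [ -n "$v" ] || v="$(effective_sshd_value "$cfg" ChallengeResponseAuthentication)"
    v="$(lower "${v:-yes}")"
    if [ "$v" != no ]; then echo "WEAK: KbdInteractiveAuthentication $v (expected no)"; rc=1; fi
    v="$(lower "$(effective_sshd_value "$cfg" PubkeyAuthentication)")"
    if [ "$v" = no ]; then echo "BROKEN: PubkeyAuthentication no disables key logins"; rc=1; fi
    return "$rc"
}

# Usage: sudo sh sshd-audit.sh /etc/ssh/sshd_config   (root is needed to read drop-ins)
if [ -n "${1:-}" ]; then audit_sshd_config "$1"; fi
```

Run it against the live file after every edit; a drop-in such as a cloud-init generated 50-cloud-init.conf that re-enables PasswordAuthentication shows up here as WEAK even though sshd_config itself says no.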
    

Firewall Configuration

Allow SSH through the firewall. When moving to a custom port, open the new port before changing sshd and remove the rule for the old one only after a login on the new port has succeeded.

Using ufw (Ubuntu):

sudo ufw allow ssh
# Or for custom port: sudo ufw allow 2222/tcp

Using firewalld (CentOS/RHEL):

sudo firewall-cmd --permanent --add-service=ssh
# Or for custom port: sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

Key-Based Authentication

To set up SSH keys so that logins no longer depend on a password:

  1. Generate key pair on client:

    ssh-keygen -t ed25519   # use -t rsa -b 4096 only for servers too old for Ed25519
    
  2. Copy public key to server:

    ssh-copy-id user@server
    
  3. Ensure on server:

    PubkeyAuthentication yes
    

Confirm from a second terminal that a key login works (ssh -o PasswordAuthentication=no user@server) before setting PasswordAuthentication no; a key that sshd rejects otherwise locks you out.

Troubleshooting

  • Connection refused: Check that sshd is running (systemctl status ssh), that the firewall allows the port, and that sshd is listening where you expect (sudo ss -ltnp | grep sshd).
  • Permission denied (publickey): Verify the key is present in ~/.ssh/authorized_keys on the server and that permissions are strict: ~/.ssh 700, ~/.ssh/authorized_keys 600, both owned by the user, and the home directory not writable by group or others. With StrictModes (the default) sshd silently ignores the file otherwise; the server's auth log, or sshd run by hand with -ddd on a spare port, states the reason.
  • Host key verification failed: The client already has a different key for this host in ~/.ssh/known_hosts. If you regenerated the host keys or reinstalled the server, remove the stale entry with ssh-keygen -R server. If you did not, treat the warning as a possible man-in-the-middle and do not connect until the fingerprint has been verified out of band.
  • Slow login: Disable reverse DNS lookups with UseDNS no (the default since OpenSSH 6.8), and check GSSAPIAuthentication, which can stall on hosts without a working Kerberos setup.
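The key-based login steps above and the "Permission denied" item both come down to the same server-side checks, so here is one added example (not code from the page or from OpenSSH) that performs them for an account: ownership and write bits on the home directory, ~/.ssh and authorized_keys, which is what sshd's StrictModes enforces, plus a sanity check that every authorized_keys line carries a recognised key type followed by base64. It assumes GNU stat (Linux); the user may be given as a name or numeric uid, and the home directory is passed explicitly so the check can be pointed at any account or at a test directory.

```shell
#!/bin/sh
# Added example (not from the page): explain a "Permission denied (publickey)" by
# checking what sshd requires of the target account before it reads
# ~/.ssh/authorized_keys. With StrictModes (the default) sshd ignores the file when
# the home directory, ~/.ssh or the file itself is writable by group or others, or
# not owned by the user. Assumes GNU stat (Linux).

mode_of() { stat -c '%a' "$1"; }            # permission bits in octal, e.g. 700
uid_of()  { stat -c '%u' "$1"; }            # numeric owner

group_or_other_writable() {                  # true when a write bit outside the owner's is set
    [ $(( 0$(mode_of "$1") & 022 )) -ne 0 ]
}

# Count authorized_keys lines that carry no "<keytype> <base64>" pair anywhere on the
# line (options such as command="..." may precede the type). Comments are skipped.
malformed_key_lines() {
    awk '/^[ \t]*(#|$)/ { next }
         { ok = 0
           for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)$/ \
                   && $(i+1) ~ /^[A-Za-z0-9+\/]+=*$/)
                   ok = 1
           if (!ok) bad++ }
         END { print bad + 0 }' "$1"
}

# check_ssh_setup <user|uid> <home>: print each problem, return 0 only when clean.
check_ssh_setup() {
    user="$1"; home="$2"; rc=0
    case "$user" in *[!0-9]*) uid="$(id -u "$user")" ;; *) uid="$user" ;; esac
    keys="$home/.ssh/authorized_keys"
    for p in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; rc=1; continue; fi
        if [ "$(uid_of "$p")" != "$uid" ]; then echo "not owned by uid $uid: $p"; rc=1; fi
        if group_or_other_writable "$p"; then
            echo "writable by group/others (StrictModes rejects it): $p"; rc=1
        fi
    done
    if [ -f "$keys" ]; then
        n="$(malformed_key_lines "$keys")"
        if [ "$n" -ne 0 ]; then echo "$n malformed line(s) in $keys"; rc=1; fi
        if [ "$(mode_of "$home/.ssh")" != 700 ] || [ "$(mode_of "$keys")" != 600 ]; then
            echo "note: recommended modes are 700 for $home/.ssh and 600 for $keys"
        fi
    fi
    return "$rc"
}

# Usage: sudo sh check-ssh.sh alice /home/alice
if [ -n "${2:-}" ]; then check_ssh_setup "$1" "$2"; fi
```

The mode note is advisory because sshd itself only refuses group/other write access; the 700/600 values are the conventional tightest setting and are what ssh-copy-id produces.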

Security Best Practices

  • Use a non-standard port. This cuts log noise from mass scanners but does not stop a targeted attacker; treat it as hygiene, not as a control.
  • Disable password authentication (and keyboard-interactive) once key logins are confirmed to work.
  • Use fail2ban, or the equivalent sshguard, to ban sources of repeated failures, and lower MaxAuthTries and LoginGraceTime in sshd_config so each attempt costs the attacker more than it costs you.
  • Keep OpenSSH updated through the distribution's package manager.
  • Monitor logs: sudo journalctl -u ssh (sudo journalctl -u sshd on CentOS/RHEL and Arch), or /var/log/auth.log and /var/log/secure on systems that still log to files.
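Reading the log is only useful with a question in mind, and the first one is usually "which sources are hammering the daemon, and did any of them get in?". The following is an added example (not code from the page or from fail2ban) that answers both from sshd's own log lines: it counts password failures per source address, prints those at or above a threshold busiest first, and lists accepted logins so a source that failed many times and then succeeded stands out. The sample log is constructed for this example in the format sshd writes at the default LogLevel; real input comes from journalctl -u ssh -o cat or /var/log/auth.log.

```shell
#!/bin/sh
# Added example (not from the page): quick triage of sshd log lines, the kind of
# evidence fail2ban acts on. Functions read log lines on stdin. SAMPLE_LOG is
# constructed for this example; the format matches sshd at the default LogLevel.

SAMPLE_LOG='Jan 10 09:12:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 09:12:03 web1 sshd[1235]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 10 09:12:04 web1 sshd[1236]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jan 10 09:12:05 web1 sshd[1240]: Invalid user postgres from 198.51.100.9 port 40001
Jan 10 09:12:06 web1 sshd[1240]: Failed password for invalid user postgres from 198.51.100.9 port 40001 ssh2
Jan 10 09:15:00 web1 sshd[1250]: Accepted publickey for deploy from 192.0.2.5 port 50000 ssh2: ED25519 SHA256:QoZ2Yy7x4a0
Jan 10 09:16:00 web1 sshd[1251]: Failed password for deploy from 198.51.100.9 port 40002 ssh2'

# failed_auth_by_source [threshold]: "count address" per source with at least
# <threshold> failed password or keyboard-interactive attempts, busiest first.
# Only "Failed ..." lines are counted; the "Invalid user" line sshd also writes for
# unknown names would otherwise count the same attempt twice.
failed_auth_by_source() {
    awk -v min="${1:-1}" '
        /sshd\[[0-9]+\]: Failed (password|keyboard-interactive\/pam) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }' |
    sort -rn
}

# accepted_logins: one "user address method" line per successful authentication.
accepted_logins() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "Accepted" && $(i+2) == "for" && $(i+4) == "from")
                   print $(i+3), $(i+5), $(i+1) }'
}

# Demo on the constructed sample:  sh sshd-triage.sh demo
# Live use:  sudo journalctl -u ssh -o cat | sh -c '. ./sshd-triage.sh; failed_auth_by_source 5'
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_auth_by_source 2
    printf '%s\n' "$SAMPLE_LOG" | accepted_logins
fi
```

On the sample, 203.0.113.7 (three failures against two unknown users and root) is the obvious candidate for a ban, while 198.51.100.9 also failed against a real account, deploy, and deserves a look against the accepted-login list.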
