A Quick Guide to SSH for Secure Linux Connections

In the world of Linux and remote system administration, secure communication is paramount. Whether you’re managing a server in a data center, accessing a Raspberry Pi at home, or collaborating with a team across the globe, Secure Shell (SSH) is the gold standard for encrypted remote access. Unlike legacy protocols like Telnet—which transmit data in plaintext—SSH encrypts all traffic, ensuring confidentiality and integrity. This guide will demystify SSH, from core concepts to practical usage, and equip you with best practices to secure your connections. By the end, you’ll confidently use SSH to connect to remote Linux systems, transfer files, and harden your setup against common threats.

Table of Contents

1. Fundamental Concepts: What is SSH?

   • How SSH Works
   • SSH Protocol Versions
   • Key Components

2. Basic SSH Usage: Getting Started

   • Installing SSH
   • Connecting to a Remote Server
   • Running Remote Commands
   • File Transfer with SCP and SFTP

3. Common Practices: Streamlining Workflows

   • Generating SSH Key Pairs
   • Copying Public Keys to Remote Servers
   • Using the SSH Config File

4. Best Practices: Securing Your SSH Setup

   • Disable Password Authentication
   • Change the Default SSH Port
   • Limit User Access
   • Enable Two-Factor Authentication (2FA)
   • Use SSH Agents for Key Management
   • Keep SSH Software Updated

5. Conclusion

6. References

Fundamental Concepts: What is SSH?

SSH (Secure Shell) is a network protocol that enables secure remote access to computers over an unsecured network. It was designed to replace insecure protocols like Telnet and FTP, which transmit data (including passwords) in plaintext.

How SSH Works

SSH uses a combination of asymmetric encryption (for key exchange), symmetric encryption (for session data), and hashing (for integrity checks) to secure connections:

1. Handshake & Key Exchange: When a client connects to an SSH server, they perform a handshake to agree on encryption algorithms and authenticate each other. The server sends its public key, and the client verifies it (to prevent man-in-the-middle attacks).
2. Session Encryption: After authentication, a symmetric session key is generated (using the server’s public key and client’s private key) to encrypt all subsequent data.
3. Authentication: Users can authenticate via passwords, SSH keys (more secure), or two-factor methods.

SSH Protocol Versions

• SSH-1: Legacy version (1995) with known security flaws (e.g., weak encryption, no replay protection). Never use SSH-1.
• SSH-2: Current standard (2006) with robust security, improved encryption (AES, ChaCha20), and support for advanced features like key-based auth and port forwarding. All modern SSH implementations (e.g., OpenSSH) use SSH-2 by default.

Key Components

• SSH Client: Software on the local machine (e.g., ssh command-line tool, PuTTY, Termius).
• SSH Server: Daemon on the remote machine (e.g., sshd for OpenSSH) that listens for incoming connections (default port: 22).
• SSH Keys: A pair of cryptographic keys (public and private) used for passwordless authentication. The public key is stored on the server, and the private key remains on the client.

Basic SSH Usage: Getting Started

Prerequisites

Most Linux distributions preinstall the OpenSSH client (openssh-client). To check:

ssh -V  # Should return "OpenSSH_<version>"

If missing, install it:

# Debian/Ubuntu
sudo apt install openssh-client  

# RHEL/CentOS
sudo dnf install openssh-clients  

# Fedora
sudo yum install openssh-clients  

For the server (remote machine), install the OpenSSH server:

# Debian/Ubuntu
sudo apt install openssh-server  

# RHEL/CentOS/Fedora
sudo dnf install openssh-server  

# Start and enable the service
sudo systemctl enable --now sshd  

Connecting to a Remote Server

The basic syntax to connect is:

ssh [username]@[remote_host]  

Example: Connect to a server with IP 192.168.1.100 as user alice:

ssh [email protected]  

• If the server uses a non-default port (not 22), specify it with -p:

  ssh -p 2222 [email protected]  

• On first connection, you’ll see a prompt to verify the server’s public key fingerprint. Type yes to trust it (stored in ~/.ssh/known_hosts).

Running Remote Commands

Execute a single command on the remote server without logging in:

ssh [email protected] "ls -l /home/alice"  

For interactive commands (e.g., editing a file), use -t to force a terminal:

ssh -t [email protected] "nano /etc/nginx/nginx.conf"  

File Transfer with SCP and SFTP

SSH includes tools for secure file transfer:

SCP (Secure Copy)

Copy a local file to a remote server:

scp /path/to/local/file [email protected]:/path/to/remote/directory  

Copy a remote file to your local machine:

scp [email protected]:/path/to/remote/file /path/to/local/directory  

SFTP (Secure File Transfer Protocol)

Interactive file transfer session (similar to FTP):

sftp [email protected]  

Use commands like ls, cd, put (upload), get (download), and exit within the SFTP shell.

Common Practices: Streamlining Workflows

Generating SSH Key Pairs

Key-based authentication is more secure than passwords. Generate a key pair with ssh-keygen:

ssh-keygen -t ed25519 -C "[email protected]"  

• -t ed25519: Uses the Ed25519 algorithm (more secure and efficient than RSA).
• -C: Adds a comment (e.g., email) to identify the key.

Follow prompts to save the key (default: ~/.ssh/id_ed25519) and set a passphrase (optional but recommended for extra security).

Copying Public Keys to Remote Servers

To enable key-based login, copy your public key to the remote server’s ~/.ssh/authorized_keys file. Use ssh-copy-id for simplicity:

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]  

• If ssh-copy-id isn’t available, manually copy the public key:

  cat ~/.ssh/id_ed25519.pub | ssh [email protected] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"  

Now you can log in without a password (or with your key’s passphrase if set).

Using the SSH Config File

Simplify connections with ~/.ssh/config (create it if missing). Define aliases, ports, and keys for frequent hosts:

# ~/.ssh/config
Host webserver
  HostName example.com
  User alice
  Port 2222
  IdentityFile ~/.ssh/id_ed25519
  IdentitiesOnly yes  # Use only specified key

Host pi
  HostName 192.168.1.101
  User bob
  IdentityFile ~/.ssh/pi_key

Now connect with just:

ssh webserver  # Equivalent to ssh -p 2222 [email protected]
ssh pi         # Equivalent to ssh [email protected]

Best Practices: Securing Your SSH Setup

Disable Password Authentication

Once key-based auth works, disable password logins to block brute-force attacks. Edit the SSH server config (/etc/ssh/sshd_config):

sudo nano /etc/ssh/sshd_config  

Set:

PasswordAuthentication no
ChallengeResponseAuthentication no

Save and restart the SSH service:

sudo systemctl restart sshd  

Test first! Open a new terminal and verify key-based login works before closing your current session (to avoid locking yourself out).

Change the Default SSH Port

Attackers often scan port 22. Change it to a non-standard port (e.g., 2222) in sshd_config:

# /etc/ssh/sshd_config
Port 2222  # Choose a port between 1024-65535

Restart sshd and update firewall rules (e.g., UFW):

sudo ufw allow 2222/tcp  
sudo ufw reload  

Limit User Access

Restrict which users/groups can SSH in via sshd_config:

# Allow only specific users
AllowUsers alice [email protected]/24  # alice (any IP) and bob (only local subnet)

# Allow only specific groups
AllowGroups ssh-users  

Enable Two-Factor Authentication (2FA)

Add an extra layer of security with 2FA (e.g., TOTP apps like Google Authenticator).

1. Install the PAM module:

   sudo apt install libpam-google-authenticator  # Debian/Ubuntu

2. Run google-authenticator and follow prompts to generate a QR code. Scan it with your app.

3. Edit sshd_config to enable challenge-response auth:

   ChallengeResponseAuthentication yes
   UsePAM yes

4. Edit PAM config (/etc/pam.d/sshd) to require 2FA:

   auth required pam_google_authenticator.so

Use SSH Agents for Key Management

If you use a passphrase with your SSH key, avoid retyping it by using ssh-agent (runs in the background and caches keys):

eval "$(ssh-agent -s)"  # Start the agent
ssh-add ~/.ssh/id_ed25519  # Add your key (enter passphrase once)

For persistence across sessions, add the agent startup to your shell config (e.g., ~/.bashrc or ~/.zshrc).

Keep SSH Software Updated

Regularly update OpenSSH to patch security vulnerabilities:

# Debian/Ubuntu
sudo apt update && sudo apt upgrade openssh-server  

# RHEL/CentOS/Fedora
sudo dnf update openssh-server  

Conclusion

SSH is an indispensable tool for secure Linux administration. By mastering its fundamentals—key-based authentication, file transfer, and configuration—you can streamline workflows while keeping your systems protected. Always prioritize security best practices like disabling passwords, limiting access, and enabling 2FA to mitigate risks.

With this guide, you’re well-equipped to use SSH confidently and securely in any Linux environment.

References

• OpenSSH Official Documentation
• SSH Protocol Overview (SSH.com)
• sshd_config Man Page
• Ed25519: High-Security Elliptic Curve Signatures
• UFW Firewall Guide