OpenSSH

OpenSSH is one of the most important tools for a system administrator. It allows
controlling a system without having to input data on the system itself, but via
network connection.

Installation

The Installation is different for the various Linux distributions. Most of the
time the package is called something like openssh.

pacman --needed -S openssh
yum install openssh-server openssh-clients

Usage

The OpenSSH Server by default uses TCP with the Port 22. It may be necessary
to allow the port in the firewall to be able to access the server.

Starting the Server is just a matter of using.

systemctl start openssh

By default, all Users are allowed to connect to the Server using their password.
It is, however, best practice to change that to only allow connections via
public key. But before we can do that, it is necessary to create a public key
on the client with the following command.

ssh-keygen -C "<email or other identifier>"

Afterwards, we can get the public key from the ~/.ssh/id_rsa.pub file and put
it in the ~/.ssh/authorized_keys file on the server. We should now be able to
connect from our client to the server using only the public key. To test that
use the following command on the client.

ssh <hostname or ip> -l <username>

Only proceed to the next step if you are able to connect with the upper command
to the server without using your password. The next step involves changing the
configuration to only allow public key authentication. To do that we will
change the following entries in the /etc/ssh/sshd_config file on the server.

PasswordAuthentication no

You may also want to update the PermitRootLogin to no if you're not using
the root account to administrate your server. This, however, is optional. The
last step is to automatically start OpenSSH when the server is restarted. We
can do that by enabling the server with systemd.

systemctl enable openssh

OpenSSH with socket

The OpenSSH Server can also run as a Socket. The advantage of doing that is that
updates don't require restarting the OpenSSH server as each connection is
creating a new instance of the OpenSSH daemon. In other words, after an update,
you can connect with a second session to the OpenSSH daemon to check whether it
is still working before disconnecting your first session. The disadvantage,
however, is that it takes a bit longer to connect, as the OpenSSH daemon must be
started for each connection.

The first step to change OpenSSH to a socket connection is to switch the enabled
service in systemd with the following command.

systemctl disable sshd
systemctl enable sshd.socket

If your OpenSSH daemon is already running that you have to stop it before you
can enable the socket. This, however, might be tricky, as you probably are
connected to the server via OpenSSH. Therefore, we are issuing the following
command as a single statement, to make sure that the OpenSSH daemon gets stopped
and the OpenSSH socket gets started. Running this command might require you to
reconnect to the server, 'cause your current connection might get killed.

systemctl stop sshd && systemctl start sshd.socket

OpenSSH on a different port

OpenSSH may also be used on a different port than 22. This is especially useful
'cause a lot of servers are trying to randomly connect to open 22 Ports. What
port you want to use is pretty much up to you. However, it is best to use one of
the user ports ranging from 1024 to 49151.

To change the port, we have to modify the /etc/ssh/sshd_config file and update
the Port to a new value like 5000.

Port 5000

Afterwards, we can restart the OpenSSH Server with:

systemctl restart sshd

Changing the Port on the sshd socket requires a different step. In this case, it
is not the sshd configuration with defines the port, but the sshd.socket file.
Therefore, we have to change the ListenStream entry in.
/usr/lib/systemd/system/sshd.socket to reflect the new port.

ListenStream=5000

Afterwards, we can restart the OpenSSH Server Socket with:

systemctl restart sshd.socket