sshd is the OpenSSH server process. It listens to incoming connections using the SSH protocol and acts as the server for the protocol. It handles user authentication, encryption, terminal connections, file transfers, and tunneling.

Contents
How to Install SSH Server on Linux
Startup and Roles of Different sshd processes
Configuration File
Logging
Debugging SSH Connection Problems
  SSH Client -v Option
  Log Files
  Run the Server in Debug Mode
Command-Line Options
Getting Version Number of the Installed Server

How to Install SSH Server on Linux

The SSH server usually comes up as a readily installable package on most Linux distributions. However, it is not always installed by default. You can try ssh localhost to test if it is running; if it responds with something like Connection refused, then it is not running.

On Debian-derived distributions, the command to install an SSH server is usually:
aptitude install openssh-server

On Red Hat derived distributions, the command would usually be:
yum install openssh-server

These commands must be run as root. If the server does not start automatically, try using the service sshd start command, or just reboot the computer.

To get an SSH server for Windows, see Tectia SSH. To get one for IBM z/OS mainframes, see Tectia SSH for Mainframes.

Startup and Roles of Different sshd processes

The sshd process is started when the system boots. The program is usually located at /usr/sbin/sshd. It runs as root. The initial process acts as the master server that listens to incoming connections. Generally this process is the one with the lowest process id or the one that has been running the longest. It is also the parent process of all the other sshd processes. The following command can be used to display the process tree on Linux, and it is easy to see which one is the parent process.
ps axjf

For example, it is easy to see in the following output that process 2183 is the master server. The other sshd processes are child processes that serve a single connection. A new process is created for each new SSH session.

 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
...
    1  2183  2183  2183 ?           -1 Ss       0   8:51 /usr/sbin/sshd -D
 2183 12496 12496 12496 ?           -1 Ss       0   0:00  \_ sshd: cessu [priv]
12496 12567 12496 12496 ?           -1 S    15125  24:07  |   \_ sshd: cessu
 2183 12568 12568 12568 ?           -1 Ss       0   0:00  \_ sshd: cessu [priv]
12568 12636 12568 12568 ?           -1 S    15125   0:00  |   \_ sshd: cessu@pts/2
12636 12637 12637 12637 pts/2    12637 Ss+  15125   0:00  |       \_ -zsh
...

If the SSH server is upgraded or restarted, only the master server is generally restarted. The server has been designed so that the server processes serving existing connections continue to operate. This minimizes the disruption to users when, for example, server configuration is changed. The easiest way to restart the SSH server is usually to use service sshd restart. However, care should be taken when upgrading configurations remotely, as errors could prevent connecting to the server again (see below).

It is also possible to kill individual processes by killing the server process for a particular user, terminal, or command. This could be done, e.g., using the kill -9 <processid> command.

It is also possible to run multiple master sshd processes on the same system. This is very unusual, but we have seen enterprise customers with more than ten servers running simultaneously with different configurations. Each server would need to listen to a different port and usually would have a different configuration file.

Configuration File

The SSH server has a configuration file, usually /etc/ssh/sshd_config. The configuration file specifies encryption options, authentication options, file locations, logging, and various other parameters. For a detailed description, please see the sshd_config documentation.

Logging

The SSH server uses the syslog subsystem for logging. There are many ways to configure syslog and several syslog servers. Many enterprises also collect syslog data into their centralized SIEM (Security Incident and Event Management) system.

On most systems, syslog is configured to log SSH-related messages by default into files under /var/log/. On Debian-derived systems, the default log file is usually /var/log/auth.log. On Red Hat derived systems, the default log file is usually /var/log/secure.

Both the syslog facility and logging level can be configured in the server configuration file. It is strongly advised to set the logging level to VERBOSE, so that fingerprints for SSH key access get properly logged. Newest OpenSSH versions may log them automatically, but many Linux distributions still come with versions that don't log fingerprints without this setting. See SSH key management for why this is important.

Debugging SSH Connection Problems

Sometimes logging into an SSH server just doesn't seem to work, and it can be difficult to figure out what the problem is. There are basically three tools that help diagnose connection and authentication problems: the SSH client -v option, the log files, and running the server in debug mode.

SSH Client -v Option

The first approach is to add the -v option when calling the client on the command line. For example:
ssh -v [user@]host

This will print verbose debugging output that can usually identify what the problem is. Things to check include:

- Does it successfully establish the TCP connection to the server? If not, it could be a DNS or routing problem, or the server could be down. If the output includes Connection established, then the connection was successful.
- Check the user name that it is trying to authenticate as. Look for a line containing Authenticating to <hostname> as '<username>'.
- Check that it successfully negotiates encryption. If you see a line containing SSH2_MSG_SERVICE_ACCEPT received, then encryption negotiation was successful. If not, then the server or client must be reconfigured. An outdated host key on the client could also cause this (use ssh-keygen -R <hostname> on the client to remove the old host key if necessary; see ssh-keygen).
- Look at the authentication methods the server is willing to accept. Look for lines containing Authentications that can continue: <list of methods>. If the method you are trying to use is not included, you need to change the configuration of the server and restart the server. This is a fairly common cause of problems if using anything other than password or public key authentication.
- If you see a line containing Authentication succeeded, then it is not an authentication problem. If login fails after this, then it could be a problem with the user's login shell or, e.g., .bashrc.
- It is fairly common for X11 forwarding to fail. It is disabled by default in the OpenSSH server. You need to edit the sshd_config file on the server to have the line X11Forwarding yes to enable it. It often does not need to be enabled on enterprise application servers, but in universities, home environments, and development servers it is usually needed. Again, remember to restart the server.

Log Files

Looking at the log files can often reveal insights into the cause of the problem. The messages sent to the client are intentionally designed to reveal quite little about the user being logged in as. This is for security reasons. For example, we don't want an attacker to be able to test which user accounts exist on a target system. More information about, e.g., authentication failures can often be found in the log file.

Run the Server in Debug Mode

A system administrator can manually run the server with the -d option to get extra verbose output from the server. This is often the last resort when diagnosing connection problems. Usually the cause of authentication failures is quite clearly visible in its output.

It may be desirable to run the new server on a different port than the normal server, so as to not prevent new connections to the server (especially if it is remote!). In this case, the server would be run (as root) with something like
sshd -d -p 2222
and then the client would connect with
ssh -p 2222 [user@]host

Command-Line Options

It is rare to have to manually provide command options for the SSH server. Generally only people repackaging SSH or creating new Linux distributions or new embedded platforms (e.g., IoT devices) would do this. The following options are available in OpenSSH:

-4
    Only use IPv4 addresses. This might be used in environments where DNS gives IPv6 addresses but routing does not work for them.

-6
    Only use IPv6 addresses. This might be used for testing to make sure IPv6 connectivity works.

-C connection_spec
    Used for testing particular Match blocks in the configuration file, in combination with the -T option. The connection_spec is a comma-separated list of <keyword>=<value> pairs, where <keyword> can be one of: user, host, laddr, lport, addr. Multiple -C options are permitted and combined.

-c host_certificate_file
    Specifies the path of a file containing the host certificate for the host. The certificate is in OpenSSH's proprietary format.

-D
    Do not detach and become a daemon. This is often used when sshd is run using systemd. This allows easier monitoring of the process in such environments. Without this option, the SSH server forks and detaches from the terminal, making itself a background daemon process. The latter has been the traditional way to run the SSH server until recently. Many embedded systems would still use the latter.

-d
    Enables debug mode. The server does not fork, and will exit after processing a single connection. This can be used for diagnosing user authentication and other problems, and usually gives more information about the problem than is sent to the client.

-E log_file
    Appends logs to the specified file, instead of sending them to syslog.

-e
    Write debug logs to standard error. This could be used for debugging.

-f config_file
    Specifies the path of the server configuration file. By default, /etc/ssh/sshd_config is used.

-g login_grace
    Specifies how quickly users must authenticate themselves after opening a connection to the SSH server. The default is 120 seconds, but this can be changed in the server configuration file. The timeout prevents permanently reserving resources on the server by opening an unauthenticated connection to it.

-h host_key_file
    Specifies a file from which to read a host key. The default is to use /etc/ssh/ssh_host_<algorithm>_key files. Only one host key can be specified for each algorithm.

-i
    This would be used if the server was run through inetd. However, nobody does it these days.

-k timeout
    This option is obsolete. It was used with SSH version 1. Its use is strongly discouraged.

-o option
    Overrides any configuration option specified in the configuration file. This could be useful for testing and running multiple servers on different ports.

-p port
    Specifies the port that the server listens on. The default is 22. The port can also be specified in the server configuration file.

-q
    Doesn't send anything to the system log. This is not recommended; the only real use of this option would be for an attacker to hide logins using a backdoor. This option really shouldn't be there.

-T
    Reads the server configuration file, checks its syntax, and exits. This is useful for checking that the configuration file is ok before restarting the server. Checking the configuration file is especially important if updating the configuration remotely. In fact, in such cases it is best to first test the new configuration by running a second server on a new port, and only restart the primary server after a successful login using the test server. This can be combined with the -C option to test individual Match blocks in the configuration file.

-t
    Checks the validity of the configuration file and referenced keys. See -T for advice on additional testing before restarting a server remotely.

-u len
    This obscure option has only one useful purpose: specifying -u0 causes dotted IP addresses to be stored in the utmp file (which contains information about logins to the server). This disables DNS lookups by the SSH server, if the authentication mechanism or from= patterns on authorized keys do not require them. Otherwise it specifies the size of a utmp structure on the host; the cases where it needs to be manually specified are very rare.

Getting Version Number of the Installed Server

When connecting to an SSH server, it reports a version number to the client. OpenSSH does not provide a documented means for getting the version number of the server. If the server is given the unrecognized -v option, it however reports its version number on the second line of output. This can be very helpful in determining the version number from a shell script.
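The checklist in the SSH Client -v Option section above can be applied mechanically to a saved transcript. The script below is an added example, not code from the original page: the transcript written by write_ssh_v_sample is constructed rather than captured, and the function names ssh_triage and write_ssh_v_sample are my own.

```shell
#!/bin/sh
# Triage of `ssh -v` client output following the checklist in the Debugging
# section: stop at the first checkpoint that is missing and say what to look at.
# Added example; the transcript produced by write_ssh_v_sample is constructed.

ssh_triage() {   # usage: ssh_triage <file with ssh -v output> [expected-method]
    log=$1
    want=${2:-publickey}
    if ! grep -q 'Connection established' "$log"; then
        echo "no TCP connection: check DNS, routing, or whether sshd is running"
        return 1
    fi
    user=$(sed -n "s/.*Authenticating to [^ ]* as '\([^']*\)'.*/\1/p" "$log" | head -n 1)
    echo "authenticating as '${user:-unknown}'"
    if ! grep -q 'SSH2_MSG_SERVICE_ACCEPT received' "$log"; then
        echo "encryption negotiation failed: reconfigure client/server; if the host key changed, run ssh-keygen -R <hostname>"
        return 2
    fi
    methods=$(sed -n 's/.*Authentications that can continue: //p' "$log" | tail -n 1)
    case ",$methods," in
        *,"$want",*) ;;   # the method we want is offered by the server
        *) echo "server does not offer '$want' (offers: $methods): change sshd_config and restart sshd"
           return 3 ;;
    esac
    if grep -q 'Authentication succeeded' "$log"; then
        echo "authentication succeeded: a later failure is a login shell or X11 problem, not authentication"
        return 0
    fi
    echo "authentication with '$want' failed although offered: check the key or password, then the server log"
    return 4
}

# Constructed ssh -v transcript: the server only offers password while the
# client wanted public-key authentication.
write_ssh_v_sample() {   # usage: write_ssh_v_sample <path>
    cat > "$1" <<'EOF'
debug1: Connecting to example.com [192.0.2.10] port 22.
debug1: Connection established.
debug1: Authenticating to example.com:22 as 'alice'
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
EOF
}

tmp=$(mktemp)
write_ssh_v_sample "$tmp"
ssh_triage "$tmp" publickey || echo "triage stopped with status $?"
rm -f "$tmp"
```

Run it against a real transcript with `ssh -v host 2> ssh.log` and then `ssh_triage ssh.log`; the exit status identifies which checkpoint failed.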
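The Logging section recommends LogLevel VERBOSE so that the fingerprint of the key used for each login is recorded. The following added example (not the page's own code) audits a syslog file in the /var/log/auth.log or /var/log/secure format and flags accepted public-key logins that carry no fingerprint, which is what the log looks like when the level is too low; the log lines are constructed, and the names key_logins and write_auth_log_sample are assumed.

```shell
#!/bin/sh
# Audit sshd public-key logins in a syslog file: print user and key
# fingerprint for each accepted login, and flag entries where no fingerprint
# was logged (LogLevel below VERBOSE). Added example; sample lines constructed.

key_logins() {   # usage: key_logins <log file>
    awk '
        /sshd\[[0-9]+\]: Accepted publickey for / {
            user = ""; fp = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i ~ /^SHA256:/ || $i ~ /^MD5:/) fp = $i
            }
            if (fp == "") print user, "NO-FINGERPRINT (set LogLevel VERBOSE in sshd_config)"
            else print user, fp
        }' "$1"
}

# Constructed auth.log-style lines; the fingerprint value is a placeholder.
write_auth_log_sample() {   # usage: write_auth_log_sample <path>
    cat > "$1" <<'EOF'
Mar  3 10:12:01 host sshd[2183]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2: RSA SHA256:EXAMPLEfingerprintAAAA
Mar  3 10:15:44 host sshd[2190]: Accepted publickey for bob from 192.0.2.11 port 51520 ssh2
Mar  3 10:16:02 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:17:30 host sshd[2210]: Accepted password for carol from 192.0.2.12 port 51530 ssh2
EOF
}

tmp=$(mktemp)
write_auth_log_sample "$tmp"
key_logins "$tmp"
rm -f "$tmp"
```

A fingerprint reported here can be matched against the entries in the users' authorized_keys files with ssh-keygen -lf to see which key actually granted access.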
FAQs
What is the difference between OpenSSH and sshd?
sshd is the OpenSSH server process. It listens to incoming connections using the SSH protocol and acts as the server for the protocol. It handles user authentication, encryption, terminal connections, file transfers, and tunneling.

Does sshd need to run as root?
Even though sshd must run as root (in the usual case), it doesn't need unfettered access to kernel memory, most of the filesystem, most other processes, etc.
Why does SSH have no response?
Verify that your network supports connectivity over the SSH port being used. Some public networks may block port 22 or custom SSH ports. You can do this by, for example, testing other hosts using the same port with a known working SSH server. This can help you determine if the issue isn't specific to your Droplet.

How to implement SSH server?
- Step 1: Install and enable SSH Server. ...
- Step 2: Enable SSH Protocol Version 2. ...
- Step 3: Customize the default SSH port (22) ...
- Step 4: Disable root login (SSH) ...
- Step 5: Use ssh keys (Public and Private) ...
- Step 6: Disable X11 Forwarding. ...
- Step 7: Disable Empty Passwords. ...
- Step 8: Set Max Authentication Attempts.
SSH layers
SSH is made up of three layers: transport, user authentication, and connection layers. The transport layer handles the encryption and decryption of the data exchanged. The transport layer also authenticates the server and establishes confidentiality and integrity.
Why is it not recommended to use the root user?
The primary reasons are thus: Every hacker / virus knows that there is a root account. If they are blindly attacking a system, it's a known entry point, and very likely to be a target. This is why your root account should have logins disabled.

What is the purpose of sshd in Linux?
The Secure Shell Daemon application (SSH daemon or sshd) is the daemon program for ssh. This program is an alternative to rlogin and rsh and provides encrypted communications between two untrusted hosts over an insecure network. The sshd is the daemon that listens for connections from clients on port 22.

Why is SSH failing?
When the SSH connection fails, you won't be able to deploy secure encryption on your site and run more advanced tasks such as remote commands. Usually, this error is caused by a wrong SSH port, incorrect credentials, and a disabled SSH service.

What causes a slow SSH connection?
The reason most technology security managers face slow SSH connection speeds is because of network issues. This happens because most technology security managers rely on SSH connections for efficient remote management, but a poor network connection can significantly impact the speed and performance of SSH.

Why is my connection refused when I SSH?
Typos or incorrect credentials are common reasons for a refused SSH connection. This includes errors in the specified username or password, or a wrong IP address. Any discrepancies lead to authentication failure and result in the connection being refused.

What is the difference between OpenSSH and SSH?
SSH (Secure Shell) is a tool for secure system administration, file transfers, and other communication across the Internet or other untrusted network. It encrypts identities, passwords, and transmitted data so that they cannot be eavesdropped and stolen. OpenSSH is an open-source implementation of the SSH protocol.

What is SSH for beginners?
SSH is a secure protocol used as the primary means of connecting to Linux servers remotely. It provides a text-based interface by spawning a remote shell.

How does SSH work step by step?
1. The SSH server sends the supported SSH version information to the SSH client through the established connection. 2. After receiving the version information, the SSH client determines the version to be used based on the SSH version it supports and sends the version to the SSH server.

What is the difference between OpenSSH server config and sshd_config?
sshd_config is the configuration file for the OpenSSH server. ssh_config is the configuration file for the OpenSSH client. Make sure not to get them mixed up. Creating a read-only backup in /etc/ssh means you'll always be able to find a known-good configuration when you need it.

What is the meaning of sshd in SSH?
The Secure Shell Daemon application (SSH daemon or sshd) is the daemon program for ssh. This program is an alternative to rlogin and rsh and provides encrypted communications between two untrusted hosts over an insecure network.

What is the purpose of OpenSSH?
SSH (Secure Shell) is a tool for secure system administration, file transfers, and other communication across the Internet or other untrusted network. It encrypts identities, passwords, and transmitted data so that they cannot be eavesdropped and stolen.

Is OpenSSH an SFTP server?
OpenSSH is a suite of secure networking tools that provides encrypted communication and authentication between hosts. It's one of the most popular implementations of SSH and SFTP.