openssh-server
Enable secure remote access to the system
SYNOPSIS
sshd [-deDqtv] [-f config_file] [-h host_key_file] [-i] [-p port] [-o option]
PARAMETERS
-d
Debug mode. The server will not detach and will log to standard error. Implies -D.
-e
Log to standard error instead of syslog. Often used with -d.
-D
When started, the server will not detach and become a daemon. Useful for running sshd under a process supervisor like systemd.
-f config_file
Specifies an alternative configuration file to use instead of the default /etc/ssh/sshd_config.
-h host_key_file
Specifies a file from which a host key is read. This option may be specified multiple times for different host key types.
-i
Specifies that sshd is being run from inetd (less common on modern systems).
-p port
Specifies the port number that sshd listens on. The default is 22.
-t
Test configuration file. sshd will check the validity of the configuration file and exit. This is very useful before restarting the service.
-q
Quiet mode. Causes sshd to suppress all warning and diagnostic messages.
-v
Verbose mode. Causes sshd to print debugging messages about its progress. This is helpful for debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity.
DESCRIPTION
OpenSSH-server is the server component of the OpenSSH suite of tools, providing secure encrypted communication over untrusted networks. It enables remote login, command execution, and secure file transfers (via SCP and SFTP). The core executable is sshd, which runs as a background daemon, listening for incoming connections, typically on port 22. It authenticates connecting clients using various methods, including password, public key, and GSSAPI authentication, ensuring that only authorized users can access the system. OpenSSH-server replaces insecure protocols like Telnet, rlogin, and FTP, offering robust security features like strong encryption (e.g., AES, ChaCha20-Poly1305), data integrity checks, and protection against various network attacks. It is an indispensable tool for system administrators and developers to manage servers, deploy applications, and securely transfer data across the internet.
The server's behavior is highly configurable through the sshd_config file, allowing administrators to define listening ports, authentication methods, authorized users, and various security policies, making it a cornerstone for secure remote administration on Linux and Unix-like operating systems.
CAVEATS
Opening port 22 (or any other port for SSH) to the internet poses security risks. It is crucial to:
1. Secure authentication: Prefer public key authentication over password authentication. If using passwords, ensure they are strong.
2. Limit access: Use firewall rules to restrict access to known IP addresses or networks.
3. Disable root login: Prevent direct root login.
4. Use Fail2Ban: Implement tools like Fail2Ban to mitigate brute-force attacks.
5. Keep software updated: Regularly update OpenSSH-server to patch known vulnerabilities.
6. Review logs: Monitor SSH logs for suspicious activity.
Misconfiguration can lead to severe security vulnerabilities or lock you out of your system.
CONFIGURATION FILE
The primary configuration for OpenSSH-server is located at /etc/ssh/sshd_config. This plain-text file controls almost every aspect of the server's behavior, including listening address and port, authentication methods (e.g., PasswordAuthentication, PubkeyAuthentication), logging levels, allowed users/groups (AllowUsers, AllowGroups), and security parameters. After modifying this file, the sshd service must be restarted (or reloaded) for changes to take effect.
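Added example, not code from the page or from the OpenSSH project: a POSIX sh audit that reads a sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, lines after Match are conditional), flags the settings the CAVEATS list warns about, and runs sshd -t -f on the file before it is reloaded. The two sample configs and the group name sshusers are constructed for the demonstration.

```shell
# Audit an sshd_config for the weak settings named under CAVEATS, then
# check syntax with "sshd -t -f" before the service is reloaded.
# Effective global value of keyword $2 in file $1 (lower-cased), or $3 if
# unset. sshd honours the first occurrence of a keyword (case-insensitive)
# and ignores later ones; lines after "Match" are conditional, not global.
effective_value() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }                  # comments, blanks
        tolower($1) == "match" { exit }                       # global part ends
        tolower($1) == tolower(k) { print tolower($2); exit } # first one wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# One "WEAK:" line per finding. Fallbacks are sshd's own defaults:
# PasswordAuthentication yes, PubkeyAuthentication yes,
# PermitRootLogin prohibit-password, AllowUsers/AllowGroups unset.
audit_config() {
    f=$1
    [ "$(effective_value "$f" PasswordAuthentication yes)" = no ] \
        || echo "WEAK: PasswordAuthentication is not no (prefer public keys)"
    [ "$(effective_value "$f" PubkeyAuthentication yes)" = yes ] \
        || echo "WEAK: PubkeyAuthentication is not yes"
    [ "$(effective_value "$f" PermitRootLogin prohibit-password)" = no ] \
        || echo "WEAK: PermitRootLogin is not no"
    [ -n "$(effective_value "$f" AllowUsers '')$(effective_value "$f" AllowGroups '')" ] \
        || echo "WEAK: no AllowUsers/AllowGroups restriction"
}

# Number of findings for file $1; 0 means the file passes this audit.
weak_count() { audit_config "$1" | awk 'END { print NR }'; }
# sshd -t needs sshd installed and root to read the host keys.
validate_config() {
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1"; else echo "no sshd here, skipping -t" >&2; fi
}

# Constructed sample configs (not from the page): one permissive, one hardened.
DIR=$(mktemp -d)
WEAK_CFG=$DIR/weak_sshd_config; HARD_CFG=$DIR/hardened_sshd_config
printf '%s\n' '# distro-style permissive defaults' 'Port 22' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'AllowGroups sshusers' \
    'Match User backup' '    PasswordAuthentication yes' > "$HARD_CFG"
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg: $(weak_count "$cfg") weak setting(s)"; audit_config "$cfg"
    validate_config "$cfg" || echo "syntax check did not pass for $cfg" >&2
done
```

Point the functions at /etc/ssh/sshd_config to audit a live host; the Match block in the hardened sample shows why a naive last-match or any-match grep would misreport PasswordAuthentication.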
SERVICE MANAGEMENT
On most modern Linux distributions (those using systemd), OpenSSH-server (the sshd service) is managed using the systemctl command. Common commands include:
sudo systemctl start sshd: Starts the SSH daemon.
sudo systemctl stop sshd: Stops the SSH daemon.
sudo systemctl restart sshd: Restarts the SSH daemon (applies configuration changes).
sudo systemctl reload sshd: Reloads the SSH configuration without dropping active connections.
sudo systemctl status sshd: Checks the current status of the SSH daemon.
sudo systemctl enable sshd: Enables the SSH daemon to start on boot.
AUTHENTICATION METHODS
OpenSSH-server supports several authentication methods:
1. Password Authentication: Users provide their system password. Less secure, as it is exposed to brute-force attacks.
2. Public Key Authentication: The recommended method. Users generate a key pair (public and private). The public key is placed on the server (in ~/.ssh/authorized_keys), and the private key is kept by the client. This method is both more secure and more convenient.
3. Keyboard-Interactive Authentication: A more flexible form of password authentication, often used for multi-factor authentication (e.g., prompting for an OTP).
4. GSSAPI Authentication: Used in environments with Kerberos or other GSSAPI mechanisms.
HISTORY
SSH (Secure Shell) was originally designed in 1995 by Tatu Ylönen to replace older, insecure protocols like Telnet, rsh, and rlogin. The initial commercial version was widely adopted. In 1999, frustrated by the licensing terms of the commercial version, developers from the OpenBSD project created OpenSSH, a free and open-source implementation. OpenSSH-server, the daemon component of this suite, quickly became the de-facto standard for secure remote access on Unix-like operating systems due to its robust security, active development, and open-source nature. It has been continually refined, adding features like stronger encryption algorithms, improved authentication methods, and better performance, making it an essential component of modern networked systems.
SEE ALSO
ssh(1), scp(1), sftp(1), ssh-keygen(1), ssh-copy-id(1), sshd_config(5), ssh_config(5), systemctl(1), firewalld(8), ufw(8), passwd(1)