<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title xmlns="">OpenSSH Server</title>
<link rel="stylesheet" href="../../libs/ubuntu-book.css" type="text/css" />
<link rel="home" href="index.html" title="Ubuntu Server Guide" />
<link rel="up" href="remote-administration.html" title="Chapter 5. Remote Administration" />
<link rel="prev" href="remote-administration.html" title="Chapter 5. Remote Administration" />
<link rel="next" href="puppet.html" title="Puppet" />
<link rel="copyright" href="legal.html" title="Credits and License" />
<div xmlns="http://www.w3.org/1999/xhtml" class="sect1" title="OpenSSH Server">
<div class="titlepage">
<h2 class="title" style="clear: both"><a id="openssh-server"></a>OpenSSH Server</h2>
<div class="sect2" title="Introduction">
<div class="titlepage">
<h3 class="title"><a id="openssh-introduction"></a>Introduction</h3>
This section of the Ubuntu Server Guide introduces a powerful collection of tools
for the remote control of networked computers and transfer of data between
networked computers, called <span class="emphasis"><em>OpenSSH</em></span>. You will also learn
about some of the configuration settings possible with the OpenSSH server
application and how to change them on your Ubuntu system.

OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of
tools for remotely controlling a computer or transferring files between computers.
Traditional tools used to accomplish these functions, such as
<span class="application"><strong>telnet</strong></span> or <span class="application"><strong>rcp</strong></span>, are insecure
and transmit the user's password in cleartext when used. OpenSSH provides a server
daemon and client tools to facilitate secure, encrypted remote control and file
transfer operations, effectively replacing the legacy tools.

The OpenSSH server component, <span class="application"><strong>sshd</strong></span>, listens
continuously for client connections from any of the client tools. When a connection
request occurs, <span class="application"><strong>sshd</strong></span> sets up the correct connection
depending on the type of client tool connecting. For example, if the remote
computer is connecting with the <span class="application"><strong>ssh</strong></span> client application,
the OpenSSH server sets up a remote control session after authentication. If a
remote user connects to an OpenSSH server with <span class="application"><strong>scp</strong></span>, the
OpenSSH server daemon initiates a secure copy of files between the server and
client after authentication. OpenSSH can use many authentication methods, including plain password, public key, and <span class="application"><strong>Kerberos</strong></span> tickets.
<div class="sect2" title="Installation">
<div class="titlepage">
<h3 class="title"><a id="openssh-installation"></a>Installation</h3>
Installation of the OpenSSH client and server applications is simple. To install the
OpenSSH client applications on your Ubuntu system, use this command at a terminal
<span class="command"><strong>sudo apt-get install openssh-client</strong></span>
To install the OpenSSH server application, and related support files, use this command
at a terminal prompt:
<span class="command"><strong>sudo apt-get install openssh-server</strong></span>
The <span class="application"><strong>openssh-server</strong></span> package can also be selected to
install during the Server Edition installation process.
<div class="sect2" title="Configuration">
<div class="titlepage">
<h3 class="title"><a id="openssh-configuration"></a>Configuration</h3>
You may configure the default behavior of the OpenSSH server application,
<span class="application"><strong>sshd</strong></span>, by editing the file
<code class="filename">/etc/ssh/sshd_config</code>. For information about the configuration
directives used in this file, you may view the appropriate manual page with the
following command, issued at a terminal prompt:
<span class="command"><strong>man sshd_config</strong></span>
There are many directives in the <span class="application"><strong>sshd</strong></span> configuration
file controlling such things as communication settings and authentication modes.
The following are examples of configuration directives that can be changed by
editing the <code class="filename">/etc/ssh/sshd_config</code> file.
<div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;">
<table border="0" summary="Tip">
<td rowspan="2" align="center" valign="top" width="25">
<img alt="[Tip]" src="../../libs/admon/tip.png" />
<th align="left"></th>
<td align="left" valign="top">
<p>Prior to editing the configuration file, you should make a copy of the
original file and protect it from writing so you will have the original
settings as a reference and to reuse as necessary.
<p>Copy the <code class="filename">/etc/ssh/sshd_config</code> file and protect it
from writing with the following commands, issued at a terminal prompt:
<span class="command"><strong>sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original</strong></span>
<span class="command"><strong>sudo chmod a-w /etc/ssh/sshd_config.original</strong></span>
The following are examples of configuration directives you may change:
<div class="itemizedlist">
<ul class="itemizedlist" type="disc">
<li class="listitem">
To set your OpenSSH server to listen on TCP port 2222 instead of the default TCP port
22, change the Port directive as such:
<li class="listitem">
To have <span class="application"><strong>sshd</strong></span> allow public key-based login credentials,
simply add or modify the line:
PubkeyAuthentication yes
In the <code class="filename">/etc/ssh/sshd_config</code> file. If the line is already present,
ensure it is not commented out.
<li class="listitem">
To make your OpenSSH server display the contents of the
<code class="filename">/etc/issue.net</code> file as a pre-login
banner, simply add or modify the line:
Banner /etc/issue.net
In the <code class="filename">/etc/ssh/sshd_config</code> file.
After making changes to the <code class="filename">/etc/ssh/sshd_config</code> file, save
the file, and restart the <span class="application"><strong>sshd</strong></span> server application to
effect the changes using the following command at a terminal prompt:
<span class="command"><strong>sudo /etc/init.d/ssh restart</strong></span>
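The directive checks and the restart step above can be scripted so that a commented-out line or a typo is caught before the daemon is restarted. The shell functions below are an added example, not part of the Ubuntu Server Guide: the names effective_directive and apply_sshd_config are hypothetical, the sample file is constructed, and the sshd binary is assumed to be installed at /usr/sbin/sshd.

```shell
#!/usr/bin/env bash
# Added example, not from the Ubuntu Server Guide. Function names are hypothetical.

# Print the value sshd will use globally for KEYWORD in FILE, or nothing if the
# line is absent or commented out. Keywords are case-insensitive; sshd keeps the
# first value it reads (a few keywords, such as Port, may be repeated), and
# anything after a Match line applies only conditionally, so parsing stops there.
effective_directive() {
    awk -v kw="$2" '
        /^[ \t]*(#|$)/         { next }  # comment or blank line
        tolower($1) == "match" { exit }  # conditional section begins
        tolower($1) == tolower(kw) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Check a candidate file with sshd test mode (-t) and only then install it and
# restart, so a bad directive cannot stop the daemon. sshd is called by its
# absolute path (assumed /usr/sbin/sshd); the live file is /etc/ssh/sshd_config.
apply_sshd_config() {
    local candidate=$1
    sudo /usr/sbin/sshd -t -f "$candidate" || {
        echo "sshd rejected $candidate; live configuration left untouched" >&2
        return 1
    }
    sudo cp "$candidate" /etc/ssh/sshd_config && sudo /etc/init.d/ssh restart
}

# Constructed sample: PubkeyAuthentication is present but commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
#PubkeyAuthentication yes
banner /etc/issue.net
Match User backup
    PubkeyAuthentication yes
EOF

for kw in Port PubkeyAuthentication Banner; do
    printf '%-22s %s\n' "$kw" "$(effective_directive "$sample" "$kw")"
done
```

When changing the configuration over SSH, keep the current session open and confirm that a second login works before closing it.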
<div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<table border="0" summary="Warning">
<td rowspan="2" align="center" valign="top" width="25">
<img alt="[Warning]" src="../../libs/admon/warning.png" />
<th align="left"></th>
<td align="left" valign="top">
Many other configuration directives for <span class="application"><strong>sshd</strong></span> are
available for changing the server application's behavior to fit your needs.
Be advised, however, if your only method of access to a server is
<span class="application"><strong>ssh</strong></span>, and you make a mistake in configuring
<span class="application"><strong>sshd</strong></span> via the
<code class="filename">/etc/ssh/sshd_config</code> file, you may find you
are locked out of the server upon restarting it, or that the
<span class="application"><strong>sshd</strong></span> server refuses to start due to an incorrect
configuration directive, so be extra careful when editing this file on a
<div class="sect2" title="SSH Keys">
<div class="titlepage">
<h3 class="title"><a id="openssh-keys"></a>SSH Keys</h3>
SSH <span class="emphasis"><em>keys</em></span> allow authentication between two hosts without the need of a password. SSH key authentication
uses two keys, a <span class="emphasis"><em>private</em></span> key and a <span class="emphasis"><em>public</em></span> key.

To generate the keys, from a terminal prompt enter:
<span class="command"><strong>ssh-keygen -t dsa</strong></span>
This will generate a <span class="emphasis"><em>DSA</em></span> key pair as the authentication identity of the user. During the process you
will be prompted for a passphrase. Simply hit <span class="emphasis"><em>Enter</em></span> when prompted to create the key without a passphrase.

By default the <span class="emphasis"><em>public</em></span> key is saved in the file <code class="filename">~/.ssh/id_dsa.pub</code>, while
<code class="filename">~/.ssh/id_dsa</code> is the <span class="emphasis"><em>private</em></span> key. Now copy the <code class="filename">id_dsa.pub</code> file
to the remote host and append it to <code class="filename">~/.ssh/authorized_keys</code> by entering:
<span class="command"><strong>ssh-copy-id username@remotehost</strong></span>
Finally, double check the permissions on the <code class="filename">authorized_keys</code> file; only the authenticated user should have read and write permissions.
If the permissions are not correct, change them with:
<span class="command"><strong>chmod 600 .ssh/authorized_keys</strong></span>
You should now be able to SSH to the host without being prompted for a password.
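The permission check described above can be automated for both the authorized_keys file and the private key. The shell function below is an added example, not part of the Ubuntu Server Guide: audit_ssh_dir is a hypothetical helper name, the demo runs in a constructed scratch directory, and GNU stat as shipped on Ubuntu is assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the Ubuntu Server Guide. audit_ssh_dir is a
# hypothetical helper; it relies on GNU stat (stat -c), as shipped on Ubuntu.

# Report files under an .ssh directory whose mode is looser than the guide's
# advice. Prints one line per finding and returns non-zero if any were found.
audit_ssh_dir() {
    local dir=$1 rc=0 f mode
    # The directory itself must not be writable by group or others, or sshd
    # (StrictModes, on by default) ignores the authorized_keys file in it.
    mode=$(stat -c '%a' "$dir")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is group/other writable"; rc=1
    fi
    # authorized_keys and the private key: owner read/write only (600).
    for f in "$dir/authorized_keys" "$dir/id_dsa"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$f: mode $mode, expected 600"; rc=1
        fi
    done
    return $rc
}

# Constructed demo in a scratch directory (no real keys involved).
scratch=$(mktemp -d)
mkdir -m 700 "$scratch/.ssh"
: > "$scratch/.ssh/authorized_keys"
chmod 664 "$scratch/.ssh/authorized_keys"     # deliberately too open

audit_ssh_dir "$scratch/.ssh" || echo "fix with: chmod 600 .ssh/authorized_keys"
```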
<div class="sect2" title="References">
<div class="titlepage">
<h3 class="title"><a id="openssh-references"></a>References</h3>
<div class="itemizedlist">
<ul class="itemizedlist" type="disc">
<li class="listitem">
<a class="ulink" href="https://help.ubuntu.com/community/SSH" target="_top">Ubuntu Wiki SSH</a> page.
<li class="listitem">
<a class="ulink" href="http://www.openssh.org/" target="_top">OpenSSH Website</a>
<li class="listitem">
<a class="ulink" href="https://wiki.ubuntu.com/AdvancedOpenSSH" target="_top">Advanced OpenSSH Wiki Page</a>
<div id="ubuntulinks">
<p>The material in this document is available under a free license, see <a href="/legal.html">Legal</a> for details<br />
For information on contributing see the <a href="https://wiki.ubuntu.com/DocumentationTeam">Ubuntu Documentation Team wiki page</a>. To report a problem, visit the <a href="https://bugs.launchpad.net/ubuntu/+source/ubuntu-docs">bug page for Ubuntu Documentation</a></p>