How to Install OpenSSH on Linux Mint

OpenSSH enables secure remote access to your Linux Mint system through encrypted connections, protecting your commands, file transfers, and authentication credentials from network eavesdropping. Whether you need to administer a headless server, transfer files between machines using SCP or SFTP, or create secure tunnels for other services, OpenSSH provides the foundation for all secure shell operations on Linux.

This guide walks through installing and configuring OpenSSH on Linux Mint, including security hardening with custom ports, key-based authentication, login restrictions, and UFW firewall integration. By the end, you will have a production-ready SSH server accepting secure remote connections with properly configured access controls.

Supported Linux Mint Versions

These instructions apply to Linux Mint 22.x (based on Ubuntu 24.04 LTS) and Linux Mint 21.x (based on Ubuntu 22.04 LTS). The key difference between versions is that Mint 22 uses systemd socket activation for SSH, while Mint 21 runs a traditional persistent daemon. Commands are largely identical, with version-specific differences noted where applicable.

Linux Mint Version	Ubuntu Base	SSH Behavior
Linux Mint 22.x (Wilma, Xia, Zara, Zena)	Ubuntu 24.04 LTS (noble)	Socket-activated (ssh.socket)
Linux Mint 21.x (Vanessa, Vera, Victoria, Virginia)	Ubuntu 22.04 LTS (jammy)	Traditional daemon (ssh.service)

Update System Packages Before SSH Installation

Before installing OpenSSH, update your Linux Mint system to ensure you have the latest security patches and package information. Open a terminal from the applications menu and run the following command:

sudo apt update && sudo apt upgrade

The first part refreshes your package index with the latest available versions, while the second part upgrades any outdated packages. This prevents potential conflicts during the OpenSSH installation and ensures your system has current security updates.

Install OpenSSH Server with APT

Linux Mint includes the SSH client by default, but the server component that accepts incoming connections requires manual installation. First, verify your current OpenSSH client version:

ssh -V

On Linux Mint 22.x:

OpenSSH_9.6p1 Ubuntu-3ubuntu13.14, OpenSSL 3.0.13 30 Jan 2024

On Linux Mint 21.x:

OpenSSH_8.9p1 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022

Next, install the OpenSSH server package to allow your machine to accept incoming SSH connections:

sudo apt install openssh-server

The installation creates SSH host keys, configures the service, and enables it to start automatically on boot. Once installation completes, verify that SSH is running properly.

Verify OpenSSH Installation

The verification command differs between Linux Mint versions due to how the SSH daemon is activated. Linux Mint 22 uses socket-based activation where systemd listens for connections and starts the SSH service on demand, while Linux Mint 21 runs the SSH daemon continuously.

On Linux Mint 22.x (socket-activated):

sudo systemctl status ssh.socket

Expected output showing the socket is active and listening:

● ssh.socket - OpenBSD Secure Shell server socket
     Loaded: loaded (/usr/lib/systemd/system/ssh.socket; enabled; preset: enabled)
     Active: active (listening) since Thu 2026-01-02 10:30:00 UTC
   Triggers: ● ssh.service
     Listen: 0.0.0.0:22 (Stream)
             [::]:22 (Stream)

On socket-activated systems, ssh.service appears inactive until the first SSH connection triggers it. This behavior is normal because the socket handles listening and starts the service on demand. You only need to investigate if the socket itself shows as inactive.

On Linux Mint 21.x (traditional daemon):

sudo systemctl status ssh

Expected output showing the service is running:

● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-01-02 10:30:00 UTC
   Main PID: 1234 (sshd)
      Tasks: 1 (limit: 4096)
     Memory: 2.5M

Configure OpenSSH for Enhanced Security

The default OpenSSH configuration provides reasonable security, but production environments benefit from additional hardening. The primary configuration file at /etc/ssh/sshd_config controls all server behavior. Open it with your preferred text editor:

sudo nano /etc/ssh/sshd_config

Make all desired changes from the sections below before saving. After completing modifications, always test the configuration syntax before restarting SSH:

sudo sshd -t

If the command returns no output, the configuration is valid. If there are errors, SSH displays the line number and problem so you can fix it before applying changes. This step prevents locking yourself out with a broken configuration.

Disable Root Login

Preventing direct root login via SSH forces attackers to compromise a regular user account before attempting privilege escalation, adding a critical security layer. Before making this change, ensure you have a non-root user account with sudo privileges on Linux Mint to avoid locking yourself out of the server.

Locate the PermitRootLogin directive in your configuration file. The default line is commented:

#PermitRootLogin prohibit-password

Uncomment and change it to:

PermitRootLogin no

This modification completely prevents the root user from logging in over SSH, regardless of authentication method.

Restrict Access to Specific Users

By default, OpenSSH permits remote access to all users on your system. To limit SSH access to specific accounts, add the AllowUsers directive at the end of the configuration file:

AllowUsers your_username

Replace your_username with your actual username. For multiple users, separate them with spaces:

AllowUsers alice bob deploy

This setting explicitly defines who can access your system via SSH, denying all other accounts even if they have valid passwords.

Enable Key-Based Authentication

Key-based authentication provides stronger security than passwords by using cryptographic key pairs instead of transmitted secrets. This method eliminates password brute-force attacks entirely.

Before disabling password authentication, generate a key pair on your client machine (the computer you connect from) and copy the public key to your server. Use the modern Ed25519 algorithm:

ssh-keygen -t ed25519

The command prompts you for a file location and optional passphrase:

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_ed25519
Your public key has been saved in /home/user/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user@hostname

Press Enter to accept the default file path (~/.ssh/id_ed25519) and set a strong passphrase when prompted. Then copy the public key to your Linux Mint server:

ssh-copy-id username@your_server_ip

After verifying you can log in with your key (test this in a separate session before proceeding), disable password authentication by locating and modifying these directives in sshd_config:

PasswordAuthentication no
KbdInteractiveAuthentication no

Keep an existing SSH session open while testing key authentication in a new terminal. If key-based login fails, you can still access the server through the original session to fix the configuration.

Limit Authentication Attempts

Restricting failed login attempts per connection mitigates brute-force attacks by disconnecting clients after too many failures. Locate the MaxAuthTries directive and set a reasonable limit:

MaxAuthTries 3

This setting limits the number of authentication attempts per connection to three. Combined with Fail2ban (which monitors authentication logs and bans repeat offenders), this provides robust protection against password guessing attacks.

Change the Default SSH Port

Changing the default SSH port from 22 reduces automated attack attempts targeting the standard port. While security through obscurity alone is insufficient, combining a non-standard port with other hardening measures significantly reduces log noise from automated scanners.

Locate the Port directive and set a custom port number between 1024 and 65535:

Port 2222

Before restarting SSH with a new port, update your firewall rules to allow the new port. Otherwise, you will lock yourself out of remote sessions. Add the new port rule first, test the connection, then remove the old port 22 rule.

Apply Configuration Changes

After making all desired changes, save the file (in nano, press Ctrl+O, then Enter, then Ctrl+X to exit). Then apply the configuration changes using the appropriate commands for your Linux Mint version.

On Linux Mint 22.x (socket-activated):

For Port or ListenAddress changes, the socket configuration must be regenerated:

sudo systemctl daemon-reload
sudo systemctl restart ssh.socket

The daemon-reload triggers the systemd generator that reads the new port from sshd_config and updates the socket configuration. For authentication-only changes (root login, MaxAuthTries, password settings), restart the service instead:

sudo systemctl restart ssh

On Linux Mint 21.x (traditional daemon):

sudo systemctl restart ssh

Verify the service is listening on the correct port:

sudo ss -tlnp | grep ssh

Expected output for a custom port (2222 in this example):

LISTEN 0      4096         0.0.0.0:2222       0.0.0.0:*    users:(("sshd",pid=1234,fd=3))
LISTEN 0      4096            [::]:2222          [::]:*    users:(("sshd",pid=1234,fd=4))

Configure UFW Firewall for SSH

The Uncomplicated Firewall (UFW) provides straightforward firewall management on Linux Mint. Configuring UFW rules ensures only authorized traffic reaches your SSH service while blocking unwanted connection attempts.

Install and Enable UFW

If UFW is not already installed, add it with APT:

sudo apt install ufw

Before enabling UFW, always add an SSH allow rule first. Enabling UFW without an SSH rule will lock you out of remote sessions immediately. This is the most common firewall-related lockout scenario.

Allow SSH connections on the default port:

sudo ufw allow ssh

If you configured a custom SSH port, use the port number instead:

sudo ufw allow 2222/tcp

Now enable UFW:

sudo ufw enable

Expected output:

Firewall is active and enabled on system startup

Verify and Manage Firewall Rules

Check the current firewall status and rules:

sudo ufw status numbered

Expected output showing SSH rules with numbered entries:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

To restrict SSH access to a specific IP address (useful for servers accessed from a known location):

sudo ufw allow from 192.168.1.100 to any port 22

Replace 192.168.1.100 with the IP address you want to grant access.

To delete a rule, use its number from the status output:

sudo ufw delete 1

UFW prompts for confirmation before removing the rule. Always verify your SSH access rule remains in place before disconnecting from an active session.

Connect to Remote Machines Using SSH

With OpenSSH installed and configured, you can now connect to remote systems. The following commands work from any machine with an SSH client installed, including your Linux Mint workstation.

Establish a Basic SSH Connection

Connect to a remote server using the standard SSH command syntax:

ssh username@server_ip

Replace username with your account on the remote machine and server_ip with the server’s IP address or hostname. For servers using a non-standard SSH port:

ssh -p 2222 username@server_ip

The -p flag specifies the port number configured on the remote server.

Connect with a Specific Key File

If you have multiple SSH keys or need to specify a particular key file:

ssh -i ~/.ssh/id_ed25519 username@server_ip

The -i flag specifies the private key file to use for authentication.

Transfer Files with SCP

Secure Copy Protocol (SCP) transfers files over SSH. To copy a local file to a remote server:

scp /path/to/local/file username@server_ip:/remote/directory/

To copy a file from the remote server to your local machine:

scp username@server_ip:/path/to/remote/file /local/directory/

For recursive directory transfers, add the -r flag:

scp -r /local/directory username@server_ip:/remote/path/

For servers using a custom SSH port, use the uppercase -P flag (note the difference from SSH’s lowercase -p):

scp -P 2222 file.txt username@server_ip:/remote/path/

Execute Commands Remotely

Run a single command on a remote server without entering an interactive session:

ssh username@server_ip 'df -h'

This executes df -h on the remote server and displays the output locally. The connection closes automatically after the command completes.

Create SSH Tunnels for Port Forwarding

SSH tunneling creates encrypted connections between local and remote ports, useful for accessing services that aren’t directly exposed to the network:

ssh -L 8080:localhost:80 username@server_ip

This command forwards local port 8080 to port 80 on the remote server. After connecting, you can access the remote service at http://localhost:8080 in your browser.

Understand SSH Host Key Fingerprints

SSH fingerprints protect against man-in-the-middle attacks by verifying the server’s identity. When you first connect to a server, SSH displays the host key fingerprint and asks you to verify it:

The authenticity of host 'server_ip (192.168.1.50)' can't be established.
ED25519 key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Before accepting, verify the fingerprint matches the server’s actual key by checking through a separate, trusted channel (direct console access, administrator confirmation, or documented fingerprint). To view your server’s SSH fingerprint:

ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub

Expected output showing the fingerprint you should verify:

256 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx root@hostname (ED25519)

Once accepted, the fingerprint is stored in ~/.ssh/known_hosts. If the server’s fingerprint ever changes (which could indicate a man-in-the-middle attack or legitimate server reinstallation), SSH displays a prominent warning and refuses to connect until you investigate and update the stored fingerprint.

To view stored fingerprints:

cat ~/.ssh/known_hosts

Troubleshoot SSH Connection Issues

When SSH connections fail, systematic troubleshooting helps identify the root cause quickly. Start with the service status, then check network connectivity and authentication.

Connection Refused Error

If you receive “Connection refused” when connecting:

ssh: connect to host 192.168.1.50 port 22: Connection refused

This indicates the SSH service is not running or the firewall is blocking the port. First, verify SSH is listening:

sudo ss -tlnp | grep :22

If no output appears, start the SSH service:

On Linux Mint 22.x:

sudo systemctl start ssh.socket

On Linux Mint 21.x:

sudo systemctl start ssh

If SSH is running but connections still fail, check UFW:

sudo ufw status
sudo ufw allow ssh

Permission Denied (Publickey) Error

This error appears when key-based authentication fails:

Permission denied (publickey).

Verify your key permissions on the client machine. Private keys must be readable only by you:

ls -la ~/.ssh/

Expected permissions:

drwx------  2 user user 4096 Jan  2 10:00 .
-rw-------  1 user user  419 Jan  2 10:00 id_ed25519
-rw-r--r--  1 user user  105 Jan  2 10:00 id_ed25519.pub

Fix incorrect permissions using chmod:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

On the server, check that your public key exists in ~/.ssh/authorized_keys and that the directory has correct permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Review Authentication Logs

Check the server’s authentication log for detailed error messages. The tail command shows the most recent entries:

sudo tail -50 /var/log/auth.log | grep ssh

Common log entries and their meanings:

Failed password for user from 192.168.1.50 port 54321 ssh2

This indicates incorrect password attempts. If you see many failed attempts from unknown IPs, consider installing Fail2ban to automatically block repeat offenders.

Host Key Verification Failed

If the server’s host key changed (or you reinstalled the server), SSH refuses to connect:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

If you know the key change is legitimate (server reinstall, new SSH keys), remove the old entry:

ssh-keygen -R server_ip

Then reconnect and verify the new fingerprint through a trusted channel before accepting.

Remove OpenSSH from Linux Mint

If you no longer need the SSH server, remove the packages and clean up configuration files.

Uninstall OpenSSH Server

Remove the OpenSSH server package while keeping the client for outbound connections:

sudo apt remove openssh-server

To remove the package along with its configuration files:

sudo apt purge openssh-server

Remove orphaned dependencies that were installed alongside OpenSSH:

sudo apt autoremove

Remove SSH Configuration and Keys

To remove only the server host keys (preserves your custom sshd_config if you kept it):

sudo rm /etc/ssh/ssh_host_*

For a complete reset, remove all system-wide SSH configuration:

This command permanently deletes the entire /etc/ssh directory, including sshd_config and all host keys. Back up any custom configurations before proceeding. If you reinstall OpenSSH later, new host keys will be generated and clients that previously connected will need to accept the new fingerprint.

sudo rm -rf /etc/ssh

Remove UFW SSH Rules

If you added firewall rules for SSH, remove them:

sudo ufw delete allow ssh

If you used a custom port:

sudo ufw delete allow 2222/tcp

Verify Removal

Confirm OpenSSH is no longer installed:

dpkg -l | grep openssh

If the package was properly purged, this command returns no output. If you see entries marked rc (removed but config files remain), run the purge command again to complete removal.

Conclusion

OpenSSH provides the foundation for secure remote access to your Linux Mint system through encrypted connections. This guide covered server installation, security hardening with disabled root login, login attempt limits, key-based authentication, and UFW firewall configuration. Linux Mint 22 uses socket-based activation requiring daemon reloads and socket restarts for port changes, while Linux Mint 21 uses traditional service restarts. Your Linux Mint system now accepts hardened SSH connections for secure administration, file transfers via SCP, and remote command execution.

Relevant Links

Explore the following resources for additional information about OpenSSH.

• OpenSSH Official Website: Comprehensive details about OpenSSH features and security updates.
• OpenSSH Portable GitHub Repository: Source code, development updates, and contribution opportunities.
• Official OpenSSH Manual: In-depth documentation for sshd, ssh, scp, and related tools.