How to Install SSH on Linux Mint 22 and 21

A Linux Mint system is easier to administer once SSH is installed, listening, and limited to the accounts, keys, and firewall rules you intend to allow. To install SSH on Linux Mint, add the openssh-server package; the OpenSSH client tools already handle outbound ssh, scp, and sftp connections on standard Mint systems.

The install uses Mint’s default APT packages, but the service check depends on the release. Linux Mint 22.x uses ssh.socket for incoming connections, while Linux Mint 21.x manages the persistent ssh.service daemon directly.

Install and Enable SSH on Linux Mint

These steps apply to Linux Mint 22.x and 21.x. The package name stays the same on both releases, but Mint 22 uses systemd socket activation for incoming SSH connections while Mint 21 runs a persistent SSH daemon, so verification and restart checks differ slightly.

Linux Mint Version	Ubuntu Base	SSH Service Behavior
Linux Mint 22.x (Wilma, Xia, Zara, Zena)	Ubuntu 24.04 LTS (noble)	Socket-activated with ssh.socket
Linux Mint 21.x (Vanessa, Vera, Victoria, Virginia)	Ubuntu 22.04 LTS (jammy)	Traditional daemon with ssh.service

Update Linux Mint Before Installing SSH

Refresh the package index and install any pending security fixes before you add the SSH server package.

sudo apt update && sudo apt upgrade

If your account cannot use sudo yet, set that up first with create and add users to sudoers on Linux Mint before you continue with the SSH server steps.

apt update refreshes the package index, and apt upgrade installs any pending updates that could otherwise get in the way of the SSH setup.

Install the SSH Server Package with APT

Install openssh-server when this Mint machine should accept inbound SSH logins. Do not look for a separate sshd package; sshd is the daemon binary provided by the server package.

sudo apt install openssh-server

The installation creates SSH host keys, installs the SFTP server component, and enables the release-appropriate systemd unit. Manage the service as ssh.socket on Mint 22.x and ssh.service on Mint 21.x; sshd.service is not the primary unit name for this Mint workflow.

Verify SSH on Linux Mint 22.x

On Linux Mint 22.x, verify the socket first. A connected or recently restarted system can also show ssh.service as active, but the socket is the listener that must stay enabled for inbound connections.

systemctl is-active ssh.socket
systemctl is-enabled ssh.socket

Expected output:

active
enabled

Confirm that systemd is listening on the SSH port:

ss -H -tln 'sport = :22'

Relevant output includes both IPv4 and IPv6 listeners on port 22:

LISTEN 0      4096   0.0.0.0:22 0.0.0.0:*
LISTEN 0      4096      [::]:22    [::]:*

Verify SSH on Linux Mint 21.x

On Linux Mint 21.x, the traditional service unit should be active and enabled:

systemctl is-active ssh.service
systemctl is-enabled ssh.service

Expected output:

active
enabled

Confirm the daemon is listening on port 22:

ss -H -tln 'sport = :22'

Relevant output includes:

LISTEN 0      128    0.0.0.0:22 0.0.0.0:*
LISTEN 0      128       [::]:22    [::]:*

Test a Local SSH Login on Linux Mint

A quick localhost test confirms that SSH is enabled on the Mint machine before you move on to another client.

ssh localhost

On the first connection, OpenSSH prompts you to accept the host key and then asks for your account password if password login is still enabled.

After you accept the host key and authenticate successfully, type exit to close the test session.

Configure SSH Security Settings on Linux Mint

Treat the SSH server configuration as remote-access policy. The primary file, /etc/ssh/sshd_config, controls who can log in and which authentication methods are accepted. On Mint 21.x it also controls the listener port directly; on Mint 22.x, the socket unit can own that listener.

Open the file with an editor that preserves plain text configuration:

sudo nano /etc/ssh/sshd_config

Test the configuration syntax before restarting SSH. The full path avoids shell-path differences for normal users:

sudo /usr/sbin/sshd -t

No output means the syntax check passed. If the command reports a file and line number, fix that error before applying changes so a broken configuration does not lock out remote access.

Disable Root SSH Login

Preventing direct root login over SSH keeps administration tied to named user accounts. Before making this change, confirm that at least one regular account on the system can already use sudo.

Locate the PermitRootLogin directive in your configuration file. The default line is commented:

#PermitRootLogin prohibit-password

Uncomment and change it to:

PermitRootLogin no

This setting prevents the root user from logging in over SSH, regardless of authentication method.

Restrict SSH Access to Specific Users

By default, OpenSSH permits remote access to local accounts that can authenticate successfully. To limit SSH access to specific accounts, add the AllowUsers directive at the end of the configuration file:

AllowUsers your_username

Replace your_username with your actual username. For multiple users, separate them with spaces:

AllowUsers alice bob deploy

This setting explicitly defines who can access your system via SSH, denying all other accounts even if they have valid passwords.

Enable SSH Key-Based Authentication

Key-based authentication reduces password-guessing exposure by requiring a private key on the client and a matching public key on the Mint system.

Before disabling password authentication, generate a key pair on your client machine and copy the public key to your Mint system. Ed25519 is a good default for new keys:

ssh-keygen -t ed25519

Press Enter to accept the default file path, ~/.ssh/id_ed25519, and set a strong passphrase when prompted. Then copy the public key to your Linux Mint system:

ssh-copy-id username@your_server_ip

After verifying key login in a separate terminal, disable password authentication by locating or adding these directives in sshd_config:

PasswordAuthentication no
KbdInteractiveAuthentication no

Keep an existing SSH session open while testing key authentication in a new terminal. If key-based login fails, you can still access the server through the original session to fix the configuration.

Limit SSH Authentication Attempts

Restricting failed login attempts per connection disconnects clients after too many authentication failures. Locate the MaxAuthTries directive and set a reasonable limit:

MaxAuthTries 3

This setting limits authentication attempts per connection to three. Pair it with a log-based blocker such as Fail2Ban if the system accepts SSH from networks you do not fully control.

Change the Default SSH Port

Changing the default SSH port from 22 can reduce automated scanner noise, but it is not a substitute for keys, account restrictions, or a correct firewall rule.

On Linux Mint 21.x, the persistent SSH service reads the port from sshd_config. Locate the Port directive and set a custom port number between 1024 and 65535:

Port 2222

On Linux Mint 22.x, ssh.socket owns the listening port. Change the systemd socket listener instead of relying only on Port in sshd_config:

sudo systemctl edit ssh.socket

Add this override, replacing 2222 with your chosen port. The blank ListenStream= line clears the default port 22 listeners before adding the new IPv4 and IPv6 listeners.

[Socket]
ListenStream=
ListenStream=0.0.0.0:2222
ListenStream=[::]:2222

Before restarting SSH with a new port, update your firewall rules to allow the new port. Otherwise, you will lock yourself out of remote sessions. Add the new port rule first, test the connection, then remove the old port 22 rule.

Apply SSH Configuration Changes on Linux Mint

After saving sshd_config changes or a systemd socket override, apply the matching restart path for your Mint release. Run sudo /usr/sbin/sshd -t before service restarts when you changed sshd_config. Keep your current SSH session open and test a new login before disconnecting.

On Linux Mint 22.x (socket-activated):

If you changed the socket listener, reload systemd and restart ssh.socket so the listener picks up the new port:

sudo systemctl daemon-reload
sudo systemctl restart ssh.socket

For authentication-only changes such as root login, password authentication, or MaxAuthTries, restart the service after the syntax check passes:

sudo systemctl restart ssh

On Linux Mint 21.x (traditional daemon):

sudo systemctl restart ssh

Verify the listener after the restart. Replace :2222 with :22 if you kept the default port:

ss -H -tln 'sport = :2222'

If the command prints no listener, recheck the Port value on Mint 21.x or the ListenStream override on Mint 22.x, then restart the correct unit for your Mint release. Run sudo /usr/sbin/sshd -t again when the failed change involved sshd_config.

Configure UFW Firewall Rules for SSH

UFW is optional on Linux Mint, but the order matters if you enable it after turning on SSH. Allow the SSH rule first, verify it, and only then enable or tighten the firewall.

Allow SSH Before Enabling UFW

If UFW is not already installed, add it with APT:

sudo apt install ufw

Add the SSH allow rule before enabling UFW, especially over a remote session. Keep your current SSH connection open, then test a second connection after UFW is active.

The OpenSSH server package provides an OpenSSH UFW profile for port 22/tcp. Allow that profile when SSH still uses the default port:

sudo ufw allow OpenSSH

If you configured a custom SSH port, allow that TCP port instead:

sudo ufw allow 2222/tcp

Enable UFW only after the SSH allow rule exists:

sudo ufw enable

UFW may ask for confirmation because enabling a firewall can disrupt existing connections. Confirm only after the SSH rule is in place.

Verify and Restrict UFW SSH Rules

Check the current firewall status and rule numbers before you make further changes:

sudo ufw status numbered

For a default-port rule, the output should show an allow rule for OpenSSH or 22/tcp. If you want SSH reachable only from a known client address, add a source-restricted TCP rule:

sudo ufw allow from 192.168.1.100 to any port 22 proto tcp

Replace 192.168.1.100 with the client IP address you want to grant access. A source-restricted rule does not replace a broader allow rule automatically, so test the restricted connection before deleting the broader rule.

To delete a broader rule by number, use the number from sudo ufw status numbered. Rule numbers can change after each deletion, so recheck the numbered list before deleting another rule:

sudo ufw delete 1

UFW prompts for confirmation before removing the rule. Always verify your SSH access rule remains in place before disconnecting from an active session.

Use SSH Client Commands from Linux Mint

Once the server is live, these client-side examples work from any machine that already has the OpenSSH client installed, including another Linux Mint system. For a broader option reference after setup, see the ssh command in Linux guide.

Establish a Basic SSH Connection from Linux Mint

Connect to a remote server using the standard SSH command syntax:

ssh username@server_ip

Replace username with your account on the remote machine and server_ip with the server’s IP address or hostname. For servers using a non-standard SSH port:

ssh -p 2222 username@server_ip

The -p flag specifies the port number configured on the remote server.

Connect with a Specific SSH Key File

If you have multiple SSH keys or need to specify a particular key file:

ssh -i ~/.ssh/id_ed25519 username@server_ip

The -i flag specifies the private key file to use for authentication.

Transfer Files with SCP over SSH

Secure Copy Protocol (SCP) transfers files over SSH. To copy a local file to a remote server:

scp /path/to/local/file username@server_ip:/remote/directory/

To copy a file from the remote server to your local machine:

scp username@server_ip:/path/to/remote/file /local/directory/

For recursive directory transfers, add the -r flag:

scp -r /local/directory username@server_ip:/remote/path/

For servers using a custom SSH port, use the uppercase -P flag (note the difference from SSH’s lowercase -p):

scp -P 2222 file.txt username@server_ip:/remote/path/

Execute Remote Commands with SSH

Run a single command on a remote server without opening an interactive shell:

ssh username@server_ip 'df -h'

The remote shell runs df -h, prints the output locally, and then closes the connection.

Create SSH Port Forwarding Tunnels

SSH tunneling maps a local port to a service reachable from the remote SSH server, which is useful for private web tools or admin panels that should not listen publicly:

ssh -L 8080:localhost:80 username@server_ip

After connecting, local port 8080 forwards to port 80 from the remote server’s point of view, so the service is available at http://localhost:8080 in your browser.

Verify SSH Host Key Fingerprints

SSH fingerprints protect against man-in-the-middle attacks by verifying the server’s identity. Before accepting a first-connection prompt, compare the displayed fingerprint with the server’s actual host key through a trusted channel such as local console access or administrator-provided documentation.

Print the server’s ED25519 host key fingerprint on the Mint system:

ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub

Compare the SHA256: value with the fingerprint shown by the client. Once accepted, the fingerprint is stored in ~/.ssh/known_hosts. If the server’s fingerprint changes later, SSH refuses the connection until you investigate whether the change is legitimate.

Display the stored fingerprint for a known host from the client machine:

ssh-keygen -F server_ip -l

Troubleshoot SSH Connection Issues on Linux Mint

When SSH connections fail, start with the layer that can be checked safely: listener state, firewall rules, authentication files, then logs. Apply fixes only after the diagnostic points to that layer.

Fix SSH Connection Refused Errors

If you receive “Connection refused” when connecting:

ssh: connect to host 192.168.1.50 port 22: Connection refused

This means the target host rejected the TCP connection. First, verify that SSH is listening on the expected port; replace :22 with your custom port if you changed it:

ss -H -tln 'sport = :22'

If no output appears, start the SSH service:

On Linux Mint 22.x:

sudo systemctl start ssh.socket

On Linux Mint 21.x:

sudo systemctl start ssh

Retest from the client after starting the listener:

ssh username@server_ip

If SSH is listening but connections still fail, check UFW:

sudo ufw status

If the SSH rule is missing, add the one that matches your SSH port. Use the OpenSSH profile for the default port, or the custom TCP port if you changed it:

sudo ufw allow OpenSSH

sudo ufw allow 2222/tcp

Fix SSH Permission Denied (Publickey) Errors

This error appears when the server does not accept the key the client offered:

Permission denied (publickey).

Verify key permissions on the client machine. Private keys must be readable only by your account:

ls -ld ~/.ssh ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub

Relevant permissions include:

drwx------  2 user user 4096 Jan  2 10:00 /home/user/.ssh
-rw-------  1 user user  419 Jan  2 10:00 /home/user/.ssh/id_ed25519
-rw-r--r--  1 user user  105 Jan  2 10:00 /home/user/.ssh/id_ed25519.pub

Fix incorrect permissions using chmod:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

On the Mint system, check that your public key file exists and has restrictive permissions:

ls -ld ~/.ssh ~/.ssh/authorized_keys

If the file is present but SSH still rejects the key, fix the server-side permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Review SSH Authentication Logs

Check the server’s authentication log when the listener and file permissions look correct. The tail command keeps the log review focused on recent entries:

sudo tail -n 50 /var/log/auth.log | grep -i sshd

Look for messages such as failed passwords, rejected public keys, invalid users, or disallowed accounts. If you see repeated attempts from unfamiliar networks, pair SSH hardening with a log-based blocker such as Fail2Ban.

Fix SSH Host Key Verification Errors

If the server’s host key changed (or you reinstalled the server), SSH refuses to connect:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

If you know the key change is legitimate (server reinstall, new SSH keys), remove the old entry:

ssh-keygen -R server_ip

Then reconnect and verify the new fingerprint through a trusted channel before accepting.

Remove SSH Server from Linux Mint

If you no longer need inbound SSH access, remove the server package and keep the OpenSSH client installed for outbound connections unless you want to remove that separately.

Remove the OpenSSH Server Package

Remove the server package when you no longer want the Mint system to accept inbound SSH logins:

sudo apt remove openssh-server

After removal, review the optional autoremove transaction before accepting it. On a typical Mint SSH server install, APT may propose helper packages such as openssh-sftp-server, ssh-import-id, and ncurses-term when nothing else still needs them.

sudo apt autoremove

If you also want APT to delete package-managed SSH server configuration files, use the purge variant instead:

sudo apt purge openssh-server

Remove Leftover OpenSSH Server Files

Do not delete /etc/ssh wholesale. That directory also stores the client configuration from openssh-client. Instead, check whether any server-only host keys are still present after the package removal:

sudo find /etc/ssh -maxdepth 1 -type f -name 'ssh_host_*' 2>/dev/null

If that check still prints host keys you no longer want, remove only those server host key files.

Deleting SSH host keys changes the server identity shown to clients. Back up keys first if existing clients still trust this machine or if you may reinstall the server later.

Remove the host keys only after the backup and review are complete:

sudo rm -f -- /etc/ssh/ssh_host_*

Review anything under /etc/ssh/sshd_config.d/ manually before deleting it, and leave /etc/ssh/ssh_config in place unless you intentionally want to remove the client package too.

Remove UFW Rules for SSH

If you added the default OpenSSH UFW profile rule, remove that exact rule:

sudo ufw delete allow OpenSSH

If you used a custom port:

sudo ufw delete allow 2222/tcp

Verify the OpenSSH Server Removal

Use dpkg-query to confirm that the server package is no longer installed. A status starting with ii means it is still installed, rc means only residual configuration remains, and no dpkg record appears after a full purge.

dpkg-query -W -f='${db:Status-Abbrev} ${binary:Package}\n' openssh-server 2>/dev/null || echo "no dpkg record"

If the output starts with ii, rerun the remove command. If it starts with rc and you want package-managed configuration removed, run the purge command.

Conclusion

SSH is installed on Linux Mint with the server package, listener checks, firewall rules, and safer login policy in place. Mint 22 centers service management on ssh.socket, while Mint 21 still relies on ssh.service. For tighter admin access, create and add users to sudoers on Linux Mint, or revisit client options in the ssh command in Linux reference.