Secure Shell (SSH) is the standard protocol for secure remote server access, encrypting all data transmitted between client and server to prevent eavesdropping and interception. It supports multiple authentication methods (password, public key, host-based), enables secure port forwarding to tunnel other protocols, and maintains data integrity throughout transmission. SSH works seamlessly across different operating systems and devices, making it essential for system administrators who need to execute commands remotely, transfer files securely via SFTP or SCP, and manage servers efficiently.
This guide walks through installing and configuring OpenSSH across supported Ubuntu releases, from refreshing repositories to hardening authentication and configuring the firewall. It also explains how to handle the socket-based activation that Ubuntu 24.04 LTS introduced while keeping older daemon-based releases properly managed.
Update Ubuntu Before SSH Installation
Before installing SSH, it is crucial to update your Ubuntu system’s package list and upgrade the existing packages. This step ensures that your system is up-to-date and prevents potential conflicts during the installation.
Execute the following command in the terminal (press Ctrl + Alt + T or search for “Terminal” in the application menu if you need to open it):
sudo apt update && sudo apt upgrade
This command first updates the list of available packages and then upgrades the installed packages to their latest versions.
Install SSH via APT Command
After updating your system, proceed to install the OpenSSH server and client. OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client-server architecture.
Use APT (Advanced Package Tool, Ubuntu’s package manager similar to Windows Update) to manage these packages.
Most Ubuntu Server images include OpenSSH server by default, while Ubuntu Desktop only ships the client binary. Confirm that at least the client portion is available on your workstation:
ssh -V
The version output confirms the client is installed, but you still need the server component to accept incoming connections. Install (or reinstall) both packages with APT; the command is safe to run even when the packages already exist because APT simply verifies and refreshes them:
sudo apt install openssh-server openssh-client
The openssh-server component allows your Ubuntu machine to accept SSH connections while the openssh-client enables it to initiate SSH connections to other machines.
Verify OpenSSH Installation
Post-installation, confirm that systemd is managing the OpenSSH service properly. Socket activation handles SSH connections on Ubuntu 24.04 and newer, while earlier releases run a persistent daemon.
On Ubuntu 24.04 and later:
sudo systemctl status ssh.socket
For Ubuntu 22.04 and 20.04:
sudo systemctl status ssh
The status output confirms that systemd is listening for incoming SSH connections and shows whether the service starts automatically at boot.
Configure SSH on Ubuntu After Installation
Understanding Ubuntu 24.04+ Socket Activation Changes
Starting with Ubuntu 24.04 LTS, OpenSSH uses systemd socket-based activation. A systemd generator (an early-boot script that dynamically creates unit drop-ins) mirrors Port and ListenAddress directives from /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/ into ssh.socket so systemd listens on the same interfaces that sshd expects. Older Ubuntu releases simply start ssh.service at boot and do not rely on socket activation.
The practical impact is that when you change Port or ListenAddress directives on Ubuntu 24.04+, you must run systemctl daemon-reload to regenerate the socket drop-ins, then restart both the socket and the service. Other configuration updates can be applied with a reload after the service has started. Ubuntu 22.04 and 20.04 only require restarting the SSH service because no socket unit is involved. OpenSSH still reads /etc/ssh/sshd_config directly on every Ubuntu release, but Ubuntu 24.04 adds socket coordination and removes the package’s libsystemd dependency as an additional hardening step inspired by the XZ-utils supply-chain incident. Expect ssh.service to appear inactive until the first connection because ssh.socket activates it on demand.
Adjust SSH Configuration Settings
The primary SSH configuration file lives at /etc/ssh/sshd_config across all Ubuntu versions. While the default settings provide solid security, you can customize port numbers, authentication methods, login restrictions, and connection limits to match your specific requirements. Open the configuration file with your preferred text editor:
sudo nano /etc/ssh/sshd_config
Make all desired configuration changes in the sections below (port, authentication attempts, root login, etc.) before saving and closing the file. After completing all modifications, follow the version-specific restart instructions to apply your settings.
Change OpenSSH Port
Changing the default SSH port from 22 to a custom port reduces automated attack attempts targeting the standard port. Combined with login attempt restrictions and disabled root login, this hardens your server against brute-force attacks.
To change the SSH port, locate the Port line in the sshd_config file and set your preferred port number:
Port 2222
If UFW or another firewall already enforces rules, allow the new SSH port before restarting SSH to avoid locking yourself out of remote sessions. Run the second command below, which removes the old port 22 rule, only after you confirm the new port works.
sudo ufw allow 2222/tcp
sudo ufw delete allow ssh
After updating the port number, apply the changes using the appropriate commands for your Ubuntu version:
On Ubuntu 24.04 and later:
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
sudo systemctl restart ssh.service
Verify the socket is listening on the new port:
sudo systemctl status ssh.socket
sudo ss -tlnp | grep ssh
For Ubuntu 22.04 and 20.04:
sudo systemctl restart ssh
Verify the service is listening on the new port:
sudo ss -tlnp | grep ssh
Limit Login Attempts with SSH
Restricting the maximum authentication attempts per connection mitigates brute-force attacks by disconnecting clients that fail multiple login attempts. Locate the MaxAuthTries directive in your open sshd_config file and set a reasonable limit:
MaxAuthTries 3
Reload the service to apply this authentication limit without disconnecting active sessions:
sudo systemctl reload ssh
On Ubuntu 24.04 and later, make one SSH connection so socket activation starts ssh.service before you run the reload.
Disable SSH Root Login
Preventing direct root login via SSH forces attackers to compromise a regular user account before attempting privilege escalation, adding a critical security layer. Ensure you have a non-root user account with sudo privileges before disabling root login to avoid locking yourself out of the server.
Locate the PermitRootLogin directive in your open sshd_config file and set it to no:
PermitRootLogin no
After completing all configuration changes, save and close the file. Then reload the service to apply the settings without interrupting active sessions:
sudo systemctl reload ssh
Require SSH Key Authentication on Ubuntu
Key-based authentication removes password prompts and relies on public keys stored in ~/.ssh/authorized_keys. Keep an existing session open and confirm at least one sudo-capable user can sign in with a key before disabling passwords. Then set these directives in sshd_config:
PasswordAuthentication no
KbdInteractiveAuthentication no
To restrict SSH access even further, allow only specific users or groups (if you set both directives, an account must match both to log in):
AllowUsers alice deploy
AllowGroups sshusers
Reload the service to apply these non-port changes without disconnecting active sessions:
sudo systemctl reload ssh
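To confirm that the hardening directives above actually took effect, this added example (not part of the original guide) checks the output of sshd -T, which prints the effective configuration. sshd uses the first value it obtains for each keyword, and Ubuntu's sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in can override an edit made further down; the function name, the default port 2222 and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: audit sshd's effective settings
# against the values this guide sets. Input is `sshd -T` output on stdin
# (lowercase "keyword value" lines). Returns the number of findings.

audit_sshd() {
    want_port="${1:-2222}"   # assumption: the port used in this guide's example
    findings=0
    seen=" "
    while read -r key val; do
        ok=0
        case "$key" in
            port)
                want="$want_port"; [ "$val" = "$want" ] || ok=1 ;;
            maxauthtries)   # guide sets 3; accepting lower values is an assumption
                want="3 or lower"; [ "$val" -le 3 ] 2>/dev/null || ok=1 ;;
            permitrootlogin|passwordauthentication|kbdinteractiveauthentication)
                want="no"; [ "$val" = "no" ] || ok=1 ;;
            *) continue ;;
        esac
        seen="$seen$key "
        if [ "$ok" -ne 0 ]; then
            echo "FAIL $key is '$val', expected $want"
            findings=$((findings + 1))
        fi
    done
    # A keyword missing from the dump (empty or truncated input) is a finding,
    # so a failed `sshd -T` cannot pass as "hardened".
    for key in port maxauthtries permitrootlogin passwordauthentication \
               kbdinteractiveauthentication; do
        case "$seen" in
            *" $key "*) ;;
            *) echo "FAIL $key not present in input"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed `sshd -T` excerpt: every edit from this guide took effect except
# PasswordAuthentication, which a hypothetical drop-in file set first.
SAMPLE_EFFECTIVE='port 2222
maxauthtries 3
permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_EFFECTIVE" | audit_sshd 2222 || echo "findings: $?"
# Live host: sudo sshd -T | audit_sshd 2222
```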
Secure SSH with UFW Firewall Rules
The Uncomplicated Firewall (UFW) provides straightforward firewall management on Ubuntu. Configuring UFW rules for SSH ensures only authorized traffic reaches your SSH service, whether you use the default port or a custom one.
If UFW is not installed, add it with this command:
sudo apt install ufw
Allow incoming SSH connections on the default port:
sudo ufw allow ssh
For a custom port (adjust the port number to match your sshd_config setting):
sudo ufw allow 2222/tcp
To restrict SSH access to a specific IP address, specify the source IP in the rule (replace 203.0.113.10 with the client you want to allow):
sudo ufw allow from 203.0.113.10 to any port 22
Enable UFW if not already active:
sudo ufw enable
Verify your firewall rules:
sudo ufw status
Connecting to a Remote Server via SSH
Establish Basic SSH Connection
Connect to a remote server using SSH with the following command syntax:
ssh username@remote_server
Replace username with your account username and remote_server with the server’s hostname or IP address. The system will prompt you for your password to authenticate the connection.
Connect with Public Key Authentication
Public key authentication provides stronger security than password-based authentication by using cryptographic key pairs. This method eliminates password transmission over the network and enables automated connections without interactive prompts.
Create a new key pair with ssh-keygen if the ~/.ssh directory does not already contain one. Accept the default file path (~/.ssh/id_ed25519) or specify a custom location, then set a strong passphrase when prompted:
ssh-keygen -t ed25519
Copy the public key to the remote server so it is appended to ~/.ssh/authorized_keys. Replace username@remote_server with your actual SSH login:
ssh-copy-id username@remote_server
If ssh-copy-id is unavailable, manually upload the contents of ~/.ssh/id_ed25519.pub to the server using SFTP or any existing SSH session.
To connect using public key authentication, specify your private key file:
ssh -i /path/to/private_key username@remote_server
Replace /path/to/private_key with the actual path to your private key file (typically ~/.ssh/id_rsa or ~/.ssh/id_ed25519), username with your remote username, and remote_server with the server’s IP address or hostname.
Specify Custom SSH Port
When the remote server uses a non-standard SSH port, specify it with the -p flag:
ssh -p PORT_NUMBER username@remote_server
Replace PORT_NUMBER with the actual port configured on the remote server. For example, if the server listens on port 2222:
ssh -p 2222 username@remote_server
Transfer Files with SCP
Secure Copy Protocol (SCP) transfers files securely over SSH. To copy a local file to a remote server:
scp /path/to/local/file username@remote_server:/path/to/remote/directory
To copy a directory recursively, add the -r flag:
scp -r /path/to/local/directory username@remote_server:/path/to/remote/directory
For servers listening on a custom SSH port, specify it with the uppercase -P flag:
scp -P 2222 /path/to/local/file username@remote_server:/path/to/remote/directory
Execute Remote Commands
Run commands on a remote server without maintaining an interactive session:
ssh username@remote_server 'command_to_run'
For example, to check disk usage on the remote server:
ssh username@remote_server 'df -h'
Troubleshoot SSH on Ubuntu
When SSH connection or authentication issues occur, systematic troubleshooting helps identify the root cause. Start by checking the SSH service status, reviewing authentication logs, and verifying firewall rules.
Check the SSH service status on your Ubuntu version:
On Ubuntu 24.04 and later:
sudo systemctl status ssh.socket
sudo systemctl status ssh.service
Verify the socket is listening on the correct port:
sudo ss -tlnp | grep ssh
For Ubuntu 22.04 and 20.04:
sudo systemctl status ssh
Review authentication logs for error messages or failed login attempts:
sudo tail -f /var/log/auth.log
Common issues include incorrect firewall configuration blocking the SSH port, permission problems with SSH key files (should be 600 for private keys, 644 for public keys), and service user access restrictions. If you recently changed the SSH port, ensure your firewall rules allow traffic on the new port and that clients specify the correct port when connecting.
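This added example (not from the original guide) turns the auth.log review above into a per-address count of failed password logins; the function name and the sample log lines are constructed for illustration. It reads the source address from the end of each line because the username in a failed-login message is supplied by the client and may itself contain the word "from".

```shell
#!/bin/sh
# Added example: count failed SSH password logins per source address.
# Reads auth.log-style lines on stdin and prints
# "<failures> <failures_for_root> <ip>", busiest address first.

failed_ssh_by_ip() {
    awk '
    /sshd(-session)?\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
        # The message always ends "from <ip> port <n> ssh2". Usernames are
        # client-supplied, so take the address from the end of the line
        # rather than trusting the first "from" that appears.
        ip = $(NF-3)
        total[ip]++
        rest = substr($0, index($0, "Failed password for ") + 20)
        if (index(rest, "root from ") == 1) root[ip]++
    }
    END { for (ip in total) printf "%d %d %s\n", total[ip], root[ip], ip }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample lines using documentation addresses, not real traffic.
# The third line carries a username crafted to look like a source address.
SAMPLE_AUTH_LOG='Mar  3 10:15:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:15:03 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:15:09 web1 sshd[2107]: Failed password for invalid user a from 203.0.113.99 from 198.51.100.7 port 40031 ssh2
Mar  3 10:16:40 web1 sshd[2150]: Failed password for invalid user admin from 192.0.2.44 port 51514 ssh2
Mar  3 10:17:02 web1 sshd[2162]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:CONSTRUCTED'

printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip
# Live host: sudo cat /var/log/auth.log | failed_ssh_by_ip
```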

Conclusion
OpenSSH delivers secure remote server access through robust encryption, flexible authentication methods, and comprehensive configuration options. The installation process covers repository updates, package installation, and critical security hardening steps including custom ports, authentication attempt limits, disabled root login, and firewall rules. Ubuntu 24.04’s socket-based activation architecture requires daemon reloads and socket restarts when modifying ports or listen addresses, while other configuration changes can be reloaded after the service starts. Ubuntu 22.04 and 20.04 use traditional service restarts. Your Ubuntu server now runs a hardened SSH service ready for secure remote administration, file transfers, and command execution across your infrastructure.