SSH Commands

SSH commands for managing the OpenSSH server
This is intended for Linux with systemd, specifically Ubuntu Server.

Table of Contents

• Restarting the SSH Service
• Stopping the SSH Service
• View SSH Status and Current State
• Enable SSH to Start on Boot
• Disable SSH From Starting on Boot
• Managing Authentication Methods for SSH
  • Applying Changes to sshd_config

Restarting the SSH Service

SSH needs to be restarted after any changes to /etc/ssh/sshd_config.
Restart SSH with systemd with the command:

sudo systemctl restart sshd

SSH can also be restarted using System V. Init scripts:

sudo /etc/init.d/ssh restart

Stopping the SSH Service

SSH can be stopped with service:

sudo service ssh stop

View SSH Status and Current State

You can view the current status of SSH with systemd:

sudo systemctl status ssh

This will output the current status of SSH, including:

• Loaded
• Active
• Docs (man pages)
• Process
• Main PID (the process ID)
• Tasks
• Cgroup

Enable SSH to Start on Boot

If you want the SSH service to start up when the system boots, and it does not do this by default, this behavior can be enabled.
To enable this, start the SSH service using systemd:

sudo systemctl enable ssh

The output should look something like this:

Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.se

Disable SSH From Starting on Boot

If you don't want the SSH service to start up when the system boots, this behavior can be disabled.

sudo systemctl disable ssh

The output should look something like this:

Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable ssh
Removed /etc/systemd/system/multi-user.target.wants/ssh.service.
Removed /etc/systemd/system/sshd.service.

Managing Authentication Methods for SSH

Also see hardening_ssh

To manage SSH authentication methods, we need edit the server's SSH configuration file, which is located at /etc/ssh/sshd_config.

• Open /etc/ssh/sshd_config as root (sudo):

  sudo vi /etc/ssh/sshd_config
  

  • sudo is required. This file requires root access to write to.

There are a number of settings here, most of them are in there by default (mostly commented out).

• PermitRootLogin: This decides whether or not to allow direct root logins via SSH.

  • It's generally unsafe to have this enabled.

  • Uncomment it and change to no:

    PermitRootLogin no
    

  • This will prevent the root user from logging in via SSH.

• PasswordAuthentication: Decides whether or not to allow SSH logins with passwords.

  • Disable this if you want key-based authentication only:
    

    PasswordAuthentication no
    

  • This will disable password authentication.

• AuthorizedKeysFile: Where SSH will look for key-based authentication.

  • It should look like this:

    AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
    

  • You can add more files to the list if you want to.

• AuthenticationMethods: The methods of authentication that are accepted.

  • For key-based authentication, you'll want this set to publickey:

    AuthenticationMethods publickey
    

Applying Changes to sshd_config

Reload any changes to SSH with systemctl:

sudo systemctl restart ssh

AllowGroups / DenyGroups

We can configure AllowGroups to work with local and remote groups (e.g., groups through Active Directory).

sudo vi /etc/ssh/sshd_config

Then add a line that matches the group name.

AllowGroups ssh_users

Adding this will only allow users in the ssh_users group (local or from AD) to SSH in. All other users will be rejected.

You can also specify multiple group names on the same line.

AllowGroups ssh_users admins ops_team

If you need to explicitly block users from certain groups, use the DenyGroups directive.

DenyGroups blocked_users

NOTE: Any user part of a group in DenyGroups will always be blocked, regardless of whether or not they're in a group specified in AllowGroup.

You can also use Match blocks with group names to set rules for these groups.

Match Group ssh_users
    PasswordAuthentication no
    PubkeyAuthentication yes

---

Side note: If filtering out users through AD, you can also filter out unwanted users through /etc/sssd/sssd.conf.

[domain/YOUR.DOMAIN]
access_provider = simple
simple_allow_groups = ssh_users

Or:

[domain/YOUR.DOMAIN]
access_provider = ldap
ldap_access_filter = (memberOf=cn=ssh_users,ou=Groups,dc=your,dc=domain)

Remapping Port on SELinux

If you happen to change the Port option in your sshd_config file, and the system has SELinux enabled, you will need to add the port to the SELinux context.

You will likely also need to add a firewall rule.

If you changed the port to 2222 on a server with SELinux:

perl -pi -e 's/^#?(Port )\d+/$1 2222/' /etc/ssh/sshd_config # or edit with vi
systemctl restart sshd

You'll need the semanage tool to add the port to SELinux. This is provided by the policycoreutils-python-utils package.

dnf install -y policycoreutils-python-utils  # Install the semanage util
semanage port -a -t ssh_port_t -p tcp 2222   # Add port 2222 as SSH port
systemctl restart sshd

To add the port to firewalld:

firewall-cmd --permanent --add-port 2222 # Make it persistent
firewall-cmd --reload