ssh, or Secure Shell, is a network protocol that lets you use various network services remotely and securely over an untrusted network. Several different operations can be performed over the ssh protocol. The most common are logging in to a remote machine to get an interactive shell and transferring files to or from it over the network.
In order to use the secure shell, the ssh service must be running on the remote machine and you need an ssh client on the local one. Let's see how you can enable the ssh network service on a Linux machine. The name ssh is usually used both for the protocol and for the client program, while sshd refers to the server side of the connection, the daemon that provides the network service.
Enabling ssh access means starting the ssh daemon process (sshd) on the Linux machine. This is no different from running any other service on the machine. You can list the currently running services, or query this one directly with systemctl status, to check whether it is already running.
enable ssh network service
On most modern machines you will be using systemctl to start and stop services, and you do the same with the sshd service. Note that systemctl has two distinct verbs here: start launches the daemon right now, while enable makes it start on every boot (enable --now does both). Run the following as the super user or root to start it. On Debian and Ubuntu the unit is named ssh.service rather than sshd.service, so substitute that name if sshd.service is not found.
bash$ systemctl start sshd.service
disable ssh network service
You use the same command with stop to halt the running daemon, and with disable to keep it from starting at boot; stop alone leaves it enabled for the next reboot. You can also use systemctl to restart the service, for example after changing its configuration.
bash$ systemctl stop sshd.service
bash$ systemctl restart sshd.service
enable ssh root login
As you know, the root or super user has elevated privileges on the machine. Although it is always a security risk, sometimes you need to enable root login over ssh. This means the super user can log in and perform network operations through the secure shell just like any other user.
The ssh daemon is configured through the file /etc/ssh/sshd_config. The option that controls root access is named PermitRootLogin. Since OpenSSH 7.0 its built-in default is prohibit-password, which lets root in with a key but not with a password; older releases defaulted to yes, and many distributions ship a sshd_config that sets the value explicitly, so check the file on your machine rather than assuming.
You can set it explicitly to one of the permitted values for the option. Remember to reload or restart the service after modifying the config file; running sshd -t first checks the file for syntax errors so that a typo does not lock you out of the next session.
- yes : this turns on all authentication types for root. Root will be able to use password authentication at the prompt, public key authentication, or any other auth method configured on your machine.
- prohibit-password (formerly without-password, which is still accepted as an alias) : password and keyboard-interactive authentication are disabled for root, so root must authenticate by some other method, most commonly a public key. This is considered much safer than the 'yes' option.
- forced-commands-only : similar to prohibit-password, but public key authentication for root is accepted only when the key's entry in authorized_keys carries a command= option, so root can run only that fixed command and nothing else. This is a much stricter option than the previous one.
disable ssh root login
As mentioned before, enabling root access is a security risk, so most network admins prefer to disable direct login for the super user altogether. In the rare case where you do want root access, use one of the two options mentioned above that is not 'yes'.
In addition to the values in the previous section, you can set PermitRootLogin to 'no'. This disables ssh login for root entirely, whatever authentication method is used.
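The edit-check-reload procedure from the sections above, as an added shell example that is not part of the original page or of OpenSSH. It assumes a POSIX sh with awk and mktemp, and directives written in the "Keyword value" form rather than "Keyword=value". The helpers set_sshd_option, get_sshd_option, apply_sshd_config and disable_root_login_demo are names chosen here for illustration. The point a practitioner usually trips over is that sshd honours only the first occurrence of a keyword, so appending "PermitRootLogin no" to a file that already says "yes" higher up changes nothing; the helper rewrites the first copy instead and keeps the global setting ahead of any Match block.

```bash
#!/bin/sh
# Added example (not from the original page): edit a directive in an
# sshd_config file, syntax-check the result, and reload sshd.
# Assumptions: POSIX sh, awk, mktemp; "Keyword value" syntax only.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first active or commented-out copy of KEY, drops later global
# copies (sshd would ignore them anyway), and leaves lines inside a Match
# block untouched, since there the directive is conditional, not global.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # strip indent and a leading "#"
            n = split(line, f, " ")
            kw = (n > 0) ? tolower(f[1]) : ""
            if (kw == "match" && !in_match) {
                in_match = 1                      # everything below is conditional
                if (!found) { print key " " value; found = 1 }
            }
            if (!in_match && kw == tolower(key)) {
                if (!found) { print key " " value; found = 1 }
                next                              # drop duplicates and commented copies
            }
            print
        }
        END { if (!found) print key " " value }   # absent everywhere: append
    ' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"          # overwrite in place to keep owner and mode
}

# get_sshd_option FILE KEY
# Prints the effective global value: the first active occurrence before any
# Match block. Prints nothing if unset (the built-in default then applies).
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# apply_sshd_config [FILE]
# Syntax-check before reloading so a typo cannot lock you out; reload (SIGHUP)
# re-reads the config without dropping existing sessions. Needs root. Keep your
# current session open and test a fresh login before closing it.
apply_sshd_config() {
    local file=${1:-/etc/ssh/sshd_config}
    if ! sshd -t -f "$file"; then
        echo "$file has errors; not reloading sshd" >&2
        return 1
    fi
    systemctl reload sshd.service     # ssh.service on Debian/Ubuntu
}

# disable_root_login_demo
# Runs the edit on a constructed copy of a stock-looking sshd_config (not a
# real system file) and prints the path of the result.
disable_root_login_demo() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample modelled on a stock sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" AllowGroups sshusers
    echo "$f"
}

# On a real host, as root:
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no && apply_sshd_config
```

After the demo the sample reads "PermitRootLogin no" once in the global section, the old "yes" line is gone, "AllowGroups sshusers" sits just above the Match line, and the conditional "PermitRootLogin no" inside the Match block is untouched.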
enable ssh for specific users
Sometimes you want to allow access only to certain users and not to every user on the system. The exact requirement varies from use case to use case. You have the option of either allowing specific users or denying specific users. If you have a lot of users to allow or deny, it is better to use user groups.
enable by login
If you want to allow only certain users, by login name, use the AllowUsers option in the config file. As soon as AllowUsers is set, every user not listed is refused, so add your own account before reloading. Entries are patterns, so the * and ? wildcards work, and an entry of the form user@host restricts that user to connections from a particular host. The following example allows access only to users with login tom, harry or susan.
AllowUsers tom harry susan
If you want to deny by login, use the DenyUsers option in the config file. DenyUsers is checked before AllowUsers, so a user listed in both is denied.
DenyUsers harry susan joe
enable by user groups
Allowing access by user name can be quite cumbersome if you have a lot of users. Keeping a long list of names in the config file is tedious and error prone. Instead of login names you can use user groups to manage access to the sshd service.
Equivalent to the options for users, you can use the AllowGroups and DenyGroups config options; they match against any of the groups the user belongs to. sshd evaluates all four directives in a fixed order: DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and the first one that rejects the user wins.
I recommend creating a dedicated user group such as ssh or remote and allowing only members of that group to access the sshd service. You then add users to and remove users from that group to manage access. Because sshd checks group membership at login time, changes to the group take effect for new connections without reloading the service; only edits to sshd_config itself need a reload.
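The evaluation order described above, as an added shell example that is not part of the original page or of OpenSSH. It models how sshd applies DenyUsers, AllowUsers, DenyGroups and AllowGroups, in that order, so you can predict who gets in before you reload the daemon. It assumes a POSIX sh; the * and ? wildcards are honoured, but the user@host form is not modelled. The functions ssh_access_allowed and list_matches, and the sample users and groups, are constructed here for illustration.

```bash
#!/bin/sh
# Added example (not from the original page): a model of sshd's allow/deny
# evaluation order. Assumptions: POSIX sh; user@host patterns not modelled.
set -eu
set -f   # keep * and ? in the directive lists from expanding to file names

# list_matches NAME "PATTERN ..."  -> 0 if NAME matches any pattern in the list
list_matches() {
    local name=$1 p
    for p in $2; do
        case $name in $p) return 0 ;; esac
    done
    return 1
}

# ssh_access_allowed USER "GROUPS" "DenyUsers" "AllowUsers" "DenyGroups" "AllowGroups"
# Prints the verdict and returns 0 (allowed) or 1 (denied). An empty Allow*
# list means the directive is unset and imposes nothing; a non-empty one
# refuses everybody it does not match.
ssh_access_allowed() {
    local user=$1 groups=$2 deny_users=$3 allow_users=$4 deny_groups=$5 allow_groups=$6 g
    # 1. DenyUsers is checked first: a match here cannot be overridden below.
    if list_matches "$user" "$deny_users"; then
        echo "denied: DenyUsers"; return 1
    fi
    # 2. AllowUsers, if set, must match the login name.
    if [ -n "$allow_users" ] && ! list_matches "$user" "$allow_users"; then
        echo "denied: not in AllowUsers"; return 1
    fi
    # 3. DenyGroups: any one of the user's groups matching is enough to refuse.
    for g in $groups; do
        if list_matches "$g" "$deny_groups"; then
            echo "denied: DenyGroups ($g)"; return 1
        fi
    done
    # 4. AllowGroups, if set, must match at least one of the user's groups.
    if [ -n "$allow_groups" ]; then
        for g in $groups; do
            if list_matches "$g" "$allow_groups"; then
                echo "allowed"; return 0
            fi
        done
        echo "denied: no group in AllowGroups"; return 1
    fi
    echo "allowed"; return 0
}

# Constructed scenario: the page's two example lists set at the same time,
# DenyUsers "harry susan joe" and AllowUsers "tom harry susan". Only tom
# gets in; harry is listed in both and the deny list is checked first.
for u in tom harry joe; do
    printf '%-6s -> %s\n' "$u" "$(ssh_access_allowed "$u" users "harry susan joe" "tom harry susan" "" "")"
done
```

The same function shows why the dedicated-group approach works: with AllowGroups sshusers alone, a user whose groups include sshusers is allowed, root (groups root and wheel) is refused, and adding a contractor's group to DenyGroups blocks that user even though they are also in sshusers.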