In one of our previous articles, we introduced you to SSH authentication and its basic usage. However, you can’t use SSH as an authentication method unless the machine you want to log into is preconfigured with an SSH server. This article covers the steps to set up a machine with SSH authentication.
Why do you need to enable an SSH server manually?
When you install Linux on a computer or a virtual machine, the installation wizard will ask you if you want to enable the system for SSH authentication. If, for some reason, this step was skipped, then you’ll have to configure your computer manually.
To create SSH access on a server, you’ll need to configure both the server (to allow access) and the client (to authenticate and connect). Here’s a step-by-step breakdown for installing an SSH server on the most common Linux systems.
Step 1: Install and enable the SSH Server
The following steps must be executed on the machine you want to access with SSH (the server).
# RHEL/CentOS/Fedora
sudo dnf install openssh-server
sudo systemctl enable sshd
sudo systemctl start sshd
# Verify that the server is running
sudo systemctl status ssh # or sshd
Step 2: Create a user account (if needed)
You can use an existing user or create a new one for SSH access:
sudo adduser testuser
sudo passwd testuser
Step 3: Set up PKA (Recommended)
PKA stands for Public Key Authentication. It’s a highly secure and widely used method for proving your identity when connecting to a remote server. The user generates a pair of cryptographic keys: a public key and a private key. The two keys are mathematically linked, but the private key cannot feasibly be derived from the public key. The public key is designed to be shared, while the private key is designed to be kept secret on your local machine.
Execute the following steps on the client machine:
# Generate an SSH key pair (if you don't have one)
ssh-keygen -t ed25519 -C "your_email@example.com"
# or use RSA if needed:
# ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
This creates:
- ~/.ssh/id_ed25519 (private key)
- ~/.ssh/id_ed25519.pub (public key)
# Transfer your public key to the server
ssh-copy-id testuser@your.server.ip
This appends your public key to ~/.ssh/authorized_keys on the server.
Alternatively:
scp ~/.ssh/id_ed25519.pub testuser@your.server.ip:/home/testuser/
ssh testuser@your.server.ip
mkdir -p ~/.ssh
cat ~/id_ed25519.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
rm ~/id_ed25519.pub
Step 4: Harden the SSH Server Configuration (Recommended)
Edit the SSH daemon config:
sudo nano /etc/ssh/sshd_config
# Recommended changes:
PermitRootLogin no
PasswordAuthentication no
AllowUsers testuser
Then, restart SSH to apply the changes:
sudo systemctl restart ssh # or sshd
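sshd uses the first value it reads for each keyword, so an earlier line or an included drop-in file can override an edit made further down in sshd_config. The added example below (not from the original article; `audit_sshd` and the sample data are constructed for illustration) checks the effective settings printed by `sshd -T` against the Step 4 changes.

```shell
#!/bin/bash
# Added example: audit the effective sshd settings against the Step 4 changes.
# Input is `sshd -T` output: one lowercase "keyword value" pair per line.

# audit_sshd USER: reads `sshd -T` text on stdin, prints one line per failed
# check, and returns 0 only if every check passes.
audit_sshd() {
    local user="$1" key value rest
    local root="" pass="" allowed="" fail=0
    while read -r key value rest; do
        case "$key" in
            permitrootlogin)        root="$value" ;;
            passwordauthentication) pass="$value" ;;
            allowusers)             allowed="$allowed $value $rest" ;;
        esac
    done
    [ "$root" = "no" ] || { echo "FAIL permitrootlogin=${root:-unset}"; fail=1; }
    [ "$pass" = "no" ] || { echo "FAIL passwordauthentication=${pass:-unset}"; fail=1; }
    # Exact-name match only; user@host and wildcard patterns are not expanded.
    case " $allowed " in
        *" $user "*) ;;
        *) echo "FAIL allowusers does not list $user"; fail=1 ;;
    esac
    [ "$fail" -eq 0 ] && echo "OK effective settings match the hardening"
    return "$fail"
}

# Constructed samples (not captured from a real host).
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
allowusers testuser'
# The main file was edited, but an earlier setting still wins.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
passwordauthentication yes
allowusers testuser'

printf '%s\n' "$SAMPLE_HARDENED"   | audit_sshd testuser
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd testuser || true
# On a real server: sudo sshd -T | audit_sshd testuser
```

Run it before closing the session you used to edit the config, so a failed check can still be corrected.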
Step 5: Open the SSH port (if using a firewall)
# Ubuntu/Debian with ufw
sudo ufw allow ssh
sudo ufw enable
# CentOS/RHEL with firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
Step 6: Test the SSH access from the client
ssh testuser@your.server.ip
You should now be securely connected via SSH using your key pair.
Automating SSH server provisioning with bash
Below is a secure and automated Bash script for provisioning a new SSH server on a Linux-based VM or IoT device (Debian/Ubuntu family). It installs and configures the SSH server, sets up a new user with key-based authentication, and hardens the SSH config.
After the base OS is installed, you can run this script as root or with sudo.
#!/bin/bash
# Stop on the first failed command, unset variable, or failed pipeline stage
set -euo pipefail
# Variables (you can pass these in or modify here)
USERNAME="testuser"
PUB_KEY_URL="https://yourdomain.com/keys/testuser_id_ed25519.pub" # Or scp it
SSH_PORT="22"
# 1. Install OpenSSH Server (curl is needed for step 3)
apt-get update && apt-get install -y openssh-server ufw curl
# 2. Create a new user and set up home directory
adduser --disabled-password --gecos "" "$USERNAME"
mkdir -p "/home/$USERNAME/.ssh"
chown -R "$USERNAME:$USERNAME" "/home/$USERNAME/.ssh"
chmod 700 "/home/$USERNAME/.ssh"
# 3. Fetch public key and set up authorized_keys
curl -fsSL "$PUB_KEY_URL" -o "/home/$USERNAME/.ssh/authorized_keys"
chmod 600 "/home/$USERNAME/.ssh/authorized_keys"
chown "$USERNAME:$USERNAME" "/home/$USERNAME/.ssh/authorized_keys"
# 4. Harden SSH server config
# Each pattern matches the directive whether or not it is commented out,
# so a line that is already active is rewritten too.
sed -i.bak -E \
 -e "s/^#?Port .*/Port $SSH_PORT/" \
 -e 's/^#?PermitRootLogin .*/PermitRootLogin no/' \
 -e 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' \
 -e 's/^#?PubkeyAuthentication .*/PubkeyAuthentication yes/' \
 -e 's/^#?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication no/' \
 -e 's/^#?UsePAM .*/UsePAM no/' \
 /etc/ssh/sshd_config
echo "AllowUsers $USERNAME" >> /etc/ssh/sshd_config
# Check that the edited config parses before restarting the daemon
sshd -t
# 5. Restart SSH to apply changes
systemctl enable ssh
systemctl restart ssh
# 6. Configure firewall to allow SSH (TCP only)
ufw allow "$SSH_PORT/tcp"
ufw --force enable
# 7. Done
echo "✅ SSH server configured for user '$USERNAME' on port $SSH_PORT"
Notes:
- You can replace PUB_KEY_URL with a local file or SCP method if needed.
- Make sure the public key is valid and in OpenSSH format (starts with ssh-ed25519 or ssh-rsa).
- Adjust the firewall section for firewalld if you’re on CentOS/RHEL.
- For provisioning in the cloud (e.g., EC2, Azure), make sure the corresponding security group or NSG also allows the SSH port.
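The provisioning script writes whatever the URL returns straight into authorized_keys, so the format check from the notes is worth automating. The added example below (not part of the original script; `valid_pubkey` and the sample files are constructed for illustration) accepts a file only if it holds a single ssh-ed25519 or ssh-rsa public key line.

```shell
#!/bin/bash
# Added example: vet a downloaded file before installing it as authorized_keys.

# valid_pubkey FILE: returns 0 only if FILE holds exactly one OpenSSH public
# key line of type ssh-ed25519 or ssh-rsa whose blob matches that type.
valid_pubkey() {
    local file="$1" line type blob comment prefix
    [ -s "$file" ] || { echo "empty or missing file"; return 1; }
    # Exactly one non-blank line: rejects HTML error pages and multi-key files.
    [ "$(grep -c '[^[:space:]]' "$file")" -eq 1 ] ||
        { echo "expected exactly one key line"; return 1; }
    line=$(grep '[^[:space:]]' "$file")
    read -r type blob comment <<EOF
$line
EOF
    # The first field must be the key type, so lines that start with
    # authorized_keys options such as command="..." are refused as well.
    case "$type" in
        ssh-ed25519) prefix="AAAAC3NzaC1lZDI1NTE5" ;;
        ssh-rsa)     prefix="AAAAB3NzaC1yc2E" ;;
        *) echo "unsupported key type"; return 1 ;;
    esac
    # The blob is base64 and begins with the encoded type name.
    case "$blob" in
        "")                echo "missing key blob"; return 1 ;;
        *[!A-Za-z0-9+/=]*) echo "blob is not base64"; return 1 ;;
        "$prefix"*)        echo "ok $type" ;;
        *)                 echo "blob does not match $type"; return 1 ;;
    esac
}

# Constructed samples: a placeholder blob with the right prefix (not a usable
# key) and an HTML error page of the kind a wrong URL returns.
tmp=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedPLACEHOLDERblob user@example' > "$tmp/good.pub"
printf '%s\n' '<html>' '<body>404 Not Found</body>' '</html>' > "$tmp/page.pub"
valid_pubkey "$tmp/good.pub"
valid_pubkey "$tmp/page.pub" || true
rm -rf "$tmp"
```

On a host with OpenSSH installed, `ssh-keygen -l -f FILE` additionally parses the key and prints its fingerprint, which can be compared with the one shown on the client.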