Debian

Enable SSH Server on Debian 12

In this guide, we will showcase how to install and enable the SSH server on Debian 12.

Prerequisites:

To perform the steps that are demonstrated in this guide, you need the following components:

  • A properly-configured Debian system. Check out how to install Debian on a VirtualBox VM.
  • If you’re running an older version of Debian, check out how to upgrade to Debian 12.
  • Access to root or a non-root user with sudo

SSH Server on Debian 12

SSH (Secure Shell or Secure Socket Shell) is a cryptographic network protocol that is mostly used for accessing the remote computers over a network. The protocol features a client-server architecture where an SSH client instance connects with an SSH server.

OpenSSH is currently the most popular implementation of the SSH protocol. It’s a free and open-source software available for all the major platforms. On Debian, all the OpenSSH packages are available from the default package repo.

Installing OpenSSH on Debian

Installing the OpenSSH Client

By default, Debian should come with the OpenSSH client pre-installed:

$ ssh -v

If the OpenSSH client is installed, your system should have the scp and sftp tools installed as well:

$ type scp

$ type sftp

If the OpenSSH client isn’t installed, install it using the following commands:

$ sudo apt update

$ sudo apt install openssh-client

Installing the OpenSSH Server

The OpenSSH server allows the remote clients to connect to the machine. However, it doesn’t come preinstalled on Debian.

To install the OpenSSH server, run the following commands:

$ sudo apt update

$ sudo apt install openssh-server

Firewall Configuration

By default, the OpenSSH server is configured to listen on port 22. However, most firewalls will deny any connection request by default. To allow the remote SSH clients to connect to the SSH server, we need to open port 22 on the firewall.

In this section, we will demonstrate how to allow the SSH access on UFW. If you’re using any other firewall, please consult the respective documentation.

To allow access to port 22, run the following command:

$ sudo ufw allow 22/tcp

Check out the list of UFW rules for verification:

$ sudo ufw status

Enabling the OpenSSH Server

Upon successful installation, the OpenSSH server should be manageable through the ssh service:

$ sudo systemctl list-unit-files | grep enabled | grep ssh

To ensure that the OpenSSH server starts at boot, run the following command:

$ sudo systemctl enable ssh

Managing the SSH Server

To check the status of the OpenSSH server, run the following command:

$ sudo systemctl status ssh

To start the server, run the following command:

$ sudo systemctl start ssh

To stop the server, run the following command:

$ sudo systemctl stop ssh

To restart the server, run the following command:

$ sudo systemctl restart ssh

OpenSSH Configuration

There are a couple of SSH configuration files:

  • /etc/ssh/ssh_config: Configuration file for the SSH client
  • /etc/ssh/sshd_config: Configuration file for the SSH server

By default, most options are commented out. To activate an option, uncomment by removing “#” at the beginning of the line.

Note that after tweaking the SSH server configuration, you have to restart the server to apply the changes.

Client Configuration

Here’s a short list of some important SSH client configurations:

  • Compression: It specifies whether SSH uses compression over the connection. By default, compression is enabled (yes). However, it can be turned off (no).
  • LogLevel: It determines the level of details where the SSH client logs the user activity. Logging can be disabled (QUIET) or enabled (FATAL, ERROR, INFO, VERBOSE, DEBUG1, DEBUG2, and DEBUG3).
  • ServerAliveInterval: After the specified time (in seconds), if the server sends no data, the client sends a message requesting a response.
  • ServerAliveCountMax: The number of server alive messages to be sent to the SSH server before disconnecting from the server.

Check out the man page for all the available options:

$ man ssh_config

Server Configuration

Here’s a short list of some important SSH server configurations:

  • AllowUsers: Only the users who are listed here are allowed for SSH authentication. It can be a list of users or a pattern. By default, all users are allowed to authenticate over SSH.
  • DenyUsers: Users who are listed are not allowed for SSH authentication. It can be a list of users or a pattern.
  • LogLevel: It specifies the sshd logging verbosity level. Logging can be disabled (QUIET) or enabled (FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3).
  • Port: It defines the port that the SSH server listens to. The value is a port number (22 by default). Some admins may consider to switch to a different port as a means of preventing the incoming SSH attacks. However, it may just contribute to unnecessary inconvenience as port scanning (nmap for example) can reveal the open ports.
  • PermitRootLogin: By default, the SSH server doesn’t permit logging in as root (no). Other valid arguments: yes, without-password, and forced-commands-only.
  • PasswordAuthentication: This directive specifies whether the SSH server allows the password-based authentication (yes) or not (no).

Check out the man page for all the available options:

$ man sshd_config

Conclusion

We demonstrated how to install and configure the OpenSSH server. We also showcased how to tweak the SSH server/client configuration files.

Besides the remote access, SSH can also be used for transferring the file. Check out how to copy the files with SSH and how to mount the remote locations using SSHFS. Even the DevOps providers like GitLab uses SSH as a means to authenticate the users.

Happy computing!

About the author

Sidratul Muntaha

Student of CSE. I love Linux and playing with tech and gadgets. I use both Ubuntu and Linux Mint.