Installing OpenSSH

Installing OpenSSH

SSH is the primary remote access protocol for Ubuntu servers. OpenSSH is the implementation Ubuntu uses — it provides both the client (ssh) and server (sshd) components. Understanding how SSH authentication works, what the host key verification prompt means, and where configuration files live is the foundation for everything else in SSH administration.

SSH client vs SSH server

SSH components:
  Client side (your laptop/workstation):
    Package: openssh-client (usually installed by default)
    Binary: /usr/bin/ssh
    Config: ~/.ssh/config, ~/.ssh/known_hosts

  Server side (the machine you connect TO):
    Package: openssh-server
    Binary/daemon: /usr/sbin/sshd
    Config: /etc/ssh/sshd_config
    Host keys: /etc/ssh/ssh_host_*_key

Installing openssh-server

# Install SSH server (often already installed on Ubuntu Server)
sudo apt update && sudo apt install -y openssh-server

# Enable and start the SSH service
sudo systemctl enable --now ssh

# Verify it's running and on which port
sudo systemctl status ssh
sudo ss -tlnp | grep sshd

ss output showing SSH listening

LISTEN  0  128  0.0.0.0:22  0.0.0.0:*  users:(("sshd",pid=1234,fd=3))
LISTEN  0  128  [::]:22     [::]:*      users:(("sshd",pid=1234,fd=4))

# Allow SSH through UFW firewall
sudo ufw allow ssh         # Allow port 22
sudo ufw allow 22/tcp      # Alternative
sudo ufw enable

The first connection: host key verification

ssh user@192.168.1.10

First connection prompt

The authenticity of host '192.168.1.10 (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:abc123xyz456...
Are you sure you want to continue connecting (yes/no/[fingerprint])?

📝 NOTE: This prompt appears on the FIRST connection to a new host. Type yes to accept and save the host key to ~/.ssh/known_hosts. On subsequent connections, SSH verifies the server presents the same key — if it does not (different key = different or compromised server), SSH refuses to connect. To verify the fingerprint is legitimate, check it on the server console: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub

The ~/.ssh/ directory structure

ls -la ~/.ssh/

~/.ssh/ directory contents

drwx------ 2 irfan irfan 4096 Jun  9 14:00 .        ← must be 700
-rw------- 1 irfan irfan  411 Jun  9 13:00 id_ed25519       ← private key (600)
-rw-r--r-- 1 irfan irfan  100 Jun  9 13:00 id_ed25519.pub   ← public key (644)
-rw------- 1 irfan irfan 2048 Jun  9 14:00 authorized_keys  ← allowed keys (600)
-rw-r--r-- 1 irfan irfan 1024 Jun  9 14:00 config           ← client config (600)
-rw-r--r-- 1 irfan irfan 4096 Jun  9 12:00 known_hosts      ← verified servers

⚠️ WARNING: Permissions on ~/.ssh/ and its files MUST be strict. SSH will refuse to use keys if permissions are too permissive. The directory must be 700, private keys 600, authorized_keys 600. Fix with: chmod 700 ~/.ssh; chmod 600 ~/.ssh/*; chmod 644 ~/.ssh/*.pub

Basic sshd_config settings

# View the SSH server config
sudo cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"

Key sshd_config defaults

Port 22                    # Listening port
PermitRootLogin prohibit-password  # Root login only with key (not password)
PubkeyAuthentication yes   # Key-based auth enabled
PasswordAuthentication yes # Password auth enabled (should disable in prod)
AuthorizedKeysFile .ssh/authorized_keys  # Location of authorized keys

# After any sshd_config change:
sudo sshd -t    # Test config syntax
sudo systemctl reload ssh    # Apply without disconnecting existing sessions

Conclusion

Install with sudo apt install openssh-server, then systemctl enable --now ssh. The host key fingerprint prompt on first connection is a security feature — verify the fingerprint against the server console before accepting. Always fix SSH directory permissions if authentication fails unexpectedly: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys. After modifying sshd_config, always test with sudo sshd -t before reloading to avoid locking yourself out.