Installing SSH on Ubuntu enables secure remote server administration through encrypted connections. Secure Shell (SSH) encrypts all data transmitted between client and server, preventing eavesdropping during remote sessions. Whether you need to execute commands on a remote machine, transfer files securely via SCP or SFTP, or tunnel other protocols through encrypted connections, OpenSSH provides the foundation for secure Linux server management.
This guide covers installing and configuring OpenSSH on Ubuntu, including package installation, security hardening (custom ports, key-based authentication, disabled root login), and firewall configuration. By the end, you will have a production-ready SSH server accepting secure remote connections.
Update Ubuntu Before SSH Installation
Before installing SSH, update your Ubuntu system’s package list and upgrade existing packages. This step ensures your system is current and prevents potential conflicts during installation.
Execute the following command in the terminal:
sudo apt update && sudo apt upgrade
This command first updates the list of available packages and then upgrades the installed packages to their latest versions.
Install OpenSSH with APT
After updating your system, proceed to install the OpenSSH server and client. OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client-server architecture.
APT (Advanced Package Tool, Ubuntu’s package manager, similar to Windows Update) manages these packages.
Most Ubuntu Server images include OpenSSH server by default, while Ubuntu Desktop only ships the client binary. Confirm that at least the client portion is available on your workstation:
ssh -V
Example output on Ubuntu 24.04 LTS:
OpenSSH_9.6p1 Ubuntu-3ubuntu13.14, OpenSSL 3.0.13 30 Jan 2024
The version output confirms the client is installed, but you still need the server component to accept incoming connections. Install (or reinstall) both packages with APT; the command is safe to run even when the packages already exist because APT simply verifies and refreshes them:
sudo apt install openssh-server openssh-client
The openssh-server component allows your Ubuntu machine to accept SSH connections while the openssh-client enables it to initiate SSH connections to other machines.
Verify OpenSSH Installation
Post-installation, confirm that systemd (the service manager that starts and monitors programs at boot) is managing the OpenSSH service properly. Ubuntu 24.04 LTS and later use socket activation, while Ubuntu 22.04 LTS runs a persistent daemon.
On Ubuntu 24.04 LTS and later:
sudo systemctl status ssh.socket
Expected output showing the socket is active and listening:
● ssh.socket - OpenBSD Secure Shell server socket
Loaded: loaded (/lib/systemd/system/ssh.socket; enabled; preset: enabled)
Active: active (listening) since Mon 2025-01-15 10:30:00 UTC
Triggers: ● ssh.service
Listen: 0.0.0.0:22 (Stream)
[::]:22 (Stream)
On socket-activated systems, ssh.service appears inactive until the first SSH connection triggers it. This is normal behavior: the socket listens for connections and starts the service on demand.
On Ubuntu 22.04:
sudo systemctl status ssh
Expected output showing the service is active:
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
Active: active (running) since Mon 2025-01-15 10:30:00 UTC
Main PID: 1234 (sshd)
Tasks: 1 (limit: 4096)
Memory: 2.5M
Configure SSH on Ubuntu
Understand Socket Activation on Ubuntu 24.04 and Later
Ubuntu 24.04 LTS and later use systemd socket-based activation for OpenSSH. A systemd generator reads Port and ListenAddress directives from /etc/ssh/sshd_config and configures ssh.socket to listen on the same interfaces. Ubuntu 22.04 LTS runs ssh.service directly at boot without socket activation.
The practical impact: when you change Port or ListenAddress directives on Ubuntu 24.04 LTS, run systemctl daemon-reload to regenerate the socket configuration, then restart the socket. For other configuration changes (authentication settings, login limits), restart or reload the service. Ubuntu 22.04 LTS only requires restarting or reloading the SSH service directly.
Edit SSH Server Configuration
The primary SSH configuration file lives at /etc/ssh/sshd_config across all Ubuntu versions. While the default settings provide solid security, you can customize port numbers, authentication methods, login restrictions, and connection limits to match your specific requirements. Open the configuration file with your preferred text editor:
sudo nano /etc/ssh/sshd_config
Make all desired configuration changes in the sections below (port, authentication attempts, root login, etc.) before saving and closing the file. After completing all modifications, follow the version-specific restart instructions to apply your settings.
Change OpenSSH Port
Changing the default SSH port from 22 to a custom port reduces automated attack attempts targeting the standard port. It does not hide the service from a port scan, so treat it as noise reduction rather than access control. Combined with login attempt restrictions and disabled root login, this hardens your server against brute-force attacks.
To change the SSH port, locate the Port line in the sshd_config file and set your preferred port number:
Port 2222
If UFW or another firewall already enforces rules, allow the new SSH port before restarting SSH to avoid locking yourself out of remote sessions. Remove the old port 22 rule only after you confirm the new port works.
sudo ufw allow 2222/tcp
sudo ufw delete allow ssh # run only after confirming the new port works
After updating the port number, apply the changes using the appropriate commands for your Ubuntu version:
On Ubuntu 24.04 LTS and later:
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
The daemon-reload triggers the systemd generator that reads the new port from sshd_config and updates the socket configuration. Restarting ssh.socket applies the change. You do not need to restart ssh.service separately—it starts automatically when the first connection arrives.
Verify the socket is listening on the new port:
sudo ss -tlnp | grep 2222
Expected output confirming SSH listens on port 2222:
LISTEN 0 4096 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 4096 [::]:2222 [::]:*
Until the first connection triggers ssh.service, the output may show systemd as the listener rather than sshd. This is expected behavior for socket activation.
On Ubuntu 22.04:
sudo systemctl restart ssh
Verify the service is listening on the new port:
sudo ss -tlnp | grep ssh
Limit Login Attempts with SSH
Restricting the maximum authentication attempts per connection mitigates brute-force attacks by disconnecting clients that fail multiple login attempts. Locate the MaxAuthTries directive in your open sshd_config file and set a reasonable limit:
MaxAuthTries 3
Apply the configuration change:
sudo systemctl restart ssh
On socket-activated systems (Ubuntu 24.04 LTS and later), use systemctl restart ssh rather than reload. The reload command fails if ssh.service is not running, which is the normal state before the first connection.
Disable SSH Root Login
Preventing direct root login via SSH forces attackers to compromise a regular user account before attempting privilege escalation, adding a critical security layer. Ensure you have a non-root user account with sudo privileges before disabling root login to avoid locking yourself out of the server.
Locate the PermitRootLogin directive in your open sshd_config file and set it to no:
PermitRootLogin no
After completing all configuration changes, save and close the file. Then restart the SSH service to apply the settings:
sudo systemctl restart ssh
Require SSH Key Authentication on Ubuntu
Key-based authentication removes password prompts and relies on public keys stored in ~/.ssh/authorized_keys. Keep an existing session open and confirm at least one sudo-capable user can sign in with a key before disabling passwords. Then set the following directives in sshd_config:
PasswordAuthentication no
KbdInteractiveAuthentication no
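To restrict SSH access even further, allow only specific users or groups. When both directives are set, a login must satisfy both, so in this example alice and deploy must also be members of sshusers: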
AllowUsers alice deploy
AllowGroups sshusers
Restart the SSH service to apply these authentication changes:
sudo systemctl restart ssh
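Added example, not part of the original guide: Ubuntu's stock sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, and sshd keeps the first value it reads for each keyword, so a drop-in file can override the edits made above. The function below checks sshd -T style output (the effective configuration) against the values this guide sets; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit sshd's effective settings.
# Input on stdin: `sshd -T` style lines, "keyword value" with lowercase keywords.
# Return status: number of checks that deviate from the values this guide sets.
audit_sshd_effective() {
    awk '
    NF >= 2 { seen[tolower($1)] = $2 }
    END {
        fails = 0
        # Directives this guide sets to "no".
        n = split("permitrootlogin passwordauthentication kbdinteractiveauthentication", must_be_no, " ")
        for (i = 1; i <= n; i++) {
            k = must_be_no[i]
            if (!(k in seen))         { print "MISSING " k; fails++ }
            else if (seen[k] != "no") { print "FAIL " k " is " seen[k] ", expected no"; fails++ }
            else                      { print "OK " k " no" }
        }
        # MaxAuthTries: the guide uses 3; anything higher is reported.
        if (!("maxauthtries" in seen))         { print "MISSING maxauthtries"; fails++ }
        else if (seen["maxauthtries"] + 0 > 3) { print "FAIL maxauthtries is " seen["maxauthtries"] ", expected <= 3"; fails++ }
        else                                   { print "OK maxauthtries " seen["maxauthtries"] }
        exit fails
    }'
}

# Constructed sample: a drop-in re-enabled passwords and the other edits were never made.
SAMPLE_EFFECTIVE='port 2222
permitrootlogin without-password
passwordauthentication yes
kbdinteractiveauthentication no
maxauthtries 6'

printf '%s\n' "$SAMPLE_EFFECTIVE" | audit_sshd_effective ||
    echo "$? setting(s) differ from the guide"
```

On a server, run sudo sshd -t to catch syntax errors before restarting, then sudo sshd -T | audit_sshd_effective to check the values sshd will actually use.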
Secure SSH with UFW Firewall Rules
The Uncomplicated Firewall (UFW) provides straightforward firewall management on Ubuntu. Configuring UFW rules ensures only authorized traffic reaches your SSH service. For additional brute-force protection, consider installing Fail2ban on Ubuntu to automatically ban IPs with repeated failed login attempts.
If UFW is not installed, add it with this command:
sudo apt install ufw
Allow incoming SSH connections on the default port:
sudo ufw allow ssh
For a custom port (adjust the port number to match your sshd_config setting):
sudo ufw allow 2222/tcp
To restrict SSH access to a specific IP address, specify the source IP in the rule (replace 203.0.113.10 with the client you want to allow):
sudo ufw allow from 203.0.113.10 to any port 22
Enable UFW if not already active:
sudo ufw enable
Verify your firewall rules:
sudo ufw status
Expected output (the port shown depends on your configuration):
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
If you changed SSH to a custom port, your output shows that port instead (for example, 2222/tcp).
Connect to Remote Servers with SSH
Establish Basic SSH Connection
Connect to a remote server using SSH with the following command syntax:
ssh username@remote_server
Replace username with your account username and remote_server with the server’s hostname or IP address. The system will prompt you for your password to authenticate the connection.
Connect with Public Key Authentication
Public key authentication provides stronger security than password-based authentication by using cryptographic key pairs. This method eliminates password transmission over the network and enables automated connections without interactive prompts.
Create a new key pair with ssh-keygen if the ~/.ssh directory does not already contain one. Accept the default file path (~/.ssh/id_ed25519) or specify a custom location, then set a strong passphrase when prompted:
ssh-keygen -t ed25519
Copy the public key to the remote server so it is appended to ~/.ssh/authorized_keys. Replace username@remote_server with your actual SSH login:
ssh-copy-id username@remote_server
If ssh-copy-id is unavailable, manually upload the contents of ~/.ssh/id_ed25519.pub to the server using SFTP or any existing SSH session.
To connect using public key authentication, specify your private key file:
ssh -i /path/to/private_key username@remote_server
Replace /path/to/private_key with the actual path to your private key file (typically ~/.ssh/id_rsa or ~/.ssh/id_ed25519), username with your remote username, and remote_server with the server’s IP address or hostname.
Specify Custom SSH Port
When the remote server uses a non-standard SSH port, specify it with the -p flag:
ssh -p PORT_NUMBER username@remote_server
Replace PORT_NUMBER with the actual port configured on the remote server. For example, if the server listens on port 2222:
ssh -p 2222 username@remote_server
Transfer Files with SCP
Secure Copy Protocol (SCP) transfers files securely over SSH. To copy a local file to a remote server:
scp /path/to/local/file username@remote_server:/path/to/remote/directory
To copy a directory recursively, add the -r flag:
scp -r /path/to/local/directory username@remote_server:/path/to/remote/directory
For servers listening on a custom SSH port, specify it with the uppercase -P flag:
scp -P 2222 /path/to/local/file username@remote_server:/path/to/remote/directory
Execute Remote Commands
Run commands on a remote server without maintaining an interactive session:
ssh username@remote_server 'command_to_run'
For example, to check disk usage on the remote server:
ssh username@remote_server 'df -h'
Troubleshoot SSH on Ubuntu
When SSH connection or authentication issues occur, systematic troubleshooting helps identify the root cause. Start by checking the SSH service status, reviewing authentication logs, and verifying firewall rules.
Check SSH Service Status
On Ubuntu 24.04 LTS and later (socket-activated):
sudo systemctl status ssh.socket
Expected output when the socket is active and listening:
● ssh.socket - OpenBSD Secure Shell server socket
Loaded: loaded (/lib/systemd/system/ssh.socket; enabled; preset: enabled)
Active: active (listening)
Check ssh.service as well:
sudo systemctl status ssh.service
On socket-activated systems, ssh.service shows as inactive before any SSH connections have been made. This is normal: the socket handles the listening and triggers the service on demand. You only need to investigate if the socket itself is not active.
Verify the socket is listening on the correct port:
sudo ss -tlnp | grep :22
On Ubuntu 22.04 LTS:
sudo systemctl status ssh
Expected output when the service is running:
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
Active: active (running)
Connection Refused Error
If you see “Connection refused” when connecting, the SSH service is not running or the firewall is blocking the port:
ssh: connect to host 192.168.1.100 port 22: Connection refused
Check whether SSH is listening:
sudo ss -tlnp | grep :22
If no output appears, start the SSH service:
sudo systemctl start ssh.socket # Ubuntu 24.04 LTS and later
sudo systemctl start ssh # Ubuntu 22.04 LTS
If SSH is running but connections fail, check UFW:
sudo ufw status
sudo ufw allow ssh
Permission Denied (Publickey) Error
This error appears when key-based authentication fails:
Permission denied (publickey).
Verify your key permissions on the client machine. Private keys must be readable only by you:
ls -la ~/.ssh/
Expected permissions:
drwx------ 2 user user 4096 Jan 15 10:00 .
-rw------- 1 user user  419 Jan 15 10:00 id_ed25519
-rw-r--r-- 1 user user  105 Jan 15 10:00 id_ed25519.pub
Fix permissions if incorrect:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
On the server, check that your public key exists in ~/.ssh/authorized_keys and that the directory has correct permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Review Authentication Logs
Check the authentication log for detailed error messages:
sudo tail -50 /var/log/auth.log | grep ssh
Common log entries and their meanings:
Failed password for user from 192.168.1.50 port 54321 ssh2
This indicates incorrect password attempts. If you see many failed attempts from unknown IPs, consider installing Fail2ban to automatically block attackers.
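Added example, not part of the original guide: to judge whether failed attempts are concentrated on a few sources, the function below counts "Failed password" entries per source address. The function name, the threshold argument, and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): rank sources of failed SSH password logins.
# stdin: auth.log lines; $1: minimum count to report (default 1).
# stdout: "<count> <source>" per line, highest count first.
failed_ssh_by_source() {
    awk -v min="${1:-1}" '
    /sshd/ && /Failed password for/ {
        # Scan from the right: the line ends "from <addr> port <n> ssh2", while the
        # username is chosen by the client and may contain spaces or the word "from".
        for (i = NF - 1; i >= 1; i--)
            if ($i == "from") { count[$(i + 1)]++; break }
    }
    END { for (src in count) if (count[src] >= min) print count[src], src }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines in the log format shown above (documentation addresses).
SAMPLE_AUTH_LOG='Jan 15 10:01:02 host sshd[1001]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jan 15 10:01:05 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Jan 15 10:01:09 host sshd[1002]: Failed password for invalid user from from 198.51.100.7 port 40114 ssh2
Jan 15 10:02:00 host sshd[1003]: Failed password for alice from 203.0.113.10 port 51000 ssh2
Jan 15 10:02:30 host sshd[1004]: Accepted publickey for alice from 203.0.113.10 port 51001 ssh2'

# Report only sources with at least 2 failures in the sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_source 2
```

On a server, feed it the real log with sudo cat /var/log/auth.log | failed_ssh_by_source 5 and adjust the threshold to your normal level of mistyped passwords.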
Remove OpenSSH from Ubuntu
If you no longer need the SSH server, remove the packages and clean up configuration files.
Uninstall OpenSSH Packages
Remove the OpenSSH server package while keeping the client for outbound connections:
sudo apt remove openssh-server
To remove both server and client components along with configuration files:
sudo apt purge openssh-server openssh-client
Remove orphaned dependencies that were installed alongside OpenSSH:
sudo apt autoremove
Remove SSH Configuration and Keys
Danger: The following commands permanently delete SSH keys and configuration files. Back up any files you may need before proceeding. If you reinstall OpenSSH later, new host keys will be generated, and existing clients will show host key verification warnings.
To remove only the server host keys (preserves your custom sshd_config):
sudo rm /etc/ssh/ssh_host_*
To remove all system-wide SSH configuration and host keys:
sudo rm -rf /etc/ssh
To remove your personal SSH keys and known hosts, first back up any keys you want to preserve:
cp -r ~/.ssh ~/.ssh.backup
Then remove the SSH directory (only if you want to completely reset your personal SSH data):
rm -rf ~/.ssh
Deleting ~/.ssh removes all your personal SSH keys, including keys used to access GitHub, GitLab, and other services. If you only want to remove the known_hosts file to clear old host fingerprints, run rm ~/.ssh/known_hosts instead.
Remove UFW SSH Rules
If you added firewall rules for SSH, remove them:
sudo ufw delete allow ssh
sudo ufw delete allow 2222/tcp # If you used a custom port
Verify Removal
Confirm OpenSSH is no longer installed:
dpkg -l | grep openssh
If the package was properly purged, this command returns no output (empty). If you see entries marked rc (removed but config files remain), the output looks like:
rc openssh-server 1:9.6p1-3ubuntu13 amd64 secure shell (SSH) server
Run sudo apt purge openssh-server again to remove the remaining configuration files.
Conclusion
OpenSSH provides secure remote server access with strong encryption and flexible authentication options. This guide covered package installation, security hardening (custom ports, login attempt limits, disabled root login, key-based authentication), and UFW firewall configuration. Ubuntu 24.04 LTS uses socket-based activation requiring daemon reloads and socket restarts for port changes, while Ubuntu 22.04 LTS uses traditional service restarts. Your Ubuntu server now accepts hardened SSH connections for secure administration, file transfers, and remote command execution.