SSH questions are common in Linux forums. Some important points to remember:
- There are two ends of the SSH connection: the local client and the remote server. The words server and client are used with respect to the process and not the computers.
- The default SSH server configuration usually is stored in
- The default SSH client configuration usually is stored in
- Some client defaults may be overridden in the user’s
- To shorten the full commands needed, aliases can be created in
- The remote account name is important when connecting. Often people need to connect from one user account into a different user account.
- When practical, disable logging in as root. This is not always possible, such as with many embedded devices.
- When practical, use key pairs rather than passwords. This is not always possible, such as with many embedded devices.
- The public key is always the key to copy elsewhere. The private key is never copied anywhere.
- The intended user should generate the key pair rather than another person. If another person generates the key pair, then that person has access to the private key.
- Computers can be stolen or compromised. A common way to ensure a private key cannot be compromised is with a pass phrase.
- Usually public keys are stored in the remote account
- Multiple key pairs may be used with multiple remote systems.
- ssh-copy-id can be used to copy public keys to a remote account, but if the remote SSH server is configured to accept only key pairs, the command will no longer work unless a public key has already been uploaded.
- When practical, avoid deprecated ciphers.
- Changing the default port of 22 is playing whack-a-mole. A better defense against bots and script kiddies is key pairs and firewall rules that drop rogue password attempts.
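
An added example, not part of the original list: a POSIX shell function that checks sshd_config-style text for three of the points above (root login, password authentication, legacy ciphers). The function names, the sample input and the legacy-cipher patterns are assumptions of this example.

```shell
#!/bin/sh
# Added example: reads sshd_config-style text on stdin, prints one line per finding.
# Assumptions: only the global section is read (parsing stops at the first
# Match line), Include files are not followed, and the legacy-cipher
# patterns (*-cbc, arcfour*) are choices made for this example.
audit_sshd() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = match(line, /[ \t=]/)               # keyword ends at whitespace or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)
        sub(/[ \t]+$/, "", val)
        if (key == "match") exit                # jump to END: global section is over
        if (!(key in seen)) seen[key] = val     # sshd keeps the first value it reads
    }
    END {
        if (seen["permitrootlogin"] == "yes")
            print "FINDING permitrootlogin=yes: root may log in directly"
        if (seen["passwordauthentication"] == "yes")
            print "FINDING passwordauthentication=yes: passwords accepted, not only key pairs"
        list = seen["ciphers"]
        if (list ~ /^-/) list = ""              # "-" prefix removes ciphers: nothing to flag
        sub(/^[+^]/, "", list)                  # "+" and "^" prefixes extend the default set
        m = split(list, c, ",")
        for (i = 1; i <= m; i++)
            if (c[i] ~ /-cbc$/ || c[i] ~ /^arcfour/)
                print "FINDING ciphers: legacy cipher " c[i]
    }'
}

# Constructed sample input (not taken from a real host).
sample_config() {
    cat <<'EOF'
# sample sshd configuration
PermitRootLogin yes
PasswordAuthentication=yes
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,3des-cbc
Match User backup
    PasswordAuthentication no
EOF
}

sample_config | audit_sshd
```

Piping the output of `sshd -T` (OpenSSH's extended test mode, which prints the effective configuration) into the function checks the values the server will actually use.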