OpenSSH provides a powerful and convenient way to access remote systems. However, it creates a possible security weakness, which is one reason it is not installed by default. With proper configuration it can be secured and allows the administration of headless servers or other devices.
Install from the official repository.
sudo pacman -S openssh
Open the configuration file.
sudo nano /etc/ssh/sshd_config
Uncomment and/or modify the desired lines in the configuration file and save.
AllowUsers user1 user2
AllowGroups group1 group2
PermitRootLogin no
Port 22
Only certain users can be allowed to log in by listing them after AllowUsers. The AllowGroups option allows users in the listed groups to log in. Root login can be controlled with PermitRootLogin: yes to allow, no to disallow and without-password to allow only with public key authentication. This should be set to no in almost all cases for security purposes. Root access can still be gained with the use of
Port is set to 22, which can make it easier for automated bots to attempt to log in. In practice, changing the default SSH port does not improve security, but it can reduce the attempted logins that fill the logs with errors. Using ports above 1024 can actually be detrimental to security, as ports below 1024 are restricted to root access while ports above can be listened on by non-root users.
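A quick check for the directives described above, as an added example that is not part of the original page. The function name audit_sshd_config and the sample config are constructed for illustration; the check assumes whitespace-separated "Keyword value" lines, reads only the global section before any Match block, and does not follow Include files.

```shell
#!/bin/sh
# audit_sshd_config FILE
# Prints one WARN line per finding for PermitRootLogin, AllowUsers,
# AllowGroups and Port. Keywords are case-insensitive. For PermitRootLogin
# the first value found is the one sshd uses; Port may be given several times.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }            # global section ends; END still runs
        key == "permitrootlogin" && root == "" { root = tolower($2) }
        key == "allowusers"  { users = 1 }
        key == "allowgroups" { groups = 1 }
        key == "port" { ports[$2] = 1 }
        END {
            if (root == "") print "WARN PermitRootLogin not set explicitly"
            else if (root != "no") print "WARN PermitRootLogin is " root ", expected no"
            if (!users && !groups) print "WARN no AllowUsers or AllowGroups restriction"
            for (p in ports)
                if (p + 0 >= 1024) print "WARN Port " p " can be bound by non-root users"
        }
    ' "$1"
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example
Port 2222
permitrootlogin without-password
PermitRootLogin no
Match User backup
    AllowUsers backup
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a real host, pass /etc/ssh/sshd_config as the argument; the sample triggers all three warnings because the first PermitRootLogin line wins and the only AllowUsers line sits inside a Match block.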
SSH can be started as a daemon with sshd; however, this is not recommended in most cases. It is better to start SSH on demand. When a socket service is started, it listens for incoming connections and only then starts the daemon process.
Start the socket service.
sudo systemctl start sshd.socket
Enable the socket service to run on boot.
sudo systemctl enable sshd.socket