OpenSSH Server on Arch Linux

OpenSSH Server on Arch Linux

OpenSSH allows powerful and convenient way to remotely access remote systems. However it creates a possible security weakness which is one reason it is not installed by default. With proper configuration it can be secured and allows the administration of headless servers servers or other devices.

 

Install OpenSSH

Install from the official repository.

sudo pacman -S openssh

 

Configure OpenSSH

Open the configuration file.

sudo nano /etc/ssh/sshd_config

 

Uncomment and or modify the desired lines in the configuration file and save.

AllowUsers user1 user2
AllowGroups group1 group2
PermitRootLogin no
Port 22

Only certain users can be allowed to login by listing them after AllowUsers. Analogously AllowGroups option allows users in listed groups to login. Root login can be controlled with PermitRootLogin option, yes to allow, no to disallow and without-password to allow only with public key authentication. This should be set to no in almost always for security purposes. Root access can still be gained with the use of sudo or su commands.

Default Port is set to 22 which can make it easier for automated bots to attempt to login. In practice changing the default SSH port does not improve security but can reduce attempted logins which can fill the logs with errors. Using ports above 1024 can actually be detrimental to security as ports below 1024 are restricted to root access while ports above can be listened to by non-root users.

 

For improved security and convenience it is also recommended to configure password-less SSH logins. Optionally also configure print ScreenFetch on SSH login.

 

Run OpenSSH

SSH can be started as a daemon with sshd however this is not recommended in most cases. It is better to start SSH on demand. When a socket service is started it will listen for incoming connections and will only then start the daemon process.

 

Start the socket service.

sudo systemctl start sshd.socket

 

Enable the socket service to run on boot.

sudo systemctl enable sshd.socket

dom