Configuring SSH :

  •   generate keys by command ssh-keygen -t rsa
    And then follow the default configuration

Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa):
Created directory '/home/example/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/example/.ssh/id_rsa.
Your public key has been saved in /home/example/.ssh/id_rsa.pub.
The key fingerprint is:
5e:3f:6f:57:42:d0:b2:f5:aa:98:53:0f:20:5d:b0:2a example@example

it will generates 2 files in ~/.ssh (id_rsa and id_rsa.pub)

id_rsa : it's a private key ,should be protected.
id_rsa.pub : it's a public key .

  • installing public key
you can use command ssh-copy-id  to copy public key to another computer , or you can also use scp to copy public key.

  • server trust client
if server trust client to access to SSH server without password (password-less log-in)  .

1-server copy client's public key to ~/.ssh/ (ssh-copy-id or scp).
2-change public key name into authorized_keys.
3- change it's permission into 600 (chmod 600 authorized_keys).

  • x11 session forwarding
To allow to run some X window programs such as (Firefox) on a remote computer.

edit sshd_config : nano /etc/ssh/sshd_config 
and check these option :
X11Forwarding yes 
X11DisplayOffset 10 
X11UseLocalhost yes 

Then connect to remote computer by command:
ssh -X username@server

Securing SSH :
  • don't allow root log-in 
edit sshd_config nano/etc/ssh/sshd_config , you will find #PermitRootLogin yes
remove # and change value into no PermitRootLogin no 

  • By TCP Wrapper
Add SSHD to TCP Wrapper to allow and deny hosts to connect to SSHD 
edit /etc/hosts.allow or  /etc/hosts.deny
for example
to deny host to connect to SSH server

nano /etc/hosts.deny

sshd :


  1. Very nice series... I love SSH (who doesn't?) A couple of my favorite SSH things: ssh-copy-key, ~/.ssh/config, molly-guard and sshguard. :D

  2. thank you jason , ssh will completed within 2 days , i think my next post (port forwarding)