Introduction / Why This Is Needed
Manually entering IP addresses, non-standard ports, and passwords every time you connect to remote servers wastes time and increases the risk of errors. Proper configuration of the SSH client in Linux automates the process, enables cryptographic key-based authentication, and stores connection parameters in convenient aliases. After completing this guide, you will have a secure, fast, and convenient working environment for administering remote machines.
Requirements / Preparation
- Access to a terminal with standard user privileges (sudo will only be needed for package installation).
- The openssh-client package must be available in your distribution's repositories.
- Ensure the ~/.ssh directory exists and has 700 permissions. If it does not exist, create it:
mkdir -p ~/.ssh && chmod 700 ~/.ssh
Step 1: Install and Verify the Client
Most modern distributions have the OpenSSH client pre-installed. Verify this by running:
ssh -V
If the output shows an OpenSSH version (e.g., OpenSSH_9.3p1), installation is not required. For Debian/Ubuntu, install the package manually:
sudo apt update
sudo apt install openssh-client
On Fedora/RHEL, use:
sudo dnf install openssh-clients
Step 2: Generate an Access Key Pair
Key-based authentication is significantly more secure than passwords and protects against brute-force attacks. Create a modern key using the Ed25519 algorithm:
# -t specifies the key type, -C adds a comment (usually an email)
ssh-keygen -t ed25519 -C "your_email@example.com"
When prompted for a path, leave the default (~/.ssh/id_ed25519). Be sure to set a passphrase for additional protection of the private key. The generated public key (*.pub) will need to be copied to the target server's ~/.ssh/authorized_keys file.
Step 3: Create and Configure the config File
Storing connection parameters in one place is more convenient than remembering long commands. Create or open the configuration file:
touch ~/.ssh/config
chmod 600 ~/.ssh/config
nano ~/.ssh/config
Add blocks for your servers. For example:
# Alias for a production server
Host web-prod
    HostName 192.168.1.50
    User deploy
    Port 2222
    IdentityFile ~/.ssh/keys/prod_key

# Global settings for all connections. ssh uses the first value it finds for
# each option, so keep this block last to let the host blocks above override it.
Host *
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 60
    ServerAliveCountMax 3
Now a connection is made with a single short command: ssh web-prod.
Step 4: Start the SSH Agent and Add Keys
To avoid entering the passphrase for every connection, use ssh-agent, which stores decrypted keys in the memory of the current session. Start it:
eval "$(ssh-agent -s)"
Add the private key to the agent's memory:
ssh-add ~/.ssh/id_ed25519
For automatic startup at login, add the agent initialization and ssh-add lines to your ~/.bashrc or ~/.zshrc, or use built-in password stores (GNOME Keyring / KDE Wallet), which integrate with OpenSSH automatically.
Verify the Result
Ensure the connection establishes without a password prompt and correctly uses the specified parameters:
ssh -v web-prod
The -v flag enables detailed debug logging. Look for lines like Authentications that can continue: publickey and Authentication succeeded (publickey). If the connection is successful and the terminal switches to the remote shell, the setup is complete.
Potential Issues
- Permission denied (publickey): Check the permissions on the ~/.ssh directory (must be 700) and key files (must be 600). On the server, the ~/.ssh/authorized_keys file must also have 600 permissions.
- Agent admitted failure to sign using the key: The agent is not running or the key has not been added to its memory. Restart ssh-agent and run ssh-add again.
- Connection refused: Ensure the correct HostName and Port are specified in ~/.ssh/config, and the server's firewall allows incoming connections on the SSH port. Check if the sshd daemon is running on the remote machine (systemctl status sshd).
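The permission requirements listed above (700 for ~/.ssh; 600 for config, private keys and authorized_keys) can be checked in one pass. The script below is an added example, not part of the original guide; the function names are made up for illustration, and it assumes GNU stat (stat -c), as shipped on Linux.

```shell
#!/bin/sh
# Added example: audit the permissions of an SSH client directory.
# Assumption: GNU coreutils stat (supports -c '%a').

# Print a finding if the octal mode of path $1 differs from expected mode $2.
check_mode() {
    actual=$(stat -c '%a' "$1") || return 0
    [ "$actual" = "$2" ] ||
        printf 'FIX  chmod %s %s  (currently %s)\n' "$2" "$1" "$actual"
}

# List findings for an SSH directory (default: ~/.ssh), one per line.
ssh_perm_findings() {
    dir=${1:-"$HOME/.ssh"}
    if [ ! -d "$dir" ]; then
        printf 'MISSING  %s\n' "$dir"
        return 0
    fi
    check_mode "$dir" 700
    for f in "$dir/config" "$dir/authorized_keys"; do
        if [ -f "$f" ]; then
            check_mode "$f" 600
        fi
    done
    # Private keys are recognised by their PEM header rather than by name,
    # so keys kept in subdirectories such as ~/.ssh/keys/ are covered too.
    # Public keys (*.pub) are skipped: they do not need to be private.
    find "$dir" -type f ! -name '*.pub' | while IFS= read -r f; do
        if head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
            check_mode "$f" 600
        fi
    done
}

# Succeed only when there is nothing to fix.
ssh_perms_ok() {
    [ -z "$(ssh_perm_findings "$1")" ]
}
```

Source the file and run ssh_perm_findings with no argument to audit ~/.ssh; each FIX line contains the chmod command that corrects the finding.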