Harden SSH on AlmaLinux 9

Back up config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Key settings (/etc/ssh/sshd_config)

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy alice
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
X11...

Harden SSH on Arch Linux

Back up config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Key settings (/etc/ssh/sshd_config)

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy alice
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
X11F...

Harden SSH on Debian 12

Back up config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Key settings (/etc/ssh/sshd_config)

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy alice
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
X11Fo...

Harden SSH on Gentoo Linux

Back up config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Key settings (/etc/ssh/sshd_config)

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy alice
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
X1...

Harden SSH on NetBSD 10

Back up config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Key settings (/etc/ssh/sshd_config)

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy alice
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
X11Fo...

Harden SSH on OpenBSD 7.5

Back up config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Key settings (/etc/ssh/sshd_config)

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy alice
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
X11...

Harden SSH on RHEL 9

Back up config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Key settings (/etc/ssh/sshd_config)

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy alice
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
X11Forwa...

Harden SSH on Ubuntu 24.04

Back up config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Key settings (/etc/ssh/sshd_config)

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy alice
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
X1...

SSH Key-Based Authentication on AlmaLinux 9

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh...

SSH Key-Based Authentication on Arch Linux

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh &...

SSH Key-Based Authentication on Debian 12

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh &&...

SSH Key-Based Authentication on Gentoo Linux

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh...

SSH Key-Based Authentication on NetBSD 10

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh &&...

SSH Key-Based Authentication on OpenBSD 7.5

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh...

SSH Key-Based Authentication on RHEL 9

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh && ch...

SSH Key-Based Authentication on Ubuntu 24.04

Generate key pair (client)

ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Or manually:

cat ~/.ssh/id_ed25519.pub | ssh user@server \
    "mkdir -p ~/.ssh...

SSH Security Best Practices

At file /etc/ssh/sshd_config:

Disable Root Logins

Best: PermitRootLogin no
Good: PermitRootLogin without-password

wihout-password requires "PubkeyAuthentication yes"

Limit user Logins

AllowUsers somusername1 someusername2

Disable Protocol 1

Protocol 2

U

SSH TOTP MFA on AlmaLinux 9

Step 1 – Install PAM module

dnf install -y google-authenticator-libpam

Step 2 – Configure for each user

google-authenticator
# time-based: y, update file: y, disallow reuse: y, rate limit: y

Scan QR code with an authenticator app (Aegis, Google Authenticator, et...

SSH TOTP MFA on Arch Linux

Step 1 – Install PAM module

pacman -S --noconfirm libpam-google-authenticator

Step 2 – Configure for each user

google-authenticator
# time-based: y, update file: y, disallow reuse: y, rate limit: y

Scan QR code with an authenticator app (Aegis, Google Authenticat...

SSH TOTP MFA on Debian 12

Step 1 – Install PAM module

apt install -y libpam-google-authenticator

Step 2 – Configure for each user

google-authenticator
# time-based: y, update file: y, disallow reuse: y, rate limit: y

Scan QR code with an authenticator app (Aegis, Google Authenticator, etc....

SSH TOTP MFA on Gentoo Linux

Step 1 – Install PAM module

emerge --ask sys-auth/google-authenticator-libpam

Step 2 – Configure for each user

google-authenticator
# time-based: y, update file: y, disallow reuse: y, rate limit: y

Scan QR code with an authenticator app (Aegis, Google Authentic...

SSH TOTP MFA on NetBSD 10

Step 1 – Install PAM module

# Install google-authenticator for NetBSD 10

Step 2 – Configure for each user

google-authenticator
# time-based: y, update file: y, disallow reuse: y, rate limit: y

Scan QR code with an authenticator app (Aegis, Google Authenticator, et...

SSH TOTP MFA on OpenBSD 7.5

Step 1 – Install PAM module

# Install google-authenticator for OpenBSD 7.5

Step 2 – Configure for each user

google-authenticator
# time-based: y, update file: y, disallow reuse: y, rate limit: y

Scan QR code with an authenticator app (Aegis, Google Authenticator...

SSH TOTP MFA on RHEL 9

Step 1 – Install PAM module

dnf install -y google-authenticator-libpam

Step 2 – Configure for each user

google-authenticator
# time-based: y, update file: y, disallow reuse: y, rate limit: y

Scan QR code with an authenticator app (Aegis, Google Authenticator, etc.).