SSH Administration on Linux — Server, Keys, Hardening, SCP, SFTP & Tunneling

Posted: Sat Jun 13, 2026 1:14 pm
by Murali Krishna
A clear, practical guide to secure remote access and file transfer, with copy-ready commands (AlmaLinux 9 / RHEL 9)

─────────────────────────────────────────
What is SSH, in plain words?
SSH (Secure Shell) is an encrypted tunnel between two machines. It lets you log in to a remote server's command line, copy files, and forward network traffic — all scrambled so nobody on the network can read it. It's the standard way every Linux server is administered remotely.
─────────────────────────────────────────

1 SSH Server — getting it running

The server side is the sshd service (OpenSSH daemon). It's usually pre-installed on AlmaLinux 9.

Install, enable and check

dnf install -y openssh-server        # install if missing
systemctl enable --now sshd          # start now + at every boot
systemctl status sshd                # confirm it's running

Open the firewall (firewalld on AlmaLinux 9)

firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

Connect from another machine

ssh username@192.168.1.50            # default port 22
ssh -p 2222 username@192.168.1.50    # if you changed the port

Tip: The main config file is /etc/ssh/sshd_config. After any change, test it with "sshd -t" before restarting, so a typo doesn't lock you out.

─────────────────────────────────────────

2 Key Authentication — log in without passwords

Instead of typing a password, you use a key pair: a private key that stays secret on your machine, and a public key you place on the server. Think of it as a lock (public) and the only matching key (private). It's far more secure than a password and can't be brute-forced.

Step 1 — Generate a key pair (on your client)

ssh-keygen -t ed25519 -C "you@example.com"
# Ed25519 is modern and strong. Accept the default path, set a passphrase.

Step 2 — Copy the public key to the server

ssh-copy-id -p 22 username@192.168.1.50
# This appends your public key to the server's ~/.ssh/authorized_keys

Step 3 — Test it

ssh username@192.168.1.50            # should log in using the key, no password

WARNING: Never share or copy your PRIVATE key (the file without ".pub"). Only the .pub file goes on servers. Protect the private key with a passphrase so a stolen laptop doesn't equal a stolen server.
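Before you rely on keys alone, it is worth checking that the key files themselves are not the weak spot. The script below is an added example, not part of the original post: it walks a .ssh directory and flags the permissions that sshd (StrictModes) or the ssh client will refuse. It assumes GNU find and coreutils as shipped on AlmaLinux 9; the key files it creates are constructed placeholders, not real keys.

```shell
#!/bin/sh
# check_ssh_perms DIR: print one line per finding and return 1 if there were
# any, 0 if the directory passes the checks sshd and the ssh client apply.
# Assumes GNU find (-perm /MODE), as shipped on AlmaLinux 9.
check_ssh_perms() {
    dir=$1; bad=0
    # sshd (StrictModes yes, the default) ignores authorized_keys when the
    # directory or the file itself is group- or world-writable.
    for p in "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -maxdepth 0 -perm /022)" ]; then
            echo "BAD: $p is group/world writable"; bad=$((bad + 1))
        fi
    done
    # ssh refuses a private key readable by anyone else ("UNPROTECTED PRIVATE
    # KEY FILE"); private keys are recognised by their PEM header line.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        if head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----' &&
           [ -n "$(find "$f" -maxdepth 0 -perm /077)" ]; then
            echo "BAD: private key $f is readable by others (want 0600)"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# make_sample DIR KEYMODE DIRMODE: constructed layout with placeholder keys.
make_sample() {
    mkdir -p "$1"; chmod "$3" "$1"
    printf '%s\n' 'ssh-ed25519 AAAA...constructed-placeholder... you@example.com' > "$1/authorized_keys"
    chmod 644 "$1/authorized_keys"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed placeholder' '-----END OPENSSH PRIVATE KEY-----' > "$1/id_ed25519"
    chmod "$2" "$1/id_ed25519"
    cp "$1/authorized_keys" "$1/id_ed25519.pub"
}
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
make_sample "$SAMPLE/good" 600 700
make_sample "$SAMPLE/bad"  644 775     # key world-readable, dir group-writable
for d in good bad; do
    if check_ssh_perms "$SAMPLE/$d"; then echo "$d: OK"; else echo "$d: fix the lines above"; fi
done
```

On a real host run it as `check_ssh_perms ~/.ssh` on the client and on the server account you log in to.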

─────────────────────────────────────────

3 SSH Hardening — lock the front door

Once key login works, tighten the server. Edit /etc/ssh/sshd_config and set these:

Recommended settings

PermitRootLogin no              # never log in directly as root
PasswordAuthentication no       # keys only - disables password guessing
PubkeyAuthentication yes        # allow key auth
Port 2222                       # optional: move off the default 22
AllowUsers murali admin         # only these users may log in
MaxAuthTries 3                  # fewer guesses before disconnect
ClientAliveInterval 300         # probe a silent client every 5 min
ClientAliveCountMax 2           # drop it after 2 unanswered probes (10 min dead)
X11Forwarding no                # off unless you need GUI forwarding

If you change the port, tell SELinux and firewalld first

semanage port -a -t ssh_port_t -p tcp 2222     # SELinux: allow new port
# (semanage comes from the policycoreutils-python-utils package)
firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --reload

Apply changes safely

sshd -t                         # syntax-check the config FIRST
systemctl restart sshd

WARNING — don't lock yourself out: Before setting PasswordAuthentication no, make 100% sure key login already works. Keep a second SSH session open while testing, so if something breaks you still have a way back in.
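"sshd -t" only checks syntax; it will happily accept a config where a directive is still commented out or is overridden by an earlier duplicate (sshd keeps the FIRST occurrence). The audit below is an added example, not part of the original post: it reads a config the way sshd does and reports which of the section 3 settings are not actually in force. The two config files it checks are constructed samples, and the defaults it assumes for unset directives are those of OpenSSH 8.x/9.x.

```shell
#!/bin/sh
# cfg_value FILE DIRECTIVE: print the effective value of a global sshd_config
# directive. As in sshd, the FIRST occurrence wins and names are case-insensitive;
# parsing stops at the first Match block, whose settings are conditional.
cfg_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }              # comment or blank line
        tolower($1) == "match" { exit }              # end of the global section
        tolower($1) == key     { print $2; exit }    # first occurrence wins
    ' "$1"
}
# audit_sshd_config FILE: check the section 3 settings; an unset directive counts
# as its OpenSSH default (third field). Prints one WEAK line per finding, returns 0 only if clean.
audit_sshd_config() {
    file=$1; bad=0
    for rule in 'PermitRootLogin|no|prohibit-password' 'PasswordAuthentication|no|yes' \
                'PubkeyAuthentication|yes|yes' 'X11Forwarding|no|no'; do
        key=${rule%%|*}; rest=${rule#*|}; want=${rest%%|*}; dflt=${rest#*|}
        got=$(cfg_value "$file" "$key")
        if [ "${got:-$dflt}" != "$want" ]; then
            echo "WEAK: $key is '${got:-$dflt (unset, sshd default)}', want '$want'"
            bad=$((bad + 1))
        fi
    done
    tries=$(cfg_value "$file" MaxAuthTries)
    if [ "${tries:-6}" -gt 3 ]; then                 # sshd default is 6
        echo "WEAK: MaxAuthTries is ${tries:-6 (unset)}, want 3 or fewer"; bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT  # constructed samples
cat > "$WEAK_CFG" <<'EOF'
PermitRootLogin yes
# PasswordAuthentication no   <- still commented out, so the default (yes) applies
PermitRootLogin no
MaxAuthTries 6
EOF
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
Match User backup
    PasswordAuthentication yes
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$f"; then echo "$f: all section 3 settings in place"; fi
done
```

On a live server feed it the effective configuration instead of the file: `sshd -T > /tmp/sshd-effective.conf; audit_sshd_config /tmp/sshd-effective.conf` (sshd -T prints directive names in lower case, which the parser accepts).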

─────────────────────────────────────────

4 SCP — copy files quickly

SCP copies files over SSH in a single command — great for one-off transfers.

Copy TO the server (upload)

scp file.txt username@192.168.1.50:/home/username/
scp -P 2222 file.txt username@192.168.1.50:/tmp/    # note: capital -P for port

Copy FROM the server (download)

scp username@192.168.1.50:/var/log/app.log ./

Copy a whole folder

scp -r myfolder/ username@192.168.1.50:/home/username/

Tip: scp uses capital -P for the port, while ssh uses lowercase -p. Easy to mix up.

─────────────────────────────────────────

5 SFTP — interactive file transfer

SFTP is like an FTP session but fully encrypted over SSH. Good when you want to browse and move several files interactively.

Start a session and move around

sftp username@192.168.1.50

# inside the sftp prompt:
ls                 # list remote files
lls                # list LOCAL files
cd /var/www        # change remote directory
get report.pdf     # download a file
put backup.tar.gz  # upload a file
bye                # quit

Tip: Commands starting with "l" (lls, lcd) act on your LOCAL machine; the others act on the remote server.

─────────────────────────────────────────

6 SSH Tunneling — forwarding traffic securely

Tunneling wraps other network traffic inside the encrypted SSH connection. Useful for reaching services that aren't exposed to the internet.

Local forwarding — reach a remote service as if it were local

# "Make the server's database (port 3306) appear on my localhost:3306"
ssh -L 3306:localhost:3306 username@192.168.1.50
# Now connect a local tool to 127.0.0.1:3306

Remote forwarding — expose a local service to the remote side

# "Let the server reach my local app (port 8080) via its own localhost:8080"
ssh -R 8080:localhost:8080 username@192.168.1.50

Dynamic forwarding — a quick SOCKS proxy

ssh -D 1080 username@192.168.1.50
# Point your browser's SOCKS proxy at 127.0.0.1:1080 to browse via the server

Tip: Remember the directions: -L = pull a remote service toward you (Local). -R = push a local service out to the remote (Remote). -D = a flexible SOCKS proxy (Dynamic).

─────────────────────────────────────────

Quick Reference Cheat Sheet
  • Connect — ssh user@host (use -p PORT)
  • Enable server — systemctl enable --now sshd
  • Open firewall — firewall-cmd --permanent --add-service=ssh ; --reload
  • Make key — ssh-keygen -t ed25519
  • Install key — ssh-copy-id user@host
  • Test config — sshd -t
  • Harden — PermitRootLogin no ; PasswordAuthentication no
  • Change port (SELinux) — semanage port -a -t ssh_port_t -p tcp 2222
  • Upload (scp) — scp file user@host:/path/ (use -P PORT)
  • Download (scp) — scp user@host:/path/file ./
  • Interactive transfer — sftp user@host
  • Local tunnel — ssh -L 3306:localhost:3306 user@host
  • Remote tunnel — ssh -R 8080:localhost:8080 user@host
  • SOCKS proxy — ssh -D 1080 user@host
─────────────────────────────────────────

How do you harden SSH on your boxes — custom port, keys only, fail2ban, allowlists? Share your config below.