Master SSH: Essential Tips, Troubleshooting, and Security Hardening

This comprehensive guide covers SSH installation, banner customization, password‑less login setup, common error resolutions, timeout handling, port changes, access restrictions, and security hardening techniques for Linux system administrators.

MaGe Linux Operations

For Linux operations engineers, managing servers remotely over SSH is routine, and a strict SSH configuration is crucial for server security. This article compiles practical SSH experience and solutions.

1. Install SSH

yum install -y openssh-server openssh-clients

2. Fix "Read from socket failed: Connection reset by peer"

# yum remove openssh*
# rm -rf /etc/ssh*   # also deletes sshd_config and the host keys
# yum install -y openssh*
# systemctl start sshd.service

3. Display login banner

The banner is defined in the target machine’s /etc/motd file or via the Banner directive in /etc/ssh/sshd_config.

# cat /etc/motd
===================================
|||||||||||||||||||||||||||||||||||
===================================
HOSTNAME: monit-server
IPADDRESS: 192.168.1.15
===================================
IDC Monitoring Server
===================================

4. Password‑less login with ssh-keygen and ssh-copy-id

# ssh-keygen -t rsa   # accept defaults
# ssh-copy-id -i /root/.ssh/id_rsa.pub user@ip

5. Script error: "Pseudo‑terminal will not be allocated because stdin is not a terminal"

Add -t -t to force pseudo‑terminal allocation.

#!/bin/bash
ssh [email protected] "ssh -t -t -p25791 [email protected]"

6. Slow login

Disable DNS lookup and GSSAPI authentication in /etc/ssh/sshd_config:

UseDNS no
GSSAPIAuthentication no

7. Permission denied (publickey,gssapi‑with‑mic)

Adjust /etc/ssh/sshd_config:

PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes

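Then restart the SSH service. These settings allow root and password logins; section 17 switches password login back off once key-based login is working.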

8. Connection error: address maps to localhost – possible break‑in attempt

Modify the client config /etc/ssh/ssh_config:

GSSAPIAuthentication no

9. SCP/rsync not found

yum install openssh-clients
yum install rsync

10. X11 forwarding rejected

X11Forwarding yes

11. Session timeout prevention

Server side:

ClientAliveInterval 120
ClientAliveCountMax 3

Client side (~/.ssh/config or /etc/ssh/ssh_config):

ServerAliveInterval 300

Or set shell variable:

echo "export TMOUT=1000000" >> /root/.bash_profile
source /root/.bash_profile

12. Disable empty‑password login

PermitEmptyPasswords no

13. Change default SSH port

# /etc/ssh/sshd_config
Port 2222

Remember to adjust the firewall and SELinux accordingly.

14. Restrict login by IP, users, or groups

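# /etc/hosts.allow (read only if sshd is built with TCP Wrappers support, which upstream OpenSSH removed in 6.7)
sshd:192.168.1.*,124.65.197.154:allow
sshd:all:deny

# /etc/ssh/sshd_config
# Processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups;
# when both Allow lists are set, a user must match both.
AllowUsers wangshibo guohuihui liuxing
DenyUsers zhangda liqin
AllowGroups wheel ops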

Or use PAM rules:

# /etc/pam.d/sshd
auth required pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=fail

15. Disable host‑key checking

StrictHostKeyChecking no
UserKnownHostsFile /dev/null

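Or use the command line option -oStrictHostKeyChecking=no. Either form makes the client accept any host key without verification, so a changed or spoofed key goes unnoticed.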

16. Ansible host‑key checking

# /etc/ansible/ansible.cfg
[defaults]
host_key_checking = False

17. Enforce key‑only login

# ssh-keygen -t rsa
# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

# /etc/ssh/sshd_config
PasswordAuthentication no
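
The login settings from sections 7, 12 and 17 can be checked in one pass. The script below is an added example, not part of the original article: it reports whether the global part of an sshd_config leaves root, password or empty-password logins open. The function names audit_sshd_config and sample_config and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and anything after a "Match" line is conditional, so only
# the global part of the file is examined. Function names are hypothetical.
audit_sshd_config() {
    awk '
        BEGIN {
            # keyword -> value that leaves the login path open (sections 7, 12, 17)
            weak["permitrootlogin"] = "yes"
            weak["passwordauthentication"] = "yes"
            weak["permitemptypasswords"] = "yes"
            n = split("permitrootlogin passwordauthentication permitemptypasswords", order, " ")
        }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "match" { exit }                 # conditional blocks start here
        !(key in seen) { seen[key] = val }      # first occurrence wins
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen))            printf "UNSET %s\n", k
                else if (seen[k] == weak[k]) printf "WEAK %s=%s\n", k, seen[k]
                else                         printf "OK %s=%s\n", k, seen[k]
            }
        }
    ' "$@"
}

# Constructed sample configuration (not taken from a real host).
sample_config() {
    cat <<'EOF'
# sample sshd_config
Port 2222
PermitRootLogin yes
passwordauthentication no
PasswordAuthentication yes
Match User deploy
    PermitEmptyPasswords yes
EOF
}

sample_config | audit_sshd_config
```

UNSET means the compiled-in default applies; on a live host, sshd -T prints the effective values.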

18. SSH service start errors due to unsupported GSSAPI options

Comment out the GSSAPIAuthentication yes and GSSAPICleanupCredentials yes lines in /etc/ssh/sshd_config (so they read #GSSAPIAuthentication yes and #GSSAPICleanupCredentials yes), then restart.

19. Connection timeout settings

# ssh -o ConnectTimeout=5 -p22 root@host

Or set ClientAliveInterval and ClientAliveCountMax on the server.

20. Public key not working

Ensure correct permissions:

chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys
chmod 700 /home/username

After fixing permissions, password‑less SSH works as expected.
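
The permission requirement in section 20 can be verified before touching anything. The script below is an added example, not part of the original article: it checks the three paths for group or other write bits, which is what sshd's StrictModes check rejects. The function name check_key_perms is hypothetical, the demo directory is a constructed throwaway, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example, not from the original article.
# With StrictModes enabled, sshd ignores authorized_keys when the home
# directory, ~/.ssh or the key file is writable by group or others.
# Ownership is not checked here, only the write bits.
check_key_perms() {
    home=$1
    bad=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$path")        # octal mode such as 700 (GNU stat)
        # 022 masks the group-write and other-write bits
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path ($mode)"; bad=1
        else
            echo "OK $path ($mode)"
        fi
    done
    return $bad
}

# Demo on a constructed throwaway directory standing in for /home/username.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh" && : > "$demo_home/.ssh/authorized_keys"
chmod 700 "$demo_home"
chmod 775 "$demo_home/.ssh"                 # deliberately too open
chmod 600 "$demo_home/.ssh/authorized_keys"
check_key_perms "$demo_home" || echo "apply the chmod commands from section 20"
rm -rf "$demo_home"
```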

These tips collectively help Linux administrators install, configure, secure, and troubleshoot SSH connections effectively.
