Master SSH, Sudo, PAM, and System Limits on Ubuntu: A Practical Guide

This guide walks you through essential Ubuntu system administration tasks, covering SSH configuration and key management, enabling root login, using sshpass, scp and rsync for file transfer, configuring sudo privileges, mastering PAM modules, setting resource limits with ulimit, and synchronizing time with chrony.

Open Source Linux

SSH Basics and Configuration

.ssh/known_hosts stores SSH host fingerprints. The SSH daemon configuration file is /etc/ssh/sshd_config, documented in man 5 sshd_config. Change a password with echo root:1111|chpasswd and generate a 9‑character random password using openssl rand -base64 9.

# Production: consider changing the port
Port 22
ListenAddress ip
LoginGraceTime 2m
# Ubuntu defaults to disallowing root SSH login (prohibit-password)
PermitRootLogin yes
# Checks ownership and permissions of .ssh files
StrictModes yes
# Maximum authentication attempts per connection
MaxAuthTries 6
# Maximum sessions per connection
MaxSessions 10
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
GatewayPorts no
ClientAliveInterval 10
ClientAliveCountMax 3
# Set to no for faster connections
UseDNS yes
GSSAPIAuthentication yes
# Limit login users (processing order: DenyUsers, AllowUsers, DenyGroups, AllowGroups)
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2

To enable root remote SSH login on Ubuntu, edit /etc/ssh/sshd_config, comment out or replace PermitRootLogin prohibit-password with PermitRootLogin yes, then restart the service:

vim /etc/ssh/sshd_config
# In the file, set this line (uncommented):
#   PermitRootLogin yes
systemctl restart ssh    # the unit is ssh.service on Ubuntu
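
To check a server for the password-related settings shown above, the following added example (not part of the original article) reports the effective global value of three keywords, honouring sshd's rule that the first value read for a keyword wins. The function names and the sample file are made up for illustration; the script reads a single file and ignores Include files and Match overrides, so on a live host feed it the output of sshd -T instead.

```shell
#!/usr/bin/env bash
# Added example: flag risky global settings in an sshd_config-style file.
# sshd keeps the FIRST value it reads for a keyword; later duplicates are ignored.

# first_value FILE KEYWORD DEFAULT -> effective global value, lower-cased
first_value() {
  awk -v key="$2" -v def="$3" '
    /^[ \t]*(#|$)/              { next }            # comments and blank lines
                                { gsub(/=/, " ") }  # tolerate "Keyword=value"
    tolower($1) == "match"      { exit }            # global section ends at the first Match
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }                   # keyword absent: built-in default
  ' "$1"
}

# audit_sshd_config FILE -> one WEAK line per finding; exit status 1 if any
audit_sshd_config() {
  local file="$1" rc=0 v
  v=$(first_value "$file" PermitRootLogin prohibit-password)
  if [ "$v" = yes ]; then echo "WEAK PermitRootLogin=$v: root can log in with a password"; rc=1; fi
  v=$(first_value "$file" PasswordAuthentication yes)
  if [ "$v" = yes ]; then echo "WEAK PasswordAuthentication=$v: accounts are exposed to password guessing"; rc=1; fi
  v=$(first_value "$file" PermitEmptyPasswords no)
  if [ "$v" = yes ]; then echo "WEAK PermitEmptyPasswords=$v: empty passwords are accepted"; rc=1; fi
  return "$rc"
}

# Constructed sample: settings from the listing above, plus a later duplicate
# that looks like a fix but is never applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin prohibit-password
EOF
audit_sshd_config "$sample" || echo "findings in $sample"
```
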

SSH Connection Tips

SSH stores the remote host's public key and fingerprint in .ssh/known_hosts. To bypass host key checking, set StrictHostKeyChecking=no in the client config or use the command‑line option.

Automating SSH Login with sshpass

sshpass -p 123465 ssh -o StrictHostKeyChecking=no 10.1.1.1 'hostname'

Public‑Key Authentication

Generate a key pair with ssh-keygen, copy the public key to a remote host using ssh-copy-id, and optionally distribute the same key pair to multiple hosts via rsync:

ssh-keygen
ssh-copy-id user@remote_host
sshpass -p "$pass" ssh-copy-id -o StrictHostKeyChecking=no 127.0.0.1
rsync -a .ssh 10.0.0.X:/root/

File Transfer with scp

# Copy a file to a remote host
scp file.txt user@remote_host:/path/to/destination
# Copy a file from a remote host
scp user@remote_host:/path/to/file.txt /local/destination
# Copy a directory recursively
scp -r /local/directory user@remote_host:/path/to/destination
# Use a custom SSH port
scp -P 2222 file.txt user@remote_host:/path/to/destination
# Compress and limit bandwidth
scp -C -l 1000 file.txt user@remote_host:/path/to/destination

Advanced Synchronization with rsync

-a, --archive   # Archive mode, recursive, preserve attributes
-v, --verbose   # Verbose output
-r, --recursive # Recurse into directories
-u, --update    # Skip files that are newer on the receiver
-n, --dry-run   # Show what would be done without making changes
-z, --compress   # Compress file data during the transfer
-P, --partial --progress # Show progress and allow resumption
-e, --rsh=COMMAND # Specify remote shell, e.g., ssh -p 22
--delete        # Delete files on the receiver that are not on the sender
--exclude=PATTERN # Exclude files matching pattern

Configuring sudo Privileges

The sudoers file (/etc/sudoers) defines who can run what commands as which users. Example entries:

root ALL=(ALL) ALL
wang 10.0.0.1=(root) NOPASSWD: /usr/bin/mount /dev/cdrom /mnt
User_Alias Z=ZZ,LL
User_Alias D=tom
Host_Alias S=www.1.com
Runas_Alias O=root
Cmnd_Alias SY=/bin/chown,/bin/chmod
Z S=SY
Defaults:wang runas_default=tom
wang ALL=(tom,jerry) ALL
wang 192.168.1.6,192.168.1.8=(root) /usr/sbin/,!/usr/sbin/useradd
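
Several of the entries above grant more than they appear to: NOPASSWD removes the re-authentication step, a trailing slash allows every program in a directory, and sudoers(5) itself warns that subtracting commands with ! from a broad grant is generally not effective. The following added example (not from the original article; lint_sudoers and the sample file are hypothetical names) flags those three patterns in user specifications. It does not expand aliases or follow include directives.

```shell
#!/usr/bin/env bash
# Added example: flag sudoers user specifications that grant more than they appear to.

# lint_sudoers FILE -> "LINE: finding" for each risky command specification
lint_sudoers() {
  awk '
    /^[ \t]*(#|$)/                     { next }   # comments and blank lines
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }   # settings and alias definitions
    !/=/                               { next }   # not a "user host = commands" line
    {
      spec = $0
      sub(/^[^=]*=/, "", spec)                    # keep what follows "user host ="
      if (spec ~ /NOPASSWD:/) print NR ": NOPASSWD (runs without re-authentication)"
      gsub(/\([^)]*\)/, "", spec)                 # drop Runas lists such as (tom,jerry)
      gsub(/[A-Z]+:/, "", spec)                   # drop tags such as NOPASSWD:
      n = split(spec, cmd, ",")
      for (i = 1; i <= n; i++) {
        c = cmd[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
        split(c, word, /[ \t]+/); path = word[1]  # command path without its arguments
        if (path ~ /^!/)  print NR ": negated command " path " (deny-list on top of a broad grant)"
        if (path ~ /\/$/) print NR ": whole directory " path " (every program in it is allowed)"
      }
    }
  ' "$1"
}

# Constructed sample: user specifications copied from the entries above.
rules=$(mktemp)
cat > "$rules" <<'EOF'
root ALL=(ALL) ALL
wang 10.0.0.1=(root) NOPASSWD: /usr/bin/mount /dev/cdrom /mnt
wang ALL=(tom,jerry) ALL
wang 192.168.1.6,192.168.1.8=(root) /usr/sbin/,!/usr/sbin/useradd
EOF
lint_sudoers "$rules"
```
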

PAM (Pluggable Authentication Modules)

PAM modules reside in /lib64/security/ and are configured via files in /etc/pam.d/ and /etc/security/. The configuration format is:

application  type  control  module-path  arguments

Common module types:

auth: User authentication

account: Account management (e.g., lockout checks)

password: Password changes

session: Session setup and teardown

Control flags include required, sufficient, requisite, optional, and include.

Typical modules:

pam_nologin.so: Prevents non‑root users from logging in when /etc/nologin exists.

pam_limits.so: Enforces resource limits defined in /etc/security/limits.conf and /etc/security/limits.d/.

Resource Limits with limits.conf and ulimit

Example limits.conf entries:

*        soft    nofile          1024
*        hard    nofile          4096
foo      soft    nproc           50
foo      hard    nproc           100
@admin   hard    core            0
*        soft    as              500000
*        hard    as              1000000

The ulimit command can query or set these limits, e.g., ulimit -n 1024 for open files, ulimit -u 100 for max user processes, etc.

Time Synchronization with chrony

Configure /etc/chrony.conf:

server ntp.aliyun.com iburst
allow 0.0.0.0/0
local stratum 10

Check sources with chronyc sources -v or use ntpdate $ip on older systems.
