
Mastering SSH, Sudo, PAM, and System Limits on Ubuntu

This guide compiles essential Ubuntu system‑administration techniques, covering SSH configuration, root remote login, key‑based authentication, automated login tools, file transfer with SCP/rsync, sudoers rules, PAM module setup, resource limits via pam_limits and ulimit, and Chrony time synchronization.

Liangxu Linux

SSH configuration and common parameters

Key locations for SSH on Ubuntu are ~/.ssh/known_hosts (the stored host fingerprints), /etc/ssh/sshd_config (the server configuration) and man 5 sshd_config (the reference for every directive). The most commonly adjusted sshd_config directives are listed below with their meaning.

Port 22                     # production may change
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes      # Ubuntu defaults to prohibit-password, which disallows root login by password
StrictModes yes           # checks ownership and permissions of .ssh files
MaxAuthTries 6            # maximum authentication attempts
MaxSessions 10            # max sessions per connection
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
GatewayPorts no
ClientAliveInterval 10   # seconds
ClientAliveCountMax 3
UseDNS yes               # set to no for faster connections
GSSAPIAuthentication yes
# Limit login users
AllowUsers user1 user2 user3
DenyUsers baduser
AllowGroups devops admins
DenyGroups guests

Enabling root remote SSH login on Ubuntu

Edit the SSH daemon configuration and restart the service:

# Edit configuration
vim /etc/ssh/sshd_config
# Comment out or remove the line "PermitRootLogin prohibit-password"
PermitRootLogin yes
# Apply changes
systemctl restart sshd
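As an added example that is not part of the original article, the following shell script reads an sshd_config-style file and reports the directives discussed above that widen the attack surface. It assumes nothing beyond a plain text file: the two sample configurations it writes are constructed here, and the parser applies the rule from sshd_config(5) that the first occurrence of a keyword wins, which is exactly why the step above says to comment out the existing PermitRootLogin line rather than append a new one.

```sh
#!/bin/sh
# Added example, not from the original article: audit an sshd_config file for
# the directives discussed above. Assumes a plain sshd_config text file; the two
# sample configurations written by sample_config are constructed.

# sshd_effective KEY FILE: print the value sshd will use for KEY.
# sshd_config(5): "the first obtained value will be used", so a duplicate of a
# keyword further down the file is ignored. Match blocks are not evaluated.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2   { next }             # comments and blank lines
        tolower($1) == "match" { exit }             # directives after Match are conditional
        tolower($1) == key     { print $2; exit }   # first occurrence wins
    ' "$2"
}

# audit_sshd_config FILE: print one finding per line; exit 0 only when there are none.
# When a keyword is absent, the OpenSSH compiled-in default is assumed.
audit_sshd_config() {
    f="$1"; n=0
    v=$(sshd_effective PermitRootLogin "$f");        [ -z "$v" ] && v=prohibit-password
    [ "$v" = yes ] && { echo "PermitRootLogin yes: root may log in with a password"; n=$((n+1)); }
    v=$(sshd_effective PasswordAuthentication "$f"); [ -z "$v" ] && v=yes
    [ "$v" = yes ] && { echo "PasswordAuthentication yes: password guessing is possible; prefer keys only"; n=$((n+1)); }
    v=$(sshd_effective PermitEmptyPasswords "$f");   [ -z "$v" ] && v=no
    [ "$v" = yes ] && { echo "PermitEmptyPasswords yes: accounts with an empty password can log in"; n=$((n+1)); }
    v=$(sshd_effective MaxAuthTries "$f");           [ -z "$v" ] && v=6
    [ "$v" -gt 6 ] && { echo "MaxAuthTries $v: more guesses per connection than the default of 6"; n=$((n+1)); }
    a=$(sshd_effective AllowUsers "$f"); g=$(sshd_effective AllowGroups "$f")
    [ -z "$a$g" ] && { echo "no AllowUsers/AllowGroups: every account may attempt to log in"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# sample_config risky|hardened: write a constructed sshd_config and print its path
sample_config() {
    t=$(mktemp)
    case "$1" in
    risky) cat >"$t" <<'EOF'
# constructed sample, modelled on the listing in the article
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 10
PermitRootLogin no        # ignored: sshd keeps the first value it saw
EOF
        ;;
    hardened) cat >"$t" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 4
AllowGroups devops admins
EOF
        ;;
    esac
    echo "$t"
}

# Demo: audit both constructed samples.
for kind in risky hardened; do
    cfg=$(sample_config "$kind")
    echo "== $kind =="
    audit_sshd_config "$cfg" || echo "-> $kind configuration needs attention"
    rm -f "$cfg"
done
```

On a live host, sshd -T prints the configuration the daemon has actually loaded (after Match processing, which this script does not evaluate) and is the authoritative thing to audit; running the functions above on a copy of /etc/ssh/sshd_config catches the same issues before the service is restarted.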

SSH key exchange and automation

Generate a key pair and distribute the public key to remote hosts. The sshpass utility can automate password entry.

# Generate key pair
ssh-keygen
# Copy public key to remote host
ssh-copy-id user@remote_host
# Automated login with sshpass
sshpass -p 123456 ssh -o StrictHostKeyChecking=no 10.1.1.1 'hostname'

For bulk deployment, copy the same key pair to multiple machines:

# Copy private key directory to another host
rsync -a .ssh 10.0.0.X:/root/

File transfer with SCP and rsync

Typical SCP commands for copying files and directories, including custom ports and compression:

# Copy a file to a remote host
scp file.txt user@remote_host:/path/to/destination
# Copy a directory recursively
scp -r /local/dir user@remote_host:/path/to/destination
# Use a non‑standard SSH port
scp -P 2222 file.txt user@remote_host:/path/to/destination
# Enable compression and limit bandwidth
scp -C -l 1000 file.txt user@remote_host:/path/to/destination

Rsync offers richer options for efficient synchronization:

# Archive mode (preserves attributes)
rsync -a source/ destination/
# Verbose output
rsync -av source/ destination/
# Recursive copy
rsync -r source/ destination/
# Update only newer files
rsync -u source/ destination/
# Dry run to preview actions
rsync -nav source/ destination/
# Enable compression
rsync -az source/ destination/
# Show progress and allow partial transfers
rsync -avP source/ destination/
# Use a specific remote shell
rsync -av -e "ssh -p 22" source/ user@remote:/destination
# Delete files on destination that are absent on source
rsync -av --delete source/ destination/
# Exclude patterns
rsync -av --exclude='*.log' source/ destination/

Sudoers configuration

The /etc/sudoers file defines which users may execute commands as other users. Example entries:

# Allow root full access
root ALL=(ALL) ALL
# Grant user wang password‑less sudo for specific commands on a host
wang 10.0.0.1=(root) NOPASSWD: /usr/bin/mount /dev/cdrom /mnt
# Define aliases
User_Alias   Z=ZZ,LL
User_Alias   D=tom
Host_Alias   S=www.1.com
Runas_Alias  O=root
Cmnd_Alias   SY=/bin/chown,/bin/chmod
Z S=SY
# Set default runas user for wang
Defaults:wang runas_default=tom

From the shell, a user runs a command as another user with the -u flag:

wang$ sudo -u jerry cmd
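The following is an added example, not from the original article: it walks a sudoers file, expands Cmnd_Alias names, and flags grants that are NOPASSWD or that cover ALL commands. The sample files it writes are constructed from the entries above; Defaults lines (including runas_default) and User_/Host_/Runas_Alias names are reported as written rather than resolved.

```sh
#!/bin/sh
# Added example, not from the original article: list what a sudoers file grants,
# with Cmnd_Alias names expanded, and flag NOPASSWD grants and grants of ALL.
# The sample files written by sample_sudoers are constructed from the entries above.

# sudoers_audit FILE: print "FLAG user host runas TAG commands" for each grant;
# exit 1 if any grant is flagged RISK. Defaults lines (so runas_default too) and
# User_/Host_/Runas_Alias names are reported as written, not resolved.
sudoers_audit() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ { next }        # comments, blank lines, option lines
    {
        eq = index($0, "=")
        if (eq == 0) next
        lhs = trim(substr($0, 1, eq - 1)); rhs = trim(substr($0, eq + 1))
        n = split(lhs, f, /[ \t]+/)
        if (f[1] == "Cmnd_Alias") { calias[f[2]] = rhs; next }   # remember command aliases
        if (f[1] ~ /_Alias$/) next                                # other alias kinds stay literal
        user = f[1]; host = (n > 1) ? f[2] : "?"
        runas = "root"                        # what sudo uses when no (runas) is written
        if (match(rhs, /^\([^)]*\)/)) {
            runas = substr(rhs, 2, RLENGTH - 2); rhs = trim(substr(rhs, RLENGTH + 1))
        }
        tag = "PASSWD"
        while (match(rhs, /^[A-Z_]+:/)) {     # NOPASSWD:, SETENV:, ... may precede the commands
            if (substr(rhs, 1, RLENGTH - 1) == "NOPASSWD") tag = "NOPASSWD"
            rhs = trim(substr(rhs, RLENGTH + 1))
        }
        m = split(rhs, c, ","); cmds = ""; all = 0
        for (i = 1; i <= m; i++) {
            x = trim(c[i]); if (x in calias) x = calias[x]      # expand Cmnd_Alias
            k = split(x, parts, ",")
            for (j = 1; j <= k; j++) if (trim(parts[j]) == "ALL") all = 1
            cmds = cmds (i > 1 ? "," : "") x
        }
        flag = (tag == "NOPASSWD" || all) ? "RISK" : "ok"
        if (flag == "RISK") risky++
        printf "%s %s %s %s %s %s\n", flag, user, host, runas, tag, cmds
    }
    END { if (risky > 0) exit 1 }
    ' "$1"
}

# sample_sudoers risky|clean: write a constructed sudoers file and print its path
sample_sudoers() {
    t=$(mktemp)
    if [ "$1" = risky ]; then
        cat >"$t" <<'EOF'
# constructed sample modelled on the entries in the article
root    ALL=(ALL) ALL
wang    10.0.0.1=(root) NOPASSWD: /usr/bin/mount /dev/cdrom /mnt
User_Alias   Z=ZZ,LL
Host_Alias   S=www.1.com
Cmnd_Alias   SY=/bin/chown,/bin/chmod
Z       S=SY
Defaults:wang runas_default=tom
EOF
    else
        cat >"$t" <<'EOF'
# constructed sample: a narrow, password-protected grant
Cmnd_Alias   SY=/bin/chown,/bin/chmod
ops     ALL=(root) SY, /usr/bin/systemctl restart nginx
EOF
    fi
    echo "$t"
}

# Demo: report both constructed files.
for kind in risky clean; do
    f=$(sample_sudoers "$kind")
    echo "== $kind =="
    sudoers_audit "$f" || echo "-> $kind file contains NOPASSWD or ALL grants"
    rm -f "$f"
done
```

visudo -c -f FILE remains the syntax check to run before a file is installed; this script answers the separate question of what the file actually grants.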

PAM modules and configuration

Pluggable Authentication Modules (PAM) are configured under /etc/pam.d/ (one file per service), with the module libraries in /lib64/security/. A PAM line follows the format:

application  type  control  module-path  arguments

The application field is only written in /etc/pam.conf; in a per-service file under /etc/pam.d/ it is implied by the file name and omitted.

Common module types:

auth : user authentication

account : account management (e.g., lock status)

password : password changes

session : actions on login/logout

Control flags determine how failures are handled:

required : the module must succeed; on failure the rest of the stack still runs, but the final result is failure

sufficient : success ends the stack with a pass, unless an earlier required module has already failed

requisite : failure aborts the stack immediately

optional : the result is ignored unless it is the only module of that type

include : include another configuration file

Typical modules:

pam_nologin.so : blocks non-root logins when /etc/nologin exists

pam_limits.so : enforces the resource limits defined in /etc/security/limits.conf and /etc/security/limits.d/
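Limits from limits.conf only take effect for services whose PAM stack actually loads pam_limits.so, and that line often arrives through an @include or include directive rather than the service file itself. The script below is an added example, not code from the article: it flattens a service's stack one include level deep and reports whether a given module is active. The PAM directory it inspects is a constructed temporary copy, so its paths and contents are assumptions; on a real host point it at /etc/pam.d.

```sh
#!/bin/sh
# Added example, not from the original article: check whether a PAM service's
# stack actually loads a module, following one level of "@include FILE" and
# "TYPE include FILE" lines. sample_pamdir builds a constructed directory in
# place of /etc/pam.d; its file contents are assumptions for the demo.

# pam_stack PAMDIR SERVICE: print the flattened, uncommented stack of SERVICE
pam_stack() {
    awk -v dir="$1" '
    function emit(file, want,    l, w) {     # copy active lines of type "want" ("" = any) from file
        while ((getline l < file) > 0) {
            if (l ~ /^[ \t]*(#|$)/) continue
            split(l, w, /[ \t]+/)
            if (want == "" || w[1] == want) print l
        }
        close(file)
    }
    /^[ \t]*(#|$)/ { next }
    $1 == "@include" { emit(dir "/" $2, ""); next }                      # Debian/Ubuntu form: all lines
    $2 == "include" || $2 == "substack" { emit(dir "/" $3, $1); next }  # Linux-PAM form: lines of this type only
    { print }
    ' "$1/$2"
}

# pam_has_module PAMDIR SERVICE TYPE MODULE: exit 0 if an active TYPE line loads MODULE
pam_has_module() {
    pam_stack "$1" "$2" | awk -v t="$3" -v m="$4" '
        $1 == t && index($0, m) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# sample_pamdir: write a constructed pam.d-style tree to a temp dir and print its path
sample_pamdir() {
    d=$(mktemp -d)
    cat >"$d/common-session" <<'EOF'
# constructed shared session stack (no pam_limits here)
session required   pam_unix.so
session optional   pam_systemd.so
EOF
    cat >"$d/sshd" <<'EOF'
# constructed: limits are loaded explicitly, then the shared stack is included
account  required   pam_nologin.so
session  required   pam_limits.so
@include common-session
EOF
    cat >"$d/cron" <<'EOF'
# constructed: only inherits the shared stack, so no pam_limits
session  include    common-session
EOF
    cat >"$d/myapp" <<'EOF'
# constructed: someone commented the limits line out
session  required   pam_unix.so
# session  required   pam_limits.so
EOF
    echo "$d"
}

# Demo: which services will honour limits.conf?
d=$(sample_pamdir)
for svc in sshd cron myapp; do
    if pam_has_module "$d" "$svc" session pam_limits.so; then
        echo "$svc: pam_limits.so active, limits.conf applies"
    else
        echo "$svc: pam_limits.so not loaded, limits.conf is ignored for this service"
    fi
done
rm -r "$d"
```

The type filter matters: a "session include common-session" line pulls in only the session lines of the included file, which is what Linux-PAM does, while @include copies every line.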

Resource limits with pam_limits and ulimit

The pam_limits.so module reads limits from /etc/security/limits.conf. Example entries:

# Limit all users to 1024 open files (soft) and 4096 (hard)
*        soft    nofile          1024
*        hard    nofile          4096
# Limit user foo to 50 processes (soft) and 100 (hard)
foo      soft    nproc           50
foo      hard    nproc           100
# Disallow core dumps for group admin
@admin   hard    core            0
# Set virtual memory limits
*        soft    as              500000
*        hard    as              1000000
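A malformed limits.conf line is simply not applied, and nothing tells the user who logs in that a limit they expected is missing. As an added example (not from the article), the script below validates the entries before they are installed: four fields, a recognised type, a known item name, a numeric or unlimited value, and no hard limit below the soft one for the same domain and item. The sample file is the listing above, with two deliberate mistakes appended for the failing case.

```sh
#!/bin/sh
# Added example, not from the original article: validate a limits.conf file
# before installing it. The sample files written by sample_limits are the
# listing above, optionally with two constructed mistakes appended.

# limits_check FILE: print one line per problem; exit 1 if any was found.
# Checks: four fields, type soft/hard/-, a known item, a numeric or unlimited
# value, and no hard limit below the soft limit of the same domain and item.
limits_check() {
    awk '
    function num(v) { return (v == "unlimited" || v == "infinity") ? 1e18 : v + 0 }
    BEGIN {
        split("core data fsize memlock nofile rss stack cpu nproc as maxlogins maxsyslogins nonewprivs priority locks sigpending msgqueue nice rtprio", it, " ")
        for (i in it) items[it[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }
    {
        bad = ""
        if (NF != 4) bad = "expected 4 fields (domain type item value), got " NF
        else if ($2 != "soft" && $2 != "hard" && $2 != "-") bad = "type must be soft, hard or -"
        else if (!($3 in items)) bad = "unknown item " $3
        else if ($4 !~ /^(-?[0-9]+|unlimited|infinity)$/) bad = "value must be a number, unlimited or infinity"
        if (bad != "") { printf "%d: %s\n", NR, bad; problems++; next }
        key = $1 SUBSEP $3                       # "-" sets both soft and hard
        if ($2 == "soft" || $2 == "-") soft[key] = $4
        if ($2 == "hard" || $2 == "-") hard[key] = $4
    }
    END {
        for (k in hard) if ((k in soft) && num(hard[k]) < num(soft[k])) {
            split(k, p, SUBSEP)
            printf "%s %s: hard %s is below soft %s\n", p[1], p[2], hard[k], soft[k]; problems++
        }
        if (problems > 0) exit 1
    }
    ' "$1"
}

# sample_limits good|bad: write a constructed limits.conf and print its path
sample_limits() {
    t=$(mktemp)
    cat >"$t" <<'EOF'
# constructed sample: the entries from the article
*        soft    nofile          1024
*        hard    nofile          4096
foo      soft    nproc           50
foo      hard    nproc           100
@admin   hard    core            0
*        soft    as              500000
*        hard    as              1000000
EOF
    if [ "$1" = bad ]; then cat >>"$t" <<'EOF'
# two deliberate mistakes: hard below soft, and a misspelled item
bar      hard    nofile          2048
bar      soft    nofile          8192
baz      soft    openfiles       1024
EOF
    fi
    echo "$t"
}

# Demo: check both constructed files.
for kind in good bad; do
    f=$(sample_limits "$kind")
    echo "== $kind =="
    limits_check "$f" && echo "-> no problems found"
    rm -f "$f"
done
```

Run it against a file in /etc/security/limits.d/ before dropping it in place; a hard limit below the soft one is the mistake that bites most often, because the soft value is what a process actually gets at login.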

Limits from limits.conf apply to PAM sessions only; systemd services take theirs from separate configuration files (/etc/systemd/system.conf, /etc/systemd/user.conf) and their .d/ drop-in directories.

The ulimit command can query or set limits for the current shell:

-H   set hard limit
-S   set soft limit
-a   show all limits
-c size   core file size (blocks)
-d size   data segment size (KB)
-f size   max file size (blocks)
-l size   locked‑in‑memory size (KB)
-m size   resident set size (KB)
-n size   max open file descriptors
-u size   max user processes
-v size   virtual memory (KB)
# Use "unlimited" for no limit

Chrony time synchronization

Chrony replaces the traditional ntpd on many modern Linux distributions. Basic configuration in /etc/chrony.conf (/etc/chrony/chrony.conf on Ubuntu):

server ntp.aliyun.com iburst   # upstream NTP server
allow 0.0.0.0/0               # allow any client to sync
local stratum 10               # serve time when offline

Check the sources and their state with:

chronyc sources -v

Older systems may still use ntpdate $ip for one-off synchronization.
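The following is an added example, not part of the original article, that turns the chronyc sources check above into something a script or monitor can act on: it parses the selected source, its reachability register and its adjusted offset, and fails when the clock cannot be trusted. The sample outputs are constructed from the documented column layout, and the source addresses are placeholders.

```sh
#!/bin/sh
# Added example, not from the original article: parse `chronyc sources` output
# and decide whether the clock is healthy. The sample outputs produced by
# sample_sources are constructed; on a live host pipe the real command in.

# chrony_check MAX_OFFSET_US: read `chronyc sources` output on stdin.
# Exit 0 when one source is selected ('*'), its reachability register is 377
# (all of the last eight polls answered) and the adjusted offset is within
# MAX_OFFSET_US microseconds; otherwise print why and exit 1.
chrony_check() {
    awk -v max="$1" '
    function to_us(v,    u, n) {                 # "+187us", "-1021ms", "+3ns", "+2s" -> microseconds
        u = v; sub(/^[-+0-9.]+/, "", u)          # the unit is whatever follows the number
        n = substr(v, 1, length(v) - length(u)) + 0
        if (u == "ns") return n / 1000
        if (u == "ms") return n * 1000
        if (u == "s")  return n * 1000000
        return n                                 # "us"
    }
    $1 ~ /^[=#^][*+x~?-]$/ {                     # source line: mode char then state char, e.g. "^*"
        if (substr($1, 2, 1) == "*") { sel = $2; reach = $5; off = $7; sub(/\[.*/, "", off) }
    }
    END {
        if (sel == "") { print "no source selected: chrony is not synchronised"; exit 1 }
        o = to_us(off); if (o < 0) o = -o
        printf "selected %s, reach %s, offset %.0fus\n", sel, reach, o
        if (reach != "377") { print "reachability " reach " != 377: recent polls went unanswered"; exit 1 }
        if (o > max) { print "offset above " max "us"; exit 1 }
        exit 0
    }'
}

# sample_sources healthy|unreachable|drifted|flaky: constructed `chronyc sources` output
sample_sources() {
    printf '%s\n' 'MS Name/IP address         Stratum Poll Reach LastRx Last sample' \
                  '==============================================================================='
    case "$1" in
    healthy)     printf '%s\n' '^* 203.0.113.10                 2   6   377    12   -123us[ -150us] +/-   15ms' \
                               '^+ 203.0.113.11                 2   6   377    14   +200us[ +210us] +/-   20ms' ;;
    unreachable) printf '%s\n' '^? 203.0.113.10                 0   6     0     -     +0ns[   +0ns] +/-    0ns' ;;
    drifted)     printf '%s\n' '^* 203.0.113.10                 2   6   377    12  +2500ms[+2501ms] +/- 5000ms' ;;
    flaky)       printf '%s\n' '^* 203.0.113.10                 2   6   177    68   -123us[ -150us] +/-   15ms' ;;
    esac
}

# Demo: evaluate each constructed case with a 1 ms tolerance.
for case in healthy unreachable drifted flaky; do
    echo "== $case =="
    sample_sources "$case" | chrony_check 1000 || echo "-> clock not trustworthy"
done
```

On a live host run chronyc sources | chrony_check 1000 (the -v legend lines do not match the source-line pattern, so either form can be piped in); chronyc tracking reports the system clock's own offset directly and is the natural second check.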

[Figure: public key exchange diagram]
[Figure: SSH key generation illustration]
Written by

Liangxu Linux

Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.