# SSH Server Setup

Install and configure OpenSSH servers for StormTunnel connections.

## Prerequisites

- Root or sudo access to the server
- Network access to the server
- Firewall permissions for the SSH port (default 22)

## Operating System Guides

### Ubuntu/Debian

```bash
# Install OpenSSH server
sudo apt update
sudo apt install openssh-server -y

# Verify installation
ssh -V

# Check service status
sudo systemctl status sshd
```

Basic configuration (`/etc/ssh/sshd_config`):

```
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AllowTcpForwarding yes
PermitOpen any
LogLevel INFO
MaxAuthTries 6
MaxSessions 10
ClientAliveInterval 300
ClientAliveCountMax 2
```

Apply changes:
### CentOS/RHEL

```bash
# Install OpenSSH server
sudo yum install openssh-server -y

# Or on RHEL 8/9
sudo dnf install openssh-server -y

# Start and enable
sudo systemctl start sshd
sudo systemctl enable sshd

# Allow through firewall
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
```

### macOS

macOS includes OpenSSH. Enable via:

System Settings:

- Open System Settings → General → Sharing
- Toggle Remote Login on

Command line:
## SSH Key Authentication

### Server Setup

```bash
# Create SSH user (if needed)
sudo useradd -m -s /bin/bash tunneluser
sudo passwd tunneluser

# Set up authorized_keys
sudo su - tunneluser
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
exit
```

### Add Public Keys

From client (easiest):

```bash
ssh-copy-id [email protected]
```

Manual:

Add the public key to `/home/tunneluser/.ssh/authorized_keys`:

Verify permissions:
## Port Forwarding Configuration

Edit `/etc/ssh/sshd_config`:

```
# Allow local forwarding only (recommended)
AllowTcpForwarding local
# Or allow all forwarding
AllowTcpForwarding yes

# Prevent remote binding
GatewayPorts no

# Restrict to specific ports (optional)
PermitOpen localhost:5432 localhost:3306
# Or allow all
PermitOpen any
```

Test port forwarding:

```bash
# From client
ssh -L 8080:localhost:80 [email protected]

# In another terminal
curl http://localhost:8080
```
## Security Hardening

### Production Configuration

```
# Authentication - KEY ONLY
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

# Port forwarding - RESTRICTED
AllowTcpForwarding local
GatewayPorts no
PermitOpen localhost:5432 localhost:3306 localhost:6379

# Logging - VERBOSE
LogLevel VERBOSE
SyslogFacility AUTH

# Limits
MaxAuthTries 3
MaxSessions 5
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2

# Security
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no

# Access control
AllowUsers tunneluser deployuser
```

### Disable Password Authentication

Only after verifying SSH key authentication works!

```bash
# Edit config
sudo nano /etc/ssh/sshd_config
# Set: PasswordAuthentication no

# Test and restart
sudo sshd -t
sudo systemctl restart sshd
```

**Warning:** Keep a terminal session open until you verify key-based access works!
## Logging

### Log Locations

| OS | Log File |
|---|---|
| Ubuntu/Debian | `/var/log/auth.log` |
| CentOS/RHEL | `/var/log/secure` |
| macOS | `log show --predicate 'process == "sshd"'` |

### View Logs

```bash
# Recent SSH activity
sudo tail -50 /var/log/auth.log | grep sshd

# Follow in real-time
sudo tail -f /var/log/auth.log | grep sshd

# Failed attempts
sudo grep "Failed password" /var/log/auth.log

# Successful logins
sudo grep "Accepted publickey" /var/log/auth.log
```
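As an added example (not part of the StormTunnel documentation), a small POSIX shell/awk script that turns the two grep patterns above into a per-source summary: failed password attempts counted by source address, accepted key logins listed by user, and sources that cross a failure threshold. The log lines are constructed in the Ubuntu/Debian `auth.log` format; the function names are the example's own.

```shell
# Added example: summarise sshd authentication events from auth.log-style
# lines. Every function reads log lines on stdin.
# Constructed sample in the syslog format Ubuntu/Debian write to
# /var/log/auth.log; addresses are from the RFC 5737 documentation ranges.
sample_auth_log='Mar  3 10:01:02 srv sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:05 srv sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 10:01:09 srv sshd[1203]: Failed password for root from 198.51.100.7 port 51250 ssh2
Mar  3 10:02:11 srv sshd[1210]: Accepted publickey for tunneluser from 192.0.2.10 port 40122 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT1
Mar  3 10:02:20 srv sshd[1215]: Failed password for tunneluser from 203.0.113.5 port 33010 ssh2
Mar  3 10:03:00 srv sshd[1218]: Accepted publickey for deployuser from 192.0.2.11 port 40130 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT2'
# Count "Failed password" events per source address, busiest first. The
# address is the token after "from", with or without an "invalid user" prefix.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}
# List successful key-based logins as "user source".
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted publickey for / {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { printf "%s %s\n", $(i + 1), $(i + 3); break }
         }'
}
# Sources with at least $1 failed attempts: the threshold a fail2ban jail
# acts on (fail2ban is covered under Next Steps).
failed_sources_over() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}
# Demo on the constructed sample. On a live Ubuntu/Debian host use:
#   sudo grep sshd /var/log/auth.log | failed_by_source
echo "== failed password attempts by source =="
printf '%s\n' "$sample_auth_log" | failed_by_source
echo "== accepted key logins (user source) =="
printf '%s\n' "$sample_auth_log" | accepted_logins
echo "== sources with 3 or more failures =="
printf '%s\n' "$sample_auth_log" | failed_sources_over 3
```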
## Troubleshooting

### Connection Refused

```bash
# Check if SSH is running
sudo systemctl status sshd

# Check if port is listening
sudo ss -tlnp | grep :22

# Check firewall
sudo ufw status                # Ubuntu
sudo firewall-cmd --list-all   # CentOS
```

### Permission Denied (publickey)

```bash
# Check authorized_keys permissions
ls -la ~/.ssh/

# Fix if needed
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

# Check ownership
sudo chown -R tunneluser:tunneluser /home/tunneluser/.ssh

# Test with verbose output
ssh -vvv [email protected]
```

### Port Forwarding Not Working

```bash
# Check sshd_config
sudo grep -i allowtcpforwarding /etc/ssh/sshd_config
# Should be: AllowTcpForwarding yes or local

# Check if target service is running
sudo ss -tlnp | grep 5432
```
## Configuration Examples

### Development Server

```
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AllowTcpForwarding yes
PermitOpen any
LogLevel INFO
MaxAuthTries 6
MaxSessions 10
```

### Staging Server

```
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowTcpForwarding local
PermitOpen localhost:5432 localhost:3306
LogLevel VERBOSE
MaxAuthTries 3
MaxSessions 5
AllowUsers deployuser tunneluser
```

### Production Server

```
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowTcpForwarding local
GatewayPorts no
PermitOpen localhost:5432 localhost:3306 localhost:6379
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no
LogLevel VERBOSE
MaxAuthTries 3
MaxSessions 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups sshusers
UsePAM yes
```
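An added example, not part of the StormTunnel documentation: a POSIX shell/awk check that compares an `sshd_config` against the production profile from the Security Hardening section above and reports each keyword that is missing or weaker, which is also a quick way to confirm that the Disable Password Authentication step actually took effect. It honours two sshd parsing rules that hand inspection often misses: keywords are case-insensitive, and only the first occurrence of a keyword counts. Directives after a `Match` line are conditional and are skipped. The function name and the `want` table are the example's own; the sample config at the bottom is constructed from the Development Server profile.

```shell
# Added example: audit an sshd_config read on stdin against the production
# profile on this page. One finding per line; exit status 0 means none.
audit_sshd_config() {
    awk '
    BEGIN {   # production profile from this page, keys lower-cased
        want["permitrootlogin"] = "no";        want["pubkeyauthentication"] = "yes"
        want["passwordauthentication"] = "no"; want["permitemptypasswords"] = "no"
        want["allowtcpforwarding"] = "local";  want["gatewayports"] = "no"
        want["x11forwarding"] = "no";          want["allowagentforwarding"] = "no"
        want["permittunnel"] = "no";           want["loglevel"] = "VERBOSE"
    }
    /^[ \t]*(#|$)/ { next }                               # comments and blank lines
    /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { inmatch = 1 }    # Match block: conditional
    inmatch { next }                                      # audit unconditional settings only
    {
        key = tolower($1)    # keywords are case-insensitive, values are not
        # sshd keeps the FIRST value of a keyword; later duplicates are ignored
        if ((key in want) && !(key in seen)) seen[key] = $2
    }
    END {
        for (k in want) {
            if (!(k in seen)) { printf "MISSING %s (want %s)\n", k, want[k]; n++ }
            else if (seen[k] != want[k]) { printf "WEAK %s=%s (want %s)\n", k, seen[k], want[k]; n++ }
        }
        exit n > 0 ? 1 : 0
    }'
}
# Constructed sample: the Development Server profile from this page.
sample_dev_config='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AllowTcpForwarding yes
PermitOpen any
LogLevel INFO'
# On a live host: audit_sshd_config < /etc/ssh/sshd_config
if printf '%s\n' "$sample_dev_config" | audit_sshd_config; then
    echo "matches production profile"
else
    echo "deviates from production profile (findings above)"
fi
```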
## Testing Checklist

After configuration:

- SSH service running (`sudo systemctl status sshd`)
- Firewall allows SSH
- SSH key authentication works
- Password authentication disabled (if production)
- Port forwarding works
- Logs are being written
- Configuration valid (`sudo sshd -t`)

## Next Steps

- Server Security - Hardening, 2FA, fail2ban
- Monitoring & Logging - Centralized logging, alerts
- AWS Configuration - Session Manager setup