These are my notes from setting up ssh for home laptop-to-laptop use.
My ssh server machine (the one I want to ssh into)
is running Ubuntu 22.04 and my ssh client (the one I want to ssh from)
is running macOS Sonoma 14.6. "You" in these notes is future me, after I've
forgotten everything I learned here. But I hope you find useful things here too.

Ultimately I want to be able to set up some
home servers for wireless devices and robotics experiments, but that's still
a ways off.

Is ssh on my machine? How about sshd?

Test whether you have the capability to open a secure shell with
an ssh-capable machine.

file /etc/ssh/ssh_config

If ssh is installed you'll get /etc/ssh/ssh_config: ASCII text

If you get No such file or directory you'll need to install it.

The process is similar for checking whether you have the capability to
be an ssh server (a.k.a. host an ssh connection, run ssh daemon).

file /etc/ssh/sshd_config

Install ssh and sshd on Ubuntu

To add the OpenSSH client (ssh) and server (sshd) to an Ubuntu system

sudo apt install openssh-client
sudo apt install openssh-server

Start up sshd on the ssh server Linux machine

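On Ubuntu the systemd unit is named ssh (sshd is only an alias for it), so enable it under that name.

sudo systemctl enable --now ssh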

Configure ssh

All the configuration is done by modifying /etc/ssh/sshd_config.

Before you start making changes, it's helpful to make a copy of the original file.
That way when you make a misstep, you always have a reset button available.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

After you make changes, first run

sudo sshd -T -f /etc/ssh/sshd_config

to run an extended test (-T) on the config file (-f).

(Re)start sshd

Every time you make a change to config, a restart is necessary before it takes effect.

sudo systemctl restart sshd

Security measures

There are a few things you can do to make your setup more secure against
anyone who might want to come and mess around where they're not wanted.

  1. Use an ssh key instead of the server account password.

  2. Use a passphrase with your ssh key.

  3. Use a port other than 22.

  4. Use an allow list.

  5. Don't allow root login.

  6. Enable verbose logging, so you can check on anything hinky.

  7. Periodically update sshd.

1. Use ssh keys

and

2. Use a passphrase

If you don't already have a key on the client machine

ssh-keygen -t rsa -b 4096

This creates a 4096-bit RSA public/private key pair.

During the process you will be prompted for a passphrase. Choose one.

By default, the public key is saved in the file ~/.ssh/id_rsa.pub,
while ~/.ssh/id_rsa is the private key. It's OK to choose a different name.
It's OK to have as many RSA keys as you want.
Now copy the public key file (like id_rsa.pub) to the remote host and append it
to ~/.ssh/authorized_keys by running

ssh-copy-id -i <$PUBLIC_KEY_PATH> <$USERNAME_ON_HOST>@<$HOST_IP>

for example

ssh-copy-id -i ~/.ssh/id_rsa.pub brohrer@192.168.1.10

To enforce the use of ssh keys all the time, turn off password login on the server.

In /etc/ssh/sshd_config:

PasswordAuthentication no

3. Choose a non-typical port

By default and historical convention, ssh operates on port 22.
If you want to make your ssh setup slightly harder to find, you can operate
on a different port, say 43689 or any randomly generated port.

In /etc/ssh/sshd_config uncomment the line that reads

#Port 22

Modify it thus

Port 43689

4. Use an allow list

Explicitly list the IP addresses that may be connecting. In /etc/ssh/sshd_config,
uncomment and modify the ListenAddress lines to read something like:

ListenAddress 0.0.0.0
ListenAddress 192.168.1.10
ListenAddress 192.168.1.11

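depending on the IP addresses in your network. Note that if your devices
have dynamically-allocated addresses (DHCP), you'll need to go into their wireless
settings and change them to have a consistent IP address.

Keep in mind that ListenAddress names the server's own addresses that sshd
accepts connections on, and 0.0.0.0 stands for all of its IPv4 addresses, so
these lines by themselves don't filter on where a client is connecting from.
Filtering on the client's address is the job of the AllowUsers directive with
user@host patterns, or of a firewall rule.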

5. Disallow root login

This is to protect you from ssh'ing in as root@192.... and wreaking all kinds of
havoc on your own ssh server. You can still sudo and do what needs doing.
It's just good hygiene.

PermitRootLogin no

6. Enable a verbose logging level

LogLevel INFO

To inspect the logs at any time

cat /var/log/auth.log

7. Keep it updated

sudo apt update
sudo apt install openssh-server
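
One way to check the finished setup against the checklist above, as an added example that is not part of the original notes. The audit_sshd function and both sample inputs are constructed for illustration, and accepting VERBOSE as well as INFO for LogLevel is an assumption.

```shell
#!/bin/sh
# Added example, not from the original notes. Reads "keyword value" lines in
# the format sshd -T prints, on stdin. On the server: sudo sshd -T | audit_sshd
audit_sshd() {
    awk '
    { key = tolower($1); val = tolower($2) }
    key == "passwordauthentication" { pw = val }
    key == "permitrootlogin"        { root = val }
    key == "loglevel"               { log_level = val }
    key == "port" && val == "22"    { port22 = 1 }
    # Listen addresses print as addr:port. 0.0.0.0 and [::] mean every
    # interface: a bind setting, not a list of permitted clients.
    key == "listenaddress" && val ~ /^(0\.0\.0\.0|\[::\]):/ { wildcard = 1 }
    END {
        if (pw != "no")   { print "FAIL PasswordAuthentication=" pw; bad++ }
        if (root != "no") { print "FAIL PermitRootLogin=" root; bad++ }
        # Assumption: VERBOSE is accepted as well as the INFO used in the notes.
        if (log_level !~ /^(info|verbose)$/) { print "FAIL LogLevel=" log_level; bad++ }
        if (port22)   print "WARN listening on default port 22"
        if (wildcard) print "WARN ListenAddress covers every interface"
        if (!bad)     print "OK required settings present"
        exit (bad > 0)
    }'
}

# Constructed sample: stock-style settings.
sample_stock() {
    cat <<'EOF'
port 22
listenaddress 0.0.0.0:22
listenaddress [::]:22
permitrootlogin prohibit-password
passwordauthentication yes
loglevel INFO
EOF
}

# Constructed sample: the settings these notes arrive at.
sample_hardened() {
    cat <<'EOF'
port 43689
listenaddress 192.168.1.10:43689
permitrootlogin no
passwordauthentication no
loglevel INFO
EOF
}

sample_stock | audit_sshd || echo "stock sample needs changes"
sample_hardened | audit_sshd
```

The function exits non-zero when a required setting is missing, so it can also gate a restart of the service after an edit.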
