How to Set Up an SSH Server on Arch Linux

This article provides a step-by-step guide on how to set up an SSH server on Arch Linux.

Secure Shell (SSH) is an essential tool for remotely managing servers and transferring files securely across the network. Setting up an SSH server on Arch Linux allows you to remotely access your machine from anywhere with encryption, authentication, and flexibility.

This guide walks you through every step needed to configure a fully functional SSH server on Arch Linux, including installation, configuration, firewall setup, and security best practices.


Why Use SSH?

Before diving into the setup process, it’s worth understanding why SSH is so widely used:

  • Encrypted communication: All data is encrypted during transfer.
  • Remote access: You can control your system from another device or location.
  • File transfers: Securely transfer files using scp, sftp, or SSHFS.
  • Tunneling and forwarding: Port forwarding and tunneling through SSH can enhance security or bypass firewalls.
  • Key-based authentication: More secure than traditional passwords.

Prerequisites

Before starting, make sure:

  • You have an Arch Linux system up and running.
  • You have sudo or root privileges.
  • Your system has access to the internet (for package installation).

Step 1: Install OpenSSH

Arch Linux doesn’t come with an SSH server installed by default. The most common implementation is OpenSSH, which includes both client and server utilities.

Install the package

sudo pacman -S openssh

This installs the following key components:

  • sshd (SSH Daemon): The actual SSH server.
  • ssh: The SSH client for connecting to other machines.
  • scp, sftp: Tools for secure file transfer.

Step 2: Enable and Start the SSH Daemon

Once installed, you’ll need to start the SSH server and optionally enable it to launch at boot.

Start sshd immediately

sudo systemctl start sshd

Enable sshd to start on boot

sudo systemctl enable sshd

Check the status

sudo systemctl status sshd

You should see output indicating that the SSH daemon is active and running.


Step 3: Configure the SSH Server

The default SSH server configuration file is located at:

/etc/ssh/sshd_config

Before modifying it, it’s a good idea to back up the original configuration:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Edit the file using your preferred text editor:

sudo nano /etc/ssh/sshd_config

Here are some options worth modifying:

1. Change the default port (for basic security through obscurity)

Port 2222

2. Disable root login

PermitRootLogin no

3. Allow only specific users

AllowUsers your_username

4. Disable password authentication (after setting up keys)

PasswordAuthentication no

5. Limit authentication attempts

MaxAuthTries 3

After editing, save the file and restart the SSH daemon:

sudo systemctl restart sshd
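
Before restarting, `sudo sshd -t` checks the edited file for syntax errors. The script below is an added example (not part of the original article) that also checks the effective values of the directives above. The function names `sshd_effective` and `audit_sshd` and the sample config are constructed for illustration, and it assumes whitespace-separated `keyword value` lines.

```shell
#!/bin/sh
# Added example: audit the Step 3 hardening directives. FILE is an
# sshd_config, or saved `sshd -T` output (which also resolves Include files).

# Print the effective global value of KEYWORD. sshd keeps the FIRST value
# it reads for a keyword, and keyword names are case-insensitive.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/             { next }  # comment lines
        tolower($1) == "match" { exit }  # Match blocks apply conditionally
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Print one line per finding; the return status is the number of findings.
# An absent keyword falls back to the OpenSSH default shown after ":-".
audit_sshd() {  # usage: audit_sshd FILE
    n=0
    v=$(sshd_effective "$1" PermitRootLogin); v=${v:-prohibit-password}
    [ "$v" = no ] || { echo "PermitRootLogin is '$v', want 'no'"; n=$((n + 1)); }
    v=$(sshd_effective "$1" PasswordAuthentication); v=${v:-yes}
    [ "$v" = no ] || { echo "PasswordAuthentication is '$v', want 'no'"; n=$((n + 1)); }
    v=$(sshd_effective "$1" MaxAuthTries); v=${v:-6}
    [ "$v" -le 3 ] 2>/dev/null || { echo "MaxAuthTries is '$v', want 3 or less"; n=$((n + 1)); }
    v=$(sshd_effective "$1" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers is not set"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: the second PasswordAuthentication line is ignored
# (first value wins), and the PermitRootLogin inside Match is not global.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PasswordAuthentication no
PasswordAuthentication yes
MaxAuthTries 3
Match User backup
    PermitRootLogin no
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a live server, save the resolved configuration with `sudo sshd -T` and pass that file to `audit_sshd`, keeping your current session open until a new login succeeds.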

Step 4: Configure the Firewall (if enabled)

If you’re using ufw or iptables, you’ll need to allow SSH traffic.

Using ufw

sudo pacman -S ufw
sudo ufw allow 22/tcp
sudo ufw enable

Or if you changed the port:

sudo ufw allow 2222/tcp

Using iptables (example)

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Rules added with iptables -A are lost on reboot, so make sure to save your iptables rules if using them.


Step 5: Test the SSH Connection

From a remote client, use the following command:

ssh username@your_server_ip

Or if you changed the port:

ssh -p 2222 username@your_server_ip

If all goes well, you’ll be prompted for a password (unless using key authentication), and then logged into your Arch Linux machine.


Step 6: Set Up SSH Key Authentication

Using SSH keys is more secure than passwords and allows automated logins for scripts.

On the client (your local machine)

Generate a key pair if you don’t have one:

ssh-keygen -t ed25519 -C "your_email@example.com"

This creates:

  • Private key: ~/.ssh/id_ed25519
  • Public key: ~/.ssh/id_ed25519.pub

Copy the public key to the server

ssh-copy-id username@your_server_ip

Alternatively, manually copy the contents of id_ed25519.pub into the server’s:

~/.ssh/authorized_keys

Make sure the permissions are correct:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Now, you can log in without entering a password:

ssh username@your_server_ip

Step 7: Harden Your SSH Server

After setting up a basic SSH server, it’s important to improve its security:

1. Use a non-default port

As shown earlier, changing the port from 22 to something like 2222 can reduce scanning noise.

2. Disable password login

Once key-based auth is working:

PasswordAuthentication no

Then restart the SSH daemon.

3. Use a firewall to allow only specific IP addresses

If you always connect from a known IP range:

sudo ufw allow from 203.0.113.0/24 to any port 2222

4. Install Fail2Ban (not available in official repos, use AUR)

Fail2Ban can block brute force attempts:

yay -S fail2ban
sudo systemctl enable --now fail2ban

You can then configure it to watch /var/log/auth.log or the systemd journal.
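
A minimal jail for the setup in this guide, as an added example that is not part of the original article: it reads sshd failures from the systemd journal and bans on the custom port. The retry count and time windows are constructed values chosen for illustration.

```ini
# /etc/fail2ban/jail.local  (constructed example values)
[sshd]
enabled  = true
# Read sshd messages from the systemd journal instead of a log file
backend  = systemd
# Must match the Port set in /etc/ssh/sshd_config
port     = 2222
# Ban for 1 hour after 3 failures within 10 minutes
maxretry = 3
findtime = 10m
bantime  = 1h
```

After restarting fail2ban, `sudo fail2ban-client status sshd` shows the jail and any banned addresses.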


Step 8: Troubleshooting

If something doesn’t work, here are some common things to check:

Check SSH daemon status

sudo systemctl status sshd

Check logs

sudo journalctl -xeu sshd

Use verbose output on the client

ssh -vvv username@your_server_ip

This will help pinpoint connection problems.


Bonus: SSH Quality-of-Life Tips

Use SSH config file on client

You can simplify connection commands by editing:

~/.ssh/config

Example:

Host myserver
    HostName 192.0.2.5
    User archuser
    Port 2222
    IdentityFile ~/.ssh/id_ed25519

Now, just run:

ssh myserver

Mount remote filesystems using SSHFS

sudo pacman -S sshfs
mkdir ~/remote
sshfs user@your_server_ip:/home/user ~/remote

Conclusion

Setting up an SSH server on Arch Linux is relatively straightforward with OpenSSH, but there are many layers you can configure to enhance security, usability, and maintainability. By following the steps in this guide, you’ve learned how to install the server, enable it, configure secure authentication methods, and protect your system against unauthorized access.

SSH is not just a remote access tool—it’s a foundational piece of modern Linux system administration. Once configured properly, it offers a robust and secure way to manage your Arch Linux system remotely and efficiently.


If you’re managing multiple systems or deploying automation tools like Ansible, Puppet, or rsync, having SSH properly configured is essential. The more you customize it to your environment, the more power and control it gives you—without sacrificing security.