
Solaris · Lesson 8

SSH

Secure remote login with SSH on Solaris: key-based authentication setup, troubleshooting SSH connectivity, and production security hardening.

Why SSH is critical for administrators

Secure Shell (SSH) is the default way to manage Solaris and most Unix-like systems remotely. If SSH is down or misconfigured, you may lose remote access to servers completely, so it is important to understand both the SSH client and the SSH daemon (sshd).

In this lesson we focus on checking the SSH service status, making basic connections, setting up key-based authentication and doing simple, safe sshd configuration changes.

SSH concepts you should know

SSH client

The ssh command on Solaris lets you connect securely to remote servers using username/password or keys.

SSH daemon (sshd)

The sshd service listens on port 22 by default and accepts incoming connections. On Solaris 11, it is managed via SMF.

Key-based authentication

SSH keys allow you to log in without typing passwords, and are safer when used correctly with restricted permissions.

Step-by-step SSH command flows

Use these examples in your Solaris lab: one system acting as the client and another (or the same VM) acting as the SSH server.

1. Check if SSH service is running

On Solaris 11, the SSH daemon (sshd) is managed by SMF. Use svcs to verify its state.

[root@solaris ~]# svcs -a | grep ssh
online 10:20:31 svc:/network/ssh:default
 
[root@solaris ~]# svcs svc:/network/ssh:default
STATE STIME FMRI
online 10:20:31 svc:/network/ssh:default

2. Connect to a remote server using SSH

Use the ssh client to log in to another system. Here we connect as user 'oracle' to host dbserver.

[root@solaris ~]# ssh oracle@dbserver
The authenticity of host 'dbserver (192.168.1.20)' can't be established.
RSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dbserver,192.168.1.20' (RSA) to the list of known hosts.
oracle@dbserver's password: ********
 
[oracle@dbserver ~]$ hostname
dbserver
 
[oracle@dbserver ~]$ exit
logout
Connection to dbserver closed.
 
[root@solaris ~]#

3. Generate an SSH key pair for passwordless login

Create a key pair for your Solaris user and copy the public key to a remote server.

[root@solaris ~]# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
 
[root@solaris ~]# ssh-copy-id oracle@dbserver
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
oracle@dbserver's password: ********
Number of key(s) added: 1
 
Now try logging into the machine, with: "ssh 'oracle@dbserver'"

4. Test key-based login (no password prompt)

After copying the key, SSH should authenticate using the private key automatically.

[root@solaris ~]# ssh oracle@dbserver
Last login: Wed Jan 11 11:45:12 2025 from solaris-lab
 
[oracle@dbserver ~]$ whoami
oracle
 
[oracle@dbserver ~]$ exit
logout
Connection to dbserver closed.
 
[root@solaris ~]#

5. View and adjust SSH daemon configuration

Always make a backup before editing sshd_config, then use vi to make small, controlled changes.

[root@solaris ~]# cd /etc/ssh
[root@solaris /etc/ssh]# cp sshd_config sshd_config.bak
 
[root@solaris /etc/ssh]# vi sshd_config
 
# (inside vi)
# Example changes:
# - Disable direct root login over SSH (keys and passwords alike):
# PermitRootLogin no
#
# - Ensure protocol v2:
# Protocol 2
 
:wq # save and exit
 
[root@solaris /etc/ssh]# diff sshd_config.bak sshd_config
< PermitRootLogin yes
> PermitRootLogin no
 
[root@solaris /etc/ssh]# svcadm restart ssh

Security best practices for SSH on Solaris

Hardening sshd

  • Disable direct root login where possible (PermitRootLogin no).
  • Prefer key-based authentication instead of password-only logins.
  • Restrict which users or groups can log in using AllowUsers / AllowGroups.
  • Monitor auth logs (/var/adm/messages or equivalent) for repeated failed attempts.
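
One way to check an sshd_config against the hardening points above and the edits from step 5, as an added example that is not part of the original lesson. The function name audit_sshd_config and the sample input are constructed here, and the script assumes the plain "Keyword value" form.

```shell
#!/bin/sh
# Added example (not from the lesson): audit the global section of an
# sshd_config against the hardening points listed above.
# sshd uses the first value it reads for a keyword and matches keywords
# case-insensitively; lines after a "Match" keyword are conditional and
# are skipped here. Assumes the plain "Keyword value" form.

audit_sshd_config() {    # $1 = config path; no argument or "-" reads stdin
    awk '
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                     # stop at conditional blocks
        !(key in val)  { val[key] = tolower($2) }   # first occurrence wins
        END {
            n = 0
            if (!("permitrootlogin" in val))
                msg[++n] = "PermitRootLogin not set explicitly"
            else if (val["permitrootlogin"] != "no")
                msg[++n] = "PermitRootLogin is " val["permitrootlogin"] ", expected no"
            if (val["passwordauthentication"] != "no")
                msg[++n] = "PasswordAuthentication not set to no"
            if (!("allowusers" in val) && !("allowgroups" in val))
                msg[++n] = "no AllowUsers/AllowGroups restriction"
            if (("protocol" in val) && val["protocol"] != "2")
                msg[++n] = "Protocol is " val["protocol"] ", expected 2"
            for (i = 1; i <= n; i++) print "WARN: " msg[i]
            exit (n > 0)                            # non-zero status if findings
        }
    ' "${1:--}"
}

# Constructed sample resembling the pre-change file from step 5.
audit_sshd_config <<'EOF' || echo "review the findings above before restarting ssh"
# constructed sample, not a real server config
PermitRootLogin yes
Protocol 2
EOF
```

On Solaris, /usr/lib/ssh/sshd -t checks the edited file for syntax errors before svcadm restart ssh. Keep the current session open until a fresh login succeeds.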

Key hygiene and access control

  • Protect your private key with a passphrase and correct permissions (~/.ssh should be 700, private key 600).
  • Remove unused keys from authorized_keys when users leave or roles change.
  • Avoid copying private keys between machines; generate them where they are needed.
  • Use separate key pairs for different environments (lab, test, production).
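
A check for the permissions named above, plus an inventory of authorized_keys entries to review when users leave, as an added example that is not part of the original lesson. The function names and the demo data are constructed here; no real keys are involved.

```shell
#!/bin/sh
# Added example (not from the lesson): check the permissions named above and
# list authorized_keys entries for review. Function names are illustrative.

mode_of() { ls -ld "$1" | cut -c1-10; }    # e.g. drwx------ (ACL marker dropped)

check_ssh_perms() {      # $1 = a .ssh directory; prints findings, returns 1 if any
    dir=$1; bad=0
    [ "$(mode_of "$dir")" = "drwx------" ] || { echo "WARN: $dir should be mode 700"; bad=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Private keys are recognised by their first line, not by file name.
        head -n 1 "$f" | grep 'PRIVATE KEY-----' >/dev/null || continue
        case "$(mode_of "$f")" in
            -r[w-]-------) ;;              # 600 or 400: owner only
            *) echo "WARN: $f should be mode 600"; bad=1 ;;
        esac
    done
    return $bad
}

list_authorized_keys() { # $1 = authorized_keys file; prints "line type comment"
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-)/) {    # key type follows any options
                    print NR, $i, (i + 2 <= NF ? $(i + 2) : "(no comment)")
                    next
                }
            print NR, "UNPARSED", "-"
        }
    ' "$1"
}

# Constructed demo data in a temporary directory.
demo=$(mktemp -d) && chmod 755 "$demo"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo/id_rsa"; chmod 644 "$demo/id_rsa"
printf '%s\n' 'ssh-rsa AAAAconstructed alice@laptop' \
    'from="192.168.1.10" ssh-ed25519 AAAAconstructed' > "$demo/authorized_keys"
check_ssh_perms "$demo" || true
list_authorized_keys "$demo/authorized_keys"
rm -rf "$demo"
```

Entries that print "(no comment)" cannot be tied to an owner from the file alone, which makes them the first candidates to trace or remove.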

Hands-on practice – build your SSH workflow

  • From your Solaris lab VM, connect to another VM or a test server using password-based SSH.
  • Generate an SSH key pair and configure passwordless login to the same server.
  • Take a backup of sshd_config, make one small hardening change, restart ssh and verify that access still works.
  • Document your final SSH setup so you can reuse it on future servers.

In the next lessons, SSH will be your main entry point for working with processes, services, ZFS and other Solaris features.