Articles

SSH Installation and Setup: sshd on Linux and macOS (2026)

April 6, 2026 4 min read

SSH is more than just a remote shell; it’s a cryptographic tunnel that can secure virtually any TCP/IP traffic.

Let’s see how sshd actually starts up and serves connections.

Imagine you just fired up a fresh Linux or macOS box, or maybe you’re setting up a new server. You want to connect to it from your laptop, but by default, the SSH server (sshd) might not be running or configured to listen for your incoming connections. This guide walks you through getting that sshd service up and running, so you can ditch that keyboard and monitor and work remotely.

Linux (Systemd-based distributions like Ubuntu, CentOS 7+, Fedora, Debian 8+)

Most modern Linux systems use systemd to manage services.

  1. Check if sshd is installed:

    dpkg -s openssh-server > /dev/null 2>&1 || echo "openssh-server not installed"
rpm -q openssh-server > /dev/null 2>&1 || echo "openssh-server not installed"

    If it’s not installed, use your distribution’s package manager:

    • Debian/Ubuntu: sudo apt update && sudo apt install openssh-server
    • CentOS/Fedora/RHEL: sudo yum install openssh-server or sudo dnf install openssh-server

  2. Start the sshd service:

    sudo systemctl start sshd

    This command tells systemd to initiate the SSH daemon process.

  3. Enable sshd to start on boot:

    sudo systemctl enable sshd

    This creates a symbolic link so that systemd automatically starts sshd every time the system boots up.

  4. Check the status of the sshd service:

    sudo systemctl status sshd

    Look for Active: active (running) in the output.

  5. Verify sshd is listening on the default port (22):

    sudo ss -tlpn | grep ':22'

    You should see a line like LISTEN 0 128 0.0.0.0:22 0.0.0.0:* or LISTEN 0 128 [::]:22 [::]:*, indicating sshd is bound to port 22 on all network interfaces.

  6. Configure the firewall (if necessary): If you have a firewall like ufw or firewalld running, you need to allow SSH traffic.

    • ufw (Ubuntu/Debian):
      sudo ufw allow ssh
sudo ufw enable # If not already enabled
sudo ufw status
      ufw allow ssh is a shortcut for ufw allow 22/tcp.
    • firewalld (CentOS/Fedora/RHEL):
      sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
      This permanently adds the ssh service (which defaults to port 22) to the firewall’s configuration and reloads the rules.

macOS

macOS comes with an SSH server, but it’s usually disabled by default.

  1. Enable Remote Login:

    • Go to System Settings (or System Preferences on older macOS versions).
    • Navigate to General > Sharing.
    • Toggle Remote Login on.

    This action modifies the launchd configuration for sshd and typically starts the service immediately.

  2. Verify sshd is running: You can check this from the Terminal.

    sudo launchctl list | grep sshd

    You should see an entry for com.openssh.sshd.

  3. Check if sshd is listening on port 22:

    sudo ss -tlpn | grep ':22'

    Similar to Linux, you’re looking for LISTEN on port 22.

  4. Firewall Considerations on macOS: macOS has an application-level firewall. Enabling Remote Login usually prompts you to allow incoming connections for sshd. If you’ve previously denied it, you can manage it via System Settings > Network > Firewall > Options…. Ensure sshd or "Remote Login" is set to "Allow incoming connections."

Common sshd_config Settings

The behavior of sshd is controlled by /etc/ssh/sshd_config. After making changes, you must reload or restart the service for them to take effect.

  • Reloading (preferred for config changes):
    sudo systemctl reload sshd  # Linux
sudo launchctl kickstart -k system/com.openssh.sshd # macOS (might need restart if kickstart fails)
  • Restarting (if reload doesn’t work or for service status issues):
    sudo systemctl restart sshd  # Linux
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist && sudo launchctl load /System/Library/LaunchDaemons/ssh.plist # macOS

Key sshd_config directives:

  • Port 22: The port sshd listens on. Changing this requires updating firewall rules and client connection commands.
  • ListenAddress 0.0.0.0: Binds sshd to all available network interfaces. You can specify a single IP address if you only want it to listen on a particular interface.
  • PermitRootLogin prohibit-password: Disallows direct root login with a password. This is a critical security setting. Consider prohibit-password or no if you need root access, using sudo after logging in as a regular user.
  • PasswordAuthentication yes: Allows users to log in using their system passwords. For enhanced security, consider setting this to no and using SSH key-based authentication.
  • PubkeyAuthentication yes: Enables SSH key-based authentication. This is highly recommended for security.

Troubleshooting

If you can’t connect after setting up, check:

  1. Is sshd running? (Use systemctl status sshd or launchctl list | grep sshd)
  2. Is sshd listening on the correct port? (Use ss -tlpn | grep ':22')
  3. Is the firewall blocking port 22? (Check ufw status, firewall-cmd --list-all, or macOS Sharing/Firewall settings)
  4. Are there any syntax errors in sshd_config? Run sudo sshd -t to test the configuration file.
  5. Are network routes correct? Ensure the server can be reached from your client.
  6. Check sshd logs:
    • Linux (systemd): sudo journalctl -u sshd
    • macOS: Logs are typically found in /var/log/system.log or can be viewed with log stream --predicate 'senderImagePath contains "sshd"'.

The next error you’ll hit is "Permission denied (publickey,password)."

More Deep Dives in Ssh

Want structured learning?

Take the full Ssh course →