# SSH

Yunohost handles most of the SSH configuration but some manual intervention is still needed to improve security:

#### Add users
By default, only `admin` can connect and we need to manually add other users ([Tuto](https://yunohost.org/en/ssh#which-other-users-may-connect-to-the-server)):
```bash
yunohost user ssh allow <USER>
```

#### Disable password authentication
[Tuto](https://yunohost.org/en/administrate/overview/security#ssh-authentication-via-key):
```
PasswordAuthentication no
Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,fe80::/10,fd00::/8
        PermitRootLogin yes
        PasswordAuthentication yes
```

#### Change port
As the UpNP handles port forwarding, we cannot obfuscate the ssh port from the router. We need to change the server's configuration ([Tuto](https://yunohost.org/en/administrate/overview/security#modify-the-ssh-port)):
```
sudo nano /etc/ssh/sshd_config
    port <PORT>
sudo yunohost firewall allow TCP <PORT>
sudo yunohost firewall disallow TCP 22
sudo nano /etc/fail2ban/jail.d/my_ssh_port.conf
    [sshd]
        port = <your_ssh_port>

    [sshd-ddos]
        port = <your_ssh_port>

sudo yunohost firewall reload
sudo systemctl restart ssh
sudo systemctl restart fail2ban
```