2 Configuring OpenSSH Server
To set up the SSH server, install the openssh and openssh-server packages and enable the sshd service. Then, you can edit settings within the configuration files found in the /etc/ssh directory.
Installing OpenSSH Server and Enabling sshd
A default Oracle Linux installation includes the openssh and openssh-server packages, but the sshd service isn't enabled by default.
- If the packages aren't installed, run the following command:
  sudo dnf install openssh openssh-server
- Start the sshd service and configure it to start following a system reboot:
  sudo systemctl start sshd
  sudo systemctl enable sshd
You can set sshd configuration options for features such as Kerberos authentication, X11 forwarding, and port forwarding in the /etc/ssh/sshd_config file. For more information, see the sshd(8) and sshd_config(5) manual pages.
Working With OpenSSH Server Configuration Files
To configure specific OpenSSH settings, edit the global configuration files in the /etc/ssh directory. These files include:
- moduli
  Contains key-exchange information that's used to set up a secure connection.
- ssh_config
  Contains default client configuration settings that can be overridden by the settings in a user's ~/.ssh/config file.
- ssh_host_rsa_key
  Contains the RSA private key for SSH2.
- ssh_host_rsa_key.pub
  Contains the RSA public key for SSH2.
- sshd_config
  Contains configuration settings for the sshd service.
You can configure other files in the /etc/ssh directory. For details, see the sshd(8) manual page.
For Oracle Linux 8 or later, files saved in the /etc/ssh/sshd_config.d directory override any settings defined in the /etc/ssh/sshd_config configuration file.
For more information, see the ssh_config(5), sshd(8), and sshd_config(5) manual pages.
Restricting Access to SSH Connections
The Secure Shell (SSH) provides protected, encrypted communications with other systems. Because SSH is an entry point into the system, disable SSH if it isn't required. Optionally, you can edit the /etc/ssh/sshd_config file to restrict its use.
Important: After applying changes to the configuration file, you must restart the sshd service for the changes to take effect.
Restrict Root Access
Set PermitRootLogin to no to prohibit root from logging in with SSH. Users then log in with an unprivileged account and elevate their privileges after logging in.
PermitRootLogin no
Restrict Specific Users
You can restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers, and DenyGroups settings, for example:
DenyUsers carol dan
AllowUsers alice bob
For more information about configuring users and groups, see Oracle Linux 8: Setting Up System Users and Authentication or Oracle Linux 9: Setting Up System Users and Authentication.
Set a Timeout Period
The ClientAliveInterval and ClientAliveCountMax settings cause sshd to disconnect an SSH client automatically after a period of inactivity, for example:
# Disconnect client after 300 seconds of inactivity
ClientAliveCountMax 0
ClientAliveInterval 300
Disable Password Authentication
The PasswordAuthentication and PubkeyAuthentication settings define the authentication methods that the server accepts from users: either a password or an SSH public key. By default, OpenSSH uses passwords for authentication. However, if you have configured key-based authentication, which is more secure, you can optionally disable password authentication:
PasswordAuthentication no
PubkeyAuthentication yes
For more information, see the sshd_config(5) manual page.
Configuring the OpenSSH Server For User Access
User-specific configuration on the server side of a connection is in the $HOME/.ssh directory and contains the following files:
- authorized_keys
  Contains the authorized public keys for a user. The server uses the public keys in this file to verify a client's signature during authentication.
- environment
  Contains definitions of environment variables. This file is optional.
- rc
  Contains commands that ssh runs when a user logs in, before the user's shell or command runs. This file is optional.
For more information, see the ssh(1) and ssh_config(5) manual pages.
Restricting SSH Key Access to Specific Commands
You can add user-specific configurations on the server side of a connection by editing the $HOME/.ssh/authorized_keys file. In addition to listing the SSH keys with which a user can authenticate, you can optionally impose further restrictions on what that user can do with each of those keys.
For example, with the command option, you can specify a single command that runs for every connection made with one key; the connection ends as soon as that command exits.
command="command" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s...
By using the command option, security-conscious users can restrict the system access available to a particular key that might be used for a scripted action and which might not be passphrase protected.
You can also ensure that the key is only accepted if the inbound connection originates from the internal network by using the from option to set an authorized range of IPv4 addresses. For example, to prevent any IP addresses from outside the 192.0.2.0/24 range from connecting with an SSH key, you would append the following line to the $HOME/.ssh/authorized_keys file with the correct key value:
from="192.0.2.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s...
For more information, see the sshd(8) manual page.
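The following shell script is an added example, not code from this guide or from the OpenSSH project. It builds an authorized_keys entry that combines the command and from options described above, and then parses the options back out of such a line following the quoting rules in sshd(8): a value containing spaces or commas is double-quoted and an embedded double quote is written as \". The key blob, the command path and the comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Oracle Linux or OpenSSH code: build a restricted
# authorized_keys entry and read its options back. The key blob and the
# command are constructed placeholders.

# Emit one authorized_keys line: from="<cidr>",command="<cmd>" <type> <blob> <comment>
restricted_authkey_line() {
    cidr=$1; cmd=$2; keytype=$3; blob=$4; comment=$5
    esc_cmd=$(printf '%s' "$cmd" | sed 's/"/\\"/g')   # escape embedded double quotes
    printf 'from="%s",command="%s" %s %s %s\n' "$cidr" "$esc_cmd" "$keytype" "$blob" "$comment"
}

# Print the value of option $2 from authorized_keys line $1. Prints nothing when
# the option is absent or the line has no options field, and "(set)" for a
# flag option that carries no value. Option names are case-insensitive.
authkey_option() {
    printf '%s\n' "$1" | awk -v name="$2" '
    # a line whose first token is a key type carries no options field
    $1 ~ /^(ssh-|ecdsa-|sk-)/ { exit }
    {
        s = $0; i = 1; L = length(s)
        while (i <= L) {
            c = substr(s, i, 1)
            if (c == " " || c == "\t") break           # end of the options field
            key = ""; val = ""
            while (i <= L && (c = substr(s, i, 1)) !~ /[ \t,=]/) { key = key c; i++ }
            if (substr(s, i, 1) == "=") {
                i++
                if (substr(s, i, 1) == "\"") {          # quoted value: may hold , and spaces
                    i++
                    while (i <= L) {
                        c = substr(s, i, 1)
                        if (c == "\\" && substr(s, i + 1, 1) == "\"") { val = val "\""; i += 2; continue }
                        if (c == "\"") { i++; break }
                        val = val c; i++
                    }
                } else {                                # bare value ends at , or whitespace
                    while (i <= L && (c = substr(s, i, 1)) !~ /[ \t,]/) { val = val c; i++ }
                }
                if (tolower(key) == tolower(name)) { print val; exit }
            } else if (tolower(key) == tolower(name)) { print "(set)"; exit }
            if (substr(s, i, 1) == ",") i++
        }
    }'
}

# Constructed placeholder blob; a real entry carries the user's actual public key.
DEMO_BLOB='AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER'
line=$(restricted_authkey_line '192.0.2.0/24' '/usr/local/bin/backup --dest "/srv/backup"' \
    ssh-ed25519 "$DEMO_BLOB" backup@example.com)
echo "$line"
echo "from:    $(authkey_option "$line" from)"
echo "command: $(authkey_option "$line" command)"
```

The parser walks the options field character by character instead of splitting on commas, because a forced command may itself contain commas or spaces; sshd drops the whole key line if the option value is not quoted, which is why the page's examples need the quotes. When a forced command is in place, sshd exposes the command the client asked for in the SSH_ORIGINAL_COMMAND environment variable, so a wrapper script can log or reject unexpected requests.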
Good Practice Recommendations for Configuring OpenSSH Server
We recommend the following guidelines to secure the OpenSSH configuration against the most common remote exploits:
- Disable remote root user logins over SSH.
- After you have correctly configured key-based authentication, disable SSH password authentication.
- Consider setting a non-standard SSH port for Internet-facing systems.
For more information, see Restricting Access to SSH Connections.
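The following shell script is an added example, not code from this guide or from the OpenSSH project. It ties together the drop-in behaviour described under Working With OpenSSH Server Configuration Files, the settings from Restricting Access to SSH Connections, and the recommendations above: sshd keeps the first value it obtains for each keyword and expands an Include directive at the point where it appears, so a drop-in included at the top of sshd_config wins over a later setting in the main file. The script reproduces that resolution for a constructed configuration and audits the result. It assumes there are no Match blocks in the audited files, and it applies the OpenSSH 8.2 and later meaning of ClientAliveCountMax 0 (connection termination disabled) when it reports the effective client timeout; the temporary directory, file names and setting values it creates are constructed.

```shell
#!/bin/sh
# Added example (not Oracle Linux or OpenSSH code): resolve the value sshd will
# use for a keyword across sshd_config and its Include'd drop-ins, then audit
# the settings recommended in this chapter against a constructed configuration.
# Assumptions: no Match blocks in the audited files, and the OpenSSH 8.2+
# semantics of ClientAliveCountMax 0 (connection termination disabled).

# Flatten a config file: drop blank and comment lines, expand each Include
# directive in place (the shell expands its glob, so drop-ins come out sorted).
_sshd_flatten() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # split words without globbing
        [ $# -eq 0 ] && continue
        case $1 in '#'*) continue ;; esac
        if [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = include ]; then
            shift
            for pattern in "$@"; do
                for f in $pattern; do
                    [ -f "$f" ] && _sshd_flatten "$f"
                done
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$1"
    return 0
}

# Print the effective value of keyword $2 in config $1. Like sshd, the first
# value obtained wins; nothing is printed when the keyword is unset.
sshd_effective() {
    _sshd_flatten "$1" | awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == kw { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# Seconds before an unresponsive client is dropped (ClientAliveInterval x
# ClientAliveCountMax), or "never" when no keepalives are sent or the count is 0.
sshd_client_timeout() {
    interval=$(sshd_effective "$1" ClientAliveInterval); count=$(sshd_effective "$1" ClientAliveCountMax)
    interval=${interval:-0}; count=${count:-3}       # sshd_config(5) defaults
    if [ "$interval" -eq 0 ] || [ "$count" -eq 0 ]; then echo never; else echo $((interval * count)); fi
}

# _sshd_check CONFIG KEYWORD EXPECTED DEFAULT: compare the effective value
# (falling back to sshd's built-in default) with the recommended one.
_sshd_check() {
    v=$(sshd_effective "$1" "$2"); v=${v:-$4}
    if [ "$v" = "$3" ]; then echo "ok   $2 $v"; return 0; fi
    echo "FAIL $2 is '$v', want $3"; return 1
}

# Audit the recommendations of this chapter; returns 1 if any check fails.
sshd_audit() {
    cfg=$1; rc=0
    _sshd_check "$cfg" PermitRootLogin no prohibit-password || rc=1
    _sshd_check "$cfg" PasswordAuthentication no yes || rc=1
    _sshd_check "$cfg" PubkeyAuthentication yes yes || rc=1
    port=$(sshd_effective "$cfg" Port); port=${port:-22}
    if [ "$port" = 22 ]; then echo "WARN Port 22 (consider a non-standard port on Internet-facing hosts)"
    else echo "ok   Port $port"; fi
    echo "info unresponsive clients dropped after: $(sshd_client_timeout "$cfg")"
    return $rc
}

# Build a constructed demo configuration in a temp dir and print its main file.
# The main file carries weak settings; the drop-in, included before them, wins.
make_demo_config() {
    d=$(mktemp -d); mkdir "$d/sshd_config.d"
    printf '%s\n' "Include $d/sshd_config.d/*.conf" 'PermitRootLogin yes' \
        'PasswordAuthentication yes' 'ClientAliveInterval 300' 'ClientAliveCountMax 3' \
        > "$d/sshd_config"
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'Port 2222' \
        > "$d/sshd_config.d/50-hardening.conf"
    echo "$d/sshd_config"
}

cfg=$(make_demo_config)
sshd_audit "$cfg"
```

Run it as is to see the audit pass because the drop-in hardens the weak values of the main file; delete the drop-in and run it again to see the main file's PermitRootLogin yes and PasswordAuthentication yes reported as failures. On a real host, point sshd_audit at /etc/ssh/sshd_config after editing it and before restarting sshd.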