Configuring OpenSSH Server
Install the OpenSSH server packages and tune system-wide and user-specific SSH settings.
To set up the SSH server, install the openssh and
openssh-server packages and enable the sshd service. Then,
you can edit settings within the configuration files found in the /etc/ssh
directory.
Installing OpenSSH Server and Enabling sshd
Install the OpenSSH server packages and configure the sshd service to start.
A default Oracle Linux installation includes the openssh and
openssh-server packages, but the sshd service isn't
enabled by default.
- If the packages aren't installed, run the following command:
  sudo dnf install openssh openssh-server
- Start the sshd service and configure it to start after each reboot:
  sudo systemctl start sshd
  sudo systemctl enable sshd
You can set sshd configuration options for features such as Kerberos authentication, X11 forwarding, and port forwarding in the /etc/ssh/sshd_config file. For more information, see the sshd(8) and sshd_config(5) manual pages.
Working With OpenSSH Server Configuration Files
Review key server configuration files in /etc/ssh and their purposes.
To configure specific OpenSSH settings, edit the global configuration files in the
/etc/ssh directory. Examples of files in this directory might include
the following:
- moduli stores key-exchange information used to set up secure connections.
- ssh_config provides default client configuration settings that a user's $HOME/.ssh/config file can override.
- ssh_host_ed25519_key stores the ed25519 private key for SSH2. Oracle Linux 10 generates this key by default.
- ssh_host_ed25519_key.pub stores the ed25519 public key for SSH2. Oracle Linux 10 generates this key by default.
- ssh_host_rsa_key stores the RSA private key for SSH2.
- ssh_host_rsa_key.pub stores the RSA public key for SSH2.
- sshd_config stores configuration settings for the sshd service.
Note: For Oracle Linux 8 or later, files saved in the /etc/ssh/sshd_config.d directory override any settings defined in the /etc/ssh/sshd_config configuration file.
You can configure other files in the /etc/ssh directory. For details, see the sshd(8) manual page.
For more information, see the ssh_config(5), sshd(8), and
sshd_config(5) manual pages.
Restricting Access to SSH Connections
Use configuration examples to limit SSH access, authentication, and idle sessions.
The Secure Shell (SSH) provides protected, encrypted communications with other systems. Disable SSH when you don't need remote access. Otherwise, edit the /etc/ssh/sshd_config file to restrict how clients connect.
After applying changes to the configuration file, you must restart the
sshd service for the changes to take effect.
Restrict root access. Set PermitRootLogin to no to prohibit root
from logging in with SSH. Then, elevate a user's privileges after logging in.
PermitRootLogin no
Restrict specific users. Restrict remote access to selected users and groups by
specifying the AllowUsers, AllowGroups,
DenyUsers, and DenyGroups settings, for example, add
lines similar to:
DenyUsers carol dan
AllowUsers alice bob
For more information about configuring users and groups, you can visit one of the following links:
Set a timeout period. The ClientAliveInterval and
ClientAliveCountMax settings cause an SSH client session to time out
automatically after a period of inactivity. For example, add lines similar to:
# Disconnect client after 300 seconds of inactivity
ClientAliveCountMax 0
ClientAliveInterval 300
Disable password authentication. The PasswordAuthentication and PubkeyAuthentication
settings define which authentication methods the SSH server accepts from clients: a
password or an SSH public key. If you have configured key-based authentication, which
is more secure, you can disable PasswordAuthentication by setting it to
no. To check the current PasswordAuthentication setting
on a server, run the following command:
sudo grep -R PasswordAuthentication /etc/ssh
For more information, see the sshd_config(5) manual page.
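The following audit script is an added example, not part of the Oracle documentation. It checks an sshd_config-style file for the settings recommended in this section, applying sshd's rule that the first value found for a keyword wins (which is why drop-ins included at the top of sshd_config take precedence) and stopping at the first Match block, whose values are conditional. The sample configuration file it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit an sshd_config-style file for the
# hardening settings this page recommends. First value of a keyword wins, as in
# sshd; comments are skipped; parsing stops at the first Match block.
# On a real server, prefer `sshd -T`, which prints the fully resolved config.
# effective_value FILE KEYWORD -> first value set for KEYWORD (case-insensitive)
effective_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }            # comment or blank line
        tolower($1) == "match"      { exit }            # conditional section starts
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}
# audit_sshd_config FILE -> prints one line per deviation; returns their count.
# Third column below: upstream default per sshd_config(5), used when unset.
audit_sshd_config() {
    findings=0
    while read -r key want default; do
        got="$(effective_value "$1" "$key")"
        if [ "${got:-$default}" != "$want" ]; then
            printf '%s: want %s, got %s\n' "$key" "$want" "${got:-$default}"
            findings=$((findings + 1))
        fi
    done <<'EOF'
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
PubkeyAuthentication yes yes
EOF
    # OpenSSH 8.2 and later treat ClientAliveCountMax 0 as "never disconnect",
    # so an idle timeout needs a positive interval AND a positive count.
    interval="$(effective_value "$1" ClientAliveInterval)"
    count="$(effective_value "$1" ClientAliveCountMax)"
    if [ "${interval:-0}" -eq 0 ] || [ "${count:-3}" -eq 0 ]; then
        printf 'ClientAlive*: no idle timeout (interval=%s count=%s)\n' "${interval:-0}" "${count:-3}"
        findings=$((findings + 1))
    fi
    return "$findings"
}
# Constructed sample config (not a real server's file): one weak setting,
# a commented-out line that must be ignored, a duplicate keyword, a Match block.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 3
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$SAMPLE_CONF" || echo "findings: $?"
```

Run against the sample, it reports only PasswordAuthentication, because the first of the two duplicate lines is the one sshd honours and the Match block does not change the global value.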
Configuring the OpenSSH Server for User Access
Manage user-specific SSH files in $HOME/.ssh to control access on the server.
User-specific configuration on the server side of a connection resides in the
$HOME/.ssh directory and typically includes the following files:
- authorized_keys stores the authorized public keys for a user. The server uses the public keys in this file to verify a client's signature and authenticate it.
- environment defines optional environment variables.
- rc defines optional commands that ssh runs when a user logs in, before the user's shell or command runs.
For more information, see the ssh(1) and ssh_config(5) manual pages.
Restricting SSH Key Access to Specific Commands
Constrain how individual SSH keys are used by adding options in authorized_keys.
You can add user-specific configurations on the server side of a connection by editing the
$HOME/.ssh/authorized_keys file. In addition to listing SSH keys with which
a user can authenticate, you can optionally impose further restrictions on what that user can
do with each of those keys.
For example, the command option specifies a single command to run for
all connections made with one key, after which the command ends immediately.
command=command ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s...
The command option helps security-conscious users restrict access available to a key that might be used for scripted actions and that might not be passphrase protected.
You can also ensure that the key is accepted only when the inbound connection originates from
the internal network by using the from option to set an authorized range of IPv4 addresses. For example, to prevent any IP addresses
from outside the 192.0.2.0/24 range from connecting with an SSH key, append the following line to the
$HOME/.ssh/authorized_keys file with the correct key value:
from=192.0.2.0/24 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s...
For more information, see the sshd(8) manual page.
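As an added example (not part of the Oracle documentation), the following script lists keys in an authorized_keys file that carry none of the restricting options discussed above (from=, command=, or the catch-all restrict option from sshd(8)), so an administrator can spot keys that still grant an unrestricted login. It handles the quoting rule in sshd(8), where a double-quoted option value may contain spaces and commas. The sample file and its key material are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Oracle's code): report authorized_keys entries with no
# from=, command= or restrict option. Option values may be double-quoted and
# then contain spaces and commas (e.g. command="ls -l /srv"), so the options
# field ends at the first space OUTSIDE double quotes, not at the first space.
# unrestricted_keys FILE -> prints "line N: <keytype> <comment>" per finding;
#                           returns the number of findings.
unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comment or blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^(sk-)?(ssh-|ecdsa-sha2-)/) { opts = "" }  # no options field
            else {
                inq = 0; n = length(line)
                for (i = 1; i <= n; i++) {            # find first unquoted space
                    c = substr(line, i, 1)
                    if (c == "\"") inq = !inq
                    else if (c == " " && !inq) break
                }
                opts = substr(line, 1, i - 1)
                line = substr(line, i + 1)
                gsub(/"[^"]*"/, "\"\"", opts)         # blank quoted values before matching
            }
            if (opts ~ /(^|,)(from=|command=|restrict(,|$))/) next
            nf = split(line, f, " ")
            printf "line %d: %s %s\n", NR, f[1], (nf >= 3 ? f[3] : "(no comment)")
            found++
        }
        END { exit found }
    ' "$1"
}
# Constructed sample (placeholder key material, not real keys).
SAMPLE_KEYS="$(mktemp)"
cat > "$SAMPLE_KEYS" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER backup@host
command="/usr/local/bin/backup.sh --run",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER backup@host
from="192.0.2.0/24" ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER alice@laptop
restrict,port-forwarding ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER bob@desk
no-pty,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER ci@runner
EOF
unrestricted_keys "$SAMPLE_KEYS" || echo "unrestricted keys: $?"
```

Note that no-pty and no-agent-forwarding alone do not limit where a key may be used from or what it may run, so the last sample entry is still reported.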
Good Practice Recommendations for Configuring OpenSSH Server
Follow recommended settings to harden OpenSSH servers against common attacks.
We recommend the following guidelines to secure OpenSSH configuration against the most common remote exploits:
- Disable remote root user logins over SSH.
- After you have correctly configured key-based authentication, disable SSH password authentication.
- Consider setting a nonstandard SSH port for Internet-facing systems.
For more information, see Restricting Access to SSH Connections.