Working With OpenSSH Server Configuration Files

To configure specific OpenSSH settings, edit the global configuration files in the /etc/ssh directory. Examples of files in this directory might include the following:

  • moduli

    Contains key-exchange information that's used to set up a secure connection.

  • ssh_config

    Contains default client configuration settings that can be overridden by the settings in a user’s $HOME/.ssh/config file.

  • ssh_host_ed25519_key

    Contains the ed25519 private key for SSH2. Generated by default in Oracle Linux 10.

  • ssh_host_ed25519_key.pub

    Contains the ed25519 public key for SSH2. Generated by default in Oracle Linux 10.

  • ssh_host_rsa_key

    Contains the RSA private key for SSH2.

  • ssh_host_rsa_key.pub

    Contains the RSA public key for SSH2.

  • sshd_config

    Contains configuration settings for the sshd service.

    Note:

    For Oracle Linux 8 or later, files saved in the /etc/ssh/sshd_config.d directory override any settings defined in the /etc/ssh/sshd_config configuration file.

You can configure other files in the /etc/ssh directory. For details, see the sshd(8) manual page.

For more information, see the ssh_config(5), sshd(8), and sshd_config(5) manual pages.

Restricting Access to SSH Connections

The Secure Shell (SSH) provides protected, encrypted communications with other systems. Because SSH is an entry point into the system, disable SSH if it isn't required. Optionally, you can edit the /etc/ssh/sshd_config file to restrict its use.

Important:

After applying changes to the configuration file, you must restart the sshd service for the changes to take effect.

Restrict Root Access

Set PermitRootLogin to no to prohibit root from logging in with SSH. Users then log in under their own accounts and elevate their privileges afterwards.

PermitRootLogin no

Restrict Specific Users

You can restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers, and DenyGroups settings, for example:

DenyUsers carol dan
AllowUsers alice bob

For more information about configuring users and groups, you can visit one of the following links:

Set a Timeout Period

The ClientAliveInterval and ClientAliveCountMax settings cause an idle SSH client's session to be disconnected automatically after a period of inactivity, for example:

# Disconnect client after 300 seconds of inactivity
ClientAliveCountMax 0
ClientAliveInterval 300

Disable Password Authentication

The PasswordAuthentication and PubkeyAuthentication settings define which authentication methods sshd accepts from users: a password or an SSH public key. If you have configured key-based authentication, which is more secure, you can disable PasswordAuthentication by setting it to no. To check the current PasswordAuthentication setting on a server, run the following command:

sudo grep -R PasswordAuthentication /etc/ssh

For more information, see the sshd_config(5) manual page.
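The grep above lists every occurrence of a keyword, but, as the note on sshd_config.d explains, sshd uses only the first value it reads, with the drop-in directory read first. The following added Python model (not Oracle's or OpenSSH's code) walks a constructed /etc/ssh tree, applies that first-value-wins rule with Include expansion, and audits the result against the settings discussed on this page; the file contents and the DEFAULTS table are assumptions for the example, and Match blocks are not modelled.

```python
import fnmatch
import re
# Constructed stand-in for /etc/ssh on an Oracle Linux 8+ host (not copied
# from any real host): the drop-in directory is read first, so its values win.
FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin yes\nPasswordAuthentication yes\n"
        "ClientAliveInterval 300\nClientAliveCountMax 0\n"
    ),
    "/etc/ssh/sshd_config.d/50-redhat.conf": "ChallengeResponseAuthentication no\n",
    "/etc/ssh/sshd_config.d/10-hardening.conf": (
        "PermitRootLogin no\nPasswordAuthentication = no\nAllowUsers alice bob\n"
    ),
}
DIRECTIVE = re.compile(r"(\S+?)\s*(?:=|\s)\s*(.*)")  # "Key value" or "Key=value"
# Values sshd assumes when a keyword is absent, so omissions are audited too.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "clientalivecountmax": "3"}

def effective_config(path, files=FILES, seen=None):
    """Map keyword -> value as sshd applies it: keywords are case-insensitive,
    the first value read wins, and an Include glob is expanded in lexical
    order at the point of the directive. Match blocks are not modelled."""
    seen = {} if seen is None else seen
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        key, value = (m.group(1).lower(), m.group(2)) if m else (line.lower(), "")
        if key == "include":
            for inc in sorted(p for p in files if fnmatch.fnmatch(p, value)):
                effective_config(inc, files, seen)
        elif key not in seen:
            seen[key] = value.strip()
    return seen

def audit(config):
    """Return findings against the hardening settings described on this page."""
    get = lambda k: config.get(k, DEFAULTS.get(k, "")).lower()
    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if get("clientalivecountmax") == "0":
        # sshd_config(5): a zero ClientAliveCountMax disables connection
        # termination (OpenSSH 8.2 and later), so idle sessions never drop.
        findings.append("ClientAliveCountMax 0 disables disconnection")
    return findings
```

On a live host, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually uses, which is the effective view this model computes rather than the raw grep hits.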