Intro to SSH

SSH (Secure SHell) is a ubiquitous utility that has been used in the industry for many years. It is considered to be extremely secure and versatile.

Installing SSH

By default, both the OpenSSH client package openssh and the server package openssh-server are installed. No further action should be required. However, to verify that these packages are installed issue the command `rpm -qa | grep -i ssh`. To verify that the SSH service will start when the system boots, issue the command `chkconfig --list sshd`.

SSH Configuration

SSH config files default to the location '/etc/ssh'. Client behavior is configured in '/etc/ssh/ssh_config'. Server behavior is configured in '/etc/ssh/sshd_config'. Make sure to back up these files before making changes, and make sure to restart the service after making changes. The table below lists a few directives that will make SSH server configuration more secure or robust.

Table 4.2. SSH Server Configuration Directives

Directive                                        Description
-----------------------------------------------  --------------------------------------------------------------
PermitRootLogin [yes|no]                         Set to 'no' to forbid root login via SSH.
ListenAddress x.x.x.x                            Bind sshd to a specific local address so that it accepts logins only on that interface.
Protocol N                                       Default is 2. Set to 1 to allow legacy versions of SSH.[a]
X11Forwarding [yes|no]                           Whether to forward X over the SSH tunnel. Can be costly in terms of bandwidth overhead.
Port xx                                          Run SSH on a non-standard port for increased security. Don't forget firewall and SELinux implications.
AllowUsers, AllowGroups, DenyUsers, DenyGroups   These directives can be set to limit SSH logins. See `man sshd_config` for more details.

[a] Typically, Version 2 of SSH is more secure.

[Warning] Watch Out if Running SSH on a Non-Standard Port!

When configuring SSH on a non-standard port, it is possible to "lock yourself out of your own box" by not testing the scheme first.

SSH as a Service

Listed below are the most common SSH manipulation commands.

  • `service sshd [start|stop]` - Start and/or stop the service. Must be done upon configuration changes.
  • `chkconfig sshd on` - Set the service to start automatically when the machine boots.

Commands to Manipulate SSH

See the section called "SSH as a Service" above. Also, there is a convenient way to use key-based SSH authentication. See the section called "Additional Notes & Considerations for SSH" for more details.

Securing SSH

The "out of the box" configuration of SSH is, by default, typically secure enough for general requirements. Running SSH on a non-standard port can help increase security. There may be SELinux considerations for SSH. The following commands list the SELinux file contexts, port labels, and booleans related to SSH.

  1. `semanage fcontext -l | grep ssh`
  2. `semanage port -l | grep ssh`
  3. `getsebool -a | grep ssh`
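As an added example (not code from the study guide), a small POSIX shell audit that reads an sshd_config and reports the effective value of the Table 4.2 directives, mirroring sshd's rule that the first value given for a keyword wins, and flagging a non-standard Port for the firewall and SELinux follow-up. The sample config, the temp file and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the study guide): audit an sshd_config for the
# directives in Table 4.2. Assumes POSIX sh and awk; the config is constructed.
# sshd uses the FIRST value given for a keyword (man sshd_config), keywords are
# case-insensitive, and anything after a "Match" line is conditional, so the
# audit mirrors that: first match wins, and the scan stops at the first Match block.

# Print the effective value of a directive; prints nothing if it is unset.
sshd_effective() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        tolower($1) == "match"   { exit }            # conditional section: stop
        tolower($1) == key       { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Compare each directive with the recommended value; returns 1 if any is weak.
audit_sshd_config() {
    cfg=$1; rc=0
    for spec in PermitRootLogin:no Protocol:2 X11Forwarding:no; do
        key=${spec%%:*}; want=${spec#*:}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key=$got"
        else
            echo "WEAK  $key=${got:-<default>} (want $want)"; rc=1
        fi
    done
    port=$(sshd_effective "$cfg" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then
        echo "note  Port=$port is non-standard: open it in the firewall and check 'semanage port -l | grep ssh'"
    fi
    return $rc
}

# Constructed sample config; note the duplicate PermitRootLogin.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# sshd_config (constructed sample, not from a real host)
Port 2222
Protocol 2
PermitRootLogin yes
# the line below is ignored by sshd: the first value wins
PermitRootLogin no
X11Forwarding yes
EOF

audit_sshd_config "$SAMPLE_CFG" || echo "audit: weak settings found, see WEAK lines"
```

Run it against a copy of /etc/ssh/sshd_config before restarting the service; the same first-value rule is why a hardening line appended at the end of the file may silently have no effect.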

Additional Notes & Considerations for SSH

It is possible to forward ports via SSH. Also, it is possible to use SSH key-based authentication, thereby not requiring a prompted password for each login. See the section called "Establish Key-Based SSH Login" for more details.

Reference Material for this Chapter

For this chapter's supporting material, please reference Chapters 2 & 11 in the RHCSA/RHCE Linux Certification Study Guide text book.