Openssh server linux настройка

Openssh server linux настройка

To set up the SSH server, install the openssh and openssh-server packages and enable the sshd service. Then, you can modify settings within the configuration files found in the /etc/ssh directory.

Installing OpenSSH Server and Enabling sshd

A default Oracle Linux installation includes the openssh and openssh-server packages, but the sshd service is not enabled by default.

If necessary, install or update the openssh and openssh-server packages:

sudo dnf install openssh openssh-server

sudo systemctl start sshd sudo systemctl enable sshd

You can set sshd configuration options for features such as Kerberos authentication, X11 forwarding, and port forwarding in the /etc/ssh/sshd_config file. For more information, see the sshd(8) and sshd_config(5) manual pages.

Modifying OpenSSH Server Configuration Files

To configure specific OpenSSH settings, modify the global configuration files in the /etc/ssh directory. These files include:

• moduli Contains key-exchange information that is used to set up a secure connection.
• ssh_config Contains default client configuration settings that can be overridden by the settings in a user’s ~/.ssh/config file.
• ssh_host_rsa_key Contains the RSA private key for SSH2.
• ssh_host_rsa_key.pub Contains the RSA public key for SSH2.
• sshd_config Contains configuration settings for the sshd service.

You can configure other files in the /etc/ssh directory. For details, see the sshd(8) manual page.

For Oracle Linux 8 or later, files saved in the /etc/ssh/sshd_config.d directory override any settings defined in the /etc/ssh/sshd_config configuration file.

For more information, see the ssh_config(5) , sshd(8) , and sshd_config(5) manual pages.

Restricting Access to SSH Connections

The Secure Shell (SSH) allows protected, encrypted communications with other systems. Because SSH is an entry point into the system, disable SSH if it is not required. Alternatively, you can edit the /etc/ssh/sshd_config file to restrict its use.

After making changes to the configuration file, you must restart the sshd service for the changes to take effect.

Set PermitRootLogin to no , to prohibit root from logging in with SSH. A user should instead elevate their privlages after logging in.

You can restrict remote access to certain users and groups by specifying the AllowUsers , AllowGroups , DenyUsers , and DenyGroups settings, for example:

DenyUsers carol dan AllowUsers alice bob

The ClientAliveInterval and ClientAliveCountMax settings cause the SSH client to time out automatically after a period of inactivity, for example:

# Disconnect client after 300 seconds of inactivity ClientAliveCountMax 0 ClientAliveInterval 300

Disable Password Authentication

The PasswordAuthentication and PubkeyAuthentication settings determine whether the SSH client permits users to authenticate with a password or an SSH public key. OpenSSH accepts user passwords for authentication by default, but once you have configured more secure key based authentication you can optionally disable that functionality:

PasswordAuthentication no PubkeyAuthentication yes

For more information, see the sshd_config(5) manual page.

Configuring the OpenSSH Server For User Access

User-specific configuration on the server side of a connection is in the $HOME/.ssh directory and usually contains the following files:

• authorized_keys Contains the authorized public keys for a user. The server uses the signed public key in this file to authenticate a client.
• environment Contains definitions of environment variables. This file is optional.
• rc Contains commands that ssh runs when a user logs in, before the user’s shell or command runs. This file is optional.

For more information, see the ssh(1) and ssh_config(5) manual pages.

Related Topics

Restricting SSH Key Access to Specific Commands

You can perform additional user-specific configuration on the server side of a connection by modifying the $HOME/.ssh/authorized_key file. In addition to adding a list of SSH keys with which a user can authenticate, you can optionally impose additional restrictions on what that user can do with each of those keys.

For example, you can use the command option to configure all connections made with one key to just run a single command on the host and then immediately terminate:

command=command ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s.

By using the command option, security-conscious users can restrict system accesses available to a particular key that might be used for a scripted action and which may not be passphrase protected.

You can also ensure that the key is only accepted if the inbound connection originates from your internal network by using the from option to set a permitted range of IPv4 addresses. For example, to prevent any IP addresses from outside the 192.0.2.0/24 range from connecting with an SSH key, you would append the following line to the $HOME/.ssh/authorized_key file with the correct key value:

from=192.0.2.0/24 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s.

For more information, see the sshd(8) manual pages.

Good Practice Recommendations for Configuring OpenSSH Server

Oracle recommends that you follow these guidelines to secure your OpenSSH configuration against the most common remote exploits:

• You should disable remote root user logins over SSH.
• After you have correctly configured key based authentication, you should disable SSH password authentication.
• Consider setting a non-standard SSH port for Internet-facing systems.

Источник