- Oracle Linux SSH installation
- Installing the OpenSSH Client Packages
- Modifying OpenSSH Client Configuration Files
- Validating Configuration Permissions
- Oracle Linux SSH installation
- Installing OpenSSH Server and Enabling sshd
- Modifying OpenSSH Server Configuration Files
- Restricting Access to SSH Connections
- Configuring the OpenSSH Server For User Access
- Restricting SSH Key Access to Specific Commands
- Good Practice Recommendations for Configuring OpenSSH Server
- Oracle Linux SSH installation
- Setting Up SSH on UNIX and Linux Systems
- To Set Up SSH on Oracle Solaris Systems
- To Set Up SSH on MacOS Systems
- To Set Up SSH on Linux systems
Oracle Linux SSH installation
To set up OpenSSH on the client, you need the openssh and openssh-clients packages.
Installing the OpenSSH Client Packages
A default Oracle Linux installation includes both the openssh and openssh-clients packages. However, if necessary, install or update the packages on your system.
sudo dnf install openssh openssh-clients
Modifying OpenSSH Client Configuration Files
The $HOME/.ssh directory on the client system contains the OpenSSH client configuration files for a particular user. This directory usually contains the following files for client-side configuration:
- id_rsa and id_rsa.pub Contain a user’s SSH2 RSA private and public keys. SSH2 RSA is the most commonly used key-pair type. id_rsa and id_rsa.pub are the conventional names for these files, but there are no restrictions on the file names. You can store multiple key pairs in this directory for use across different connections.
Caution: The private key file can be readable and writable by the user but must not be accessible to other users.
Caution: A config file can be readable and writable by the user but must not be accessible to other users.
For more information, see the ssh(1) and ssh-keygen(1) manual pages.
Validating Configuration Permissions
OpenSSH applies strict permissions to the $HOME/.ssh directory and files stored in this directory. If the permissions in the directories on either side of the connection are wrong, OpenSSH prevents the connection and usually errors out with a Permission Denied message.
Generally, the content in this directory should only be accessible to your own user. A slight exception to this is the authorized_keys file, which contains public keys that can be readable to other users.
- Set the directory and file permissions as follows. Some of these files may not be present on the system where you are running these commands:
chmod 700 $HOME/.ssh                    # The user .ssh directory
chmod 600 $HOME/.ssh/id_rsa             # A user's private key
chmod 644 $HOME/.ssh/id_rsa.pub         # A user's public key
chmod 600 $HOME/.ssh/config             # Customized configuration entries for the ssh client
chmod 644 $HOME/.ssh/authorized_keys    # A user's authorized public key entries to allow login
chmod 600 $HOME/.ssh/known_hosts        # A user's known hosts entries for system fingerprints
chown -R $USER:$USER $HOME/.ssh         # Recursively set ownership of all .ssh files

drwx------+ 2 user group     5 Jun 12 08:33 .
drwxr--r--+ 3 user group     9 Jun 12 08:32 ..
-rw-r--r--+ 1 user group   397 Jun 12 08:33 authorized_keys
-rw-------. 1 user group  2283 Nov 22 13:22 config
-rw-------. 1 user group   963 Aug 22 09:27 id_rsa
-rw-r--r--. 1 user group   221 Aug 22 09:27 id_rsa.pub
-rw-------. 1 user group 85531 Nov  9 10:01 known_hosts
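The modes listed above can be checked rather than only set. The following is an added example, not part of the Oracle documentation: it reports any entry that grants more than the listed mode or that the current user does not own. The function names and the throwaway sample directory are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Oracle's code): flag .ssh entries that grant more than
# the modes listed above, or that the current user does not own.

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_ssh_perms DIR: print one line per finding; exit status 1 if any.
# The body runs in a subshell so its variables stay local.
check_ssh_perms() (
    dir=$1; bad=0
    # name:maximum-mode pairs from the chmod list ("." is the directory itself)
    for entry in .:700 id_rsa:600 id_rsa.pub:644 config:600 \
                 authorized_keys:644 known_hosts:600; do
        name=${entry%%:*}; max=${entry##*:}; path=$dir/$name
        [ -e "$path" ] || continue            # not every file has to exist
        have=$(file_mode "$path")
        # Any permission bit set outside the allowed mask is a finding;
        # a stricter mode (for example 600 on authorized_keys) passes.
        if [ $(( 0$have & ~0$max & 07777 )) -ne 0 ]; then
            echo "TOO-OPEN $path mode=$have max=$max"; bad=1
        fi
        [ -O "$path" ] || { echo "NOT-OWNED $path"; bad=1; }
    done
    exit "$bad"
)

# Constructed sample: a throwaway directory with a world-readable private key.
demo=$(mktemp -d) && chmod 700 "$demo"
: > "$demo/id_rsa" && chmod 644 "$demo/id_rsa"
: > "$demo/authorized_keys" && chmod 600 "$demo/authorized_keys"
check_ssh_perms "$demo" || echo "findings above need chmod/chown"
rm -rf "$demo"
```

To audit a real account, call check_ssh_perms "$HOME/.ssh" as that user.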
Oracle Linux SSH installation
To set up the SSH server, install the openssh and openssh-server packages and enable the sshd service. Then, you can modify settings within the configuration files found in the /etc/ssh directory.
Installing OpenSSH Server and Enabling sshd
A default Oracle Linux installation includes the openssh and openssh-server packages, but the sshd service is not enabled by default.
- If necessary, install or update the openssh and openssh-server packages:
sudo dnf install openssh openssh-server
sudo systemctl start sshd
sudo systemctl enable sshd
You can set sshd configuration options for features such as Kerberos authentication, X11 forwarding, and port forwarding in the /etc/ssh/sshd_config file. For more information, see the sshd(8) and sshd_config(5) manual pages.
Modifying OpenSSH Server Configuration Files
To configure specific OpenSSH settings, modify the global configuration files in the /etc/ssh directory. These files include:
- moduli Contains key-exchange information that is used to set up a secure connection.
- ssh_config Contains default client configuration settings that can be overridden by the settings in a user’s ~/.ssh/config file.
- ssh_host_rsa_key Contains the RSA private key for SSH2.
- ssh_host_rsa_key.pub Contains the RSA public key for SSH2.
- sshd_config Contains configuration settings for the sshd service.
You can configure other files in the /etc/ssh directory. For details, see the sshd(8) manual page.
For Oracle Linux 8 or later, files saved in the /etc/ssh/sshd_config.d directory override any settings defined in the /etc/ssh/sshd_config configuration file.
For more information, see the ssh_config(5), sshd(8), and sshd_config(5) manual pages.
Restricting Access to SSH Connections
The Secure Shell (SSH) allows protected, encrypted communications with other systems. Because SSH is an entry point into the system, disable SSH if it is not required. Alternatively, you can edit the /etc/ssh/sshd_config file to restrict its use.
After making changes to the configuration file, you must restart the sshd service for the changes to take effect.
Set PermitRootLogin to no to prohibit root from logging in with SSH. A user should instead elevate their privileges after logging in.
You can restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers, and DenyGroups settings, for example:
DenyUsers carol dan
AllowUsers alice bob
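The ClientAliveInterval and ClientAliveCountMax settings cause the SSH client to time out automatically after a period of inactivity, for example:
# Disconnect client after 300 seconds of inactivity
ClientAliveCountMax 0
ClientAliveInterval 300
Caution: In OpenSSH 8.2 and later, setting ClientAliveCountMax to 0 disables connection termination, so check the sshd_config(5) manual page for the OpenSSH version on your system before relying on these values.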
Disable Password Authentication
The PasswordAuthentication and PubkeyAuthentication settings determine whether the SSH client permits users to authenticate with a password or an SSH public key. OpenSSH accepts user passwords for authentication by default, but once you have configured more secure key-based authentication, you can optionally disable that functionality:
PasswordAuthentication no
PubkeyAuthentication yes
For more information, see the sshd_config(5) manual page.
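Because files in /etc/ssh/sshd_config.d override /etc/ssh/sshd_config, a setting that looks correct in one file can be undone by another. The following added example, which is not part of the Oracle documentation, resolves the global value of a keyword across files and compares it with the settings recommended in this section. It assumes the files are passed in the order sshd reads them; the function names and sample files are constructed.

```sh
#!/bin/sh
# Added example (not Oracle's code). Function and file names are illustrative.

# effective_sshd_value KEYWORD FILE...
# sshd keeps the first value it reads for a keyword, so pass FILEs in the
# order sshd reads them (drop-ins before the rest of sshd_config when the
# Include line is at the top). Lines after a Match keyword are skipped.
effective_sshd_value() (
    kw=$(printf %s "$1" | tr 'A-Z' 'a-z'); shift
    awk -v kw="$kw" '
        FNR == 1 { inmatch = 0 }              # each file starts in global scope
        { sub(/^[ \t]+/, ""); sub(/\r$/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { inmatch = 1; next }
        !inmatch && key == kw { print tolower(f[2]); exit }
    ' "$@"
)

# audit_sshd FILE...: keyword:wanted:default triples. The defaults are the
# upstream OpenSSH ones from sshd_config(5), used when no file sets a keyword.
audit_sshd() (
    bad=0
    for t in permitrootlogin:no:prohibit-password \
             passwordauthentication:no:yes pubkeyauthentication:yes:yes; do
        kw=${t%%:*}; rest=${t#*:}; want=${rest%%:*}; def=${rest#*:}
        have=$(effective_sshd_value "$kw" "$@")
        [ "${have:-$def}" = "$want" ] && continue
        echo "FAIL $kw=${have:-$def (default)} wanted=$want"; bad=1
    done
    exit "$bad"
)

# Constructed sample: a permissive main file and a hardening drop-in.
tmp=$(mktemp -d)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$tmp/sshd_config"
printf 'PermitRootLogin no\nPasswordAuthentication=no\n' > "$tmp/50-harden.conf"
audit_sshd "$tmp/sshd_config" || echo "main file alone: not compliant"
audit_sshd "$tmp/50-harden.conf" "$tmp/sshd_config" && echo "drop-in first: ok"
rm -rf "$tmp"
```

On a live host, sshd -T prints the configuration that sshd itself resolves, including Match blocks, and is the authoritative check.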
Configuring the OpenSSH Server For User Access
User-specific configuration on the server side of a connection is in the $HOME/.ssh directory and usually contains the following files:
- authorized_keys Contains the authorized public keys for a user. The server uses the signed public key in this file to authenticate a client.
- environment Contains definitions of environment variables. This file is optional.
- rc Contains commands that ssh runs when a user logs in, before the user’s shell or command runs. This file is optional.
For more information, see the ssh(1) and ssh_config(5) manual pages.
Restricting SSH Key Access to Specific Commands
You can perform additional user-specific configuration on the server side of a connection by modifying the $HOME/.ssh/authorized_keys file. In addition to adding a list of SSH keys with which a user can authenticate, you can optionally impose additional restrictions on what that user can do with each of those keys.
For example, you can use the command option to configure all connections made with one key to just run a single command on the host and then immediately terminate:
command="command" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s.
By using the command option, security-conscious users can restrict system accesses available to a particular key that might be used for a scripted action and which may not be passphrase protected.
You can also ensure that the key is only accepted if the inbound connection originates from your internal network by using the from option to set a permitted range of IPv4 addresses. For example, to prevent any IP addresses from outside the 192.0.2.0/24 range from connecting with an SSH key, you would append the following line to the $HOME/.ssh/authorized_keys file with the correct key value:
from="192.0.2.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s.
For more information, see the sshd(8) manual pages.
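To review which keys actually carry the command and from restrictions described above, the options field of each authorized_keys line has to be separated from the key type, taking quoted values with spaces into account. The following is an added example, not part of the Oracle documentation; the function names, the /usr/local/bin/backup path and the key material are constructed placeholders.

```sh
#!/bin/sh
# Added example (not Oracle's code): list each key in an authorized_keys
# file with whether it carries a from= and/or command= restriction.

# key_restrictions FILE
# prints "<line> <key-type> from=<yes|no> command=<yes|no>" for every key.
key_restrictions() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            # The options field ends at the first blank outside double quotes.
            inq = 0; end = length($0) + 1
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\"" && substr($0, i - 1, 1) != "\\") inq = !inq
                else if (!inq && (c == " " || c == "\t")) { end = i; break }
            }
            first = substr($0, 1, end - 1); opts = ""; type = first
            # A line that starts directly with a key type has no options.
            if (first !~ /^(ssh-|ecdsa-|sk-)/) {
                opts = tolower(first)
                tail = substr($0, end + 1); sub(/^[ \t]+/, "", tail)
                split(tail, rest, /[ \t]+/); type = rest[1]
            }
            hasfrom = (opts ~ /(^|,)from="/) ? "yes" : "no"
            hascmd  = (opts ~ /(^|,)command="/) ? "yes" : "no"
            printf "%d %s from=%s command=%s\n", NR, type, hasfrom, hascmd
        }' "$1"
}

# Constructed sample; the key material is placeholder text, not real keys.
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample
ssh-ed25519 AAAA_PLACEHOLDER alice@laptop
command="/usr/local/bin/backup --all",no-pty ssh-rsa AAAA_PLACEHOLDER backup@cron
from="192.0.2.0/24" ssh-rsa AAAA_PLACEHOLDER bob@desk
EOF
}
tmp=$(mktemp) && sample_authorized_keys > "$tmp" && key_restrictions "$tmp"
rm -f "$tmp"
```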
Good Practice Recommendations for Configuring OpenSSH Server
Oracle recommends that you follow these guidelines to secure your OpenSSH configuration against the most common remote exploits:
- You should disable remote root user logins over SSH.
- After you have correctly configured key based authentication, you should disable SSH password authentication.
- Consider setting a non-standard SSH port for Internet-facing systems.
Oracle Linux SSH installation
Setting Up SSH on UNIX and Linux Systems
Setting up SSH on UNIX and Linux systems involves verifying that the SSH server daemon sshd is running and, if necessary, starting this daemon. Set up SSH on the DAS host and on all hosts where instances in your cluster will reside.
On UNIX and Linux systems, SSH software is typically installed as part of the base operating system. If SSH is not installed, download and install the appropriate OpenSSH SSH package for your operating system.
How to set up SSH on UNIX and Linux systems depends on the flavor of the operating system that you are running, as explained in the following sections:
To Set Up SSH on Oracle Solaris Systems
- Ensure that the following options in the configuration file /etc/ssh/sshd_config are set to yes:
  - StrictModes
  - PubkeyAuthentication
- Determine if the SSH server daemon sshd is running.
$ /usr/sbin/svcadm enable ssh
Example 2-2 Determining if the sshd Daemon Is Running on an Oracle Solaris System
This example confirms that the SSH server daemon sshd is running on an Oracle Solaris system.
$ /usr/bin/svcs ssh
STATE          STIME    FMRI
online         Jul_06   svc:/network/ssh:default
After you have completed the setup of SSH on a host, test the setup on the host as explained in Testing the SSH Setup on a Host.
To Set Up SSH on MacOS Systems
- Open System Preferences and click Sharing. The Sharing window opens.
- Ensure that Remote Login is selected in the Service list.
- Ensure that either of the following is allowed access:
  - All Users
  - The user that is running the DAS or instance
After you have completed the setup of SSH on a host, test the setup on the host as explained in Testing the SSH Setup on a Host.
To Set Up SSH on Linux systems
- Ensure that the following options in the configuration file /etc/ssh/sshd_config are set to yes:
  - StrictModes
  - PubkeyAuthentication
- Determine if the SSH server daemon sshd is running.
$ /sbin/service sshd status
$ /sbin/service sshd start
Example 2-3 Determining if the sshd Daemon Is Running on a Linux System
This example confirms that the SSH server daemon sshd is running on a Linux system.
$ /sbin/service sshd status
openssh-daemon (pid 2373) is running.
After you have completed the setup of SSH on a host, test the setup on the host as explained in Testing the SSH Setup on a Host.