SSH, or Secure Shell, is a beacon for secure communication in today’s digital landscape, ensuring encrypted interactions over potentially vulnerable networks. For those aiming to fortify their Rocky Linux systems, this guide will elucidate how to install SSH on Rocky Linux 9 or the older stable Enterprise Linux release of Rocky Linux 8. Thanks to its proven reliability, OpenSSH, the open-source embodiment of the SSH protocol, is a trusted tool among server administrators and network professionals.
Key Attributes of SSH:
- Security Focus: SSH was conceived to provide a fortified channel on unsecured networks, effectively replacing older, less secure methods like telnet.
- Robust Encryption: SSH is adept at safeguarding data. It ensures that sensitive information, including passwords, remains impervious to unauthorized interception.
- User Authentication: Employing public-key cryptography, SSH authenticates the remote machine and verifies the user’s identity.
OpenSSH’s Distinctive Qualities:
- Open-Source Integrity: OpenSSH’s transparency, being an open-source project, invites community participation in security assessments and improvements.
- Versatility: OpenSSH encompasses more than just SSH. It includes tools like scp (secure copy) and sftp (secure file transfer protocol), benefiting from SSH’s encryption prowess.
- Broad Compatibility: OpenSSH is crafted to be compatible with various operating systems, spanning various UNIX systems and even specific Windows versions.
By the culmination of this guide, you’ll be well-versed in the intricacies of installing SSH on Rocky Linux and the myriad benefits OpenSSH offers. In an era where secure communication is paramount, leveraging tools like OpenSSH becomes indispensable.
Update Rocky Linux Before SSH Installation
Before diving into the installation and configuration of SSH on Rocky Linux, it’s crucial to ensure that your system’s packages are current. This not only guarantees smoother operations but also minimizes potential software conflicts. To update your Rocky Linux system, use the command:
sudo dnf upgrade --refreshInstall SSH on Rocky Linux 9 or 8
The next step involves verifying whether the OpenSSH server is already on your Rocky Linux system. This can be ascertained by executing the command:
rpm -qa | grep openssh-serverThis command will return a relevant output if the OpenSSH server is installed. If there’s no output, it indicates the absence of the OpenSSH server on your system. To address this and install the OpenSSH server, use the following command:
sudo dnf install openssh-serverEnable SSH (SSHD) Service on Rocky Linux 9 or 8
After successfully installing the OpenSSH server, enabling the SSHD service within the systemd framework is imperative. This ensures that the SSH daemon initializes automatically after every system reboot. To achieve this, execute the command:
sudo systemctl enable sshdWith the SSHD service now set to auto-start, you can manually initiate the SSH server using:
sudo systemctl start sshdFor verification purposes and to ensure the SSH server is running without issues, you can check its status with:
sudo systemctl status sshdTo confirm that the default port (22) is now actively listening for incoming SSH connections, run:
sudo ss -ltConnect to a Remote Server via SSH on Rocky Linux 9 or 8
With SSH appropriately set up on your Rocky Linux system, you can now establish connections to remote servers. Here’s a detailed breakdown of how to utilize SSH for various connection scenarios:
Connecting Using Password Authentication with SSH on Rocky Linux
To establish a connection to a remote server using SSH with password-based authentication, employ the command:
ssh username@remote_serverHere, replace “username” with your actual username and “remote_server” with the IP address or hostname of the desired remote server. Upon execution, you’ll be prompted to input your password for authentication.
Connecting Using Public Key Authentication with SSH on Rocky Linux
SSH offers public key authentication for those preferring a more secure connection method. To connect using this method, the command is:
ssh -i /path/to/private_key username@remote_serverIn this command, replace “/path/to/private_key” with the path leading to your private key file. Similarly, replace “username” with your username and “remote_server” with the IP address or hostname of the remote server. This method bypasses the need for password input, relying instead on the provided private key for authentication.
Specifying an Alternate Port for Connection with SSH on Rocky Linux
While SSH defaults to port 22 for connections, some remote servers might operate on different ports. To specify an alternate port during connection, use:
ssh -p 2222 username@remote_serverIn this example, replace “2222” with the port number the remote server utilizes.
Secure File Transfer with SCP with SSH on Rocky Linux
SCP, or Secure Copy, is a potent command-line utility that facilitates the secure transfer of files between systems via SSH. To transfer a file from your local Rocky Linux system to a remote server, the command is:
scp /path/to/local/file username@remote_server:/path/to/remote/directory
Replace “/path/to/local/file” with the path of the file you intend to transfer. Similarly, adjust “username” to your username, “remote_server” to the IP address or hostname of the remote server, and “/path/to/remote/directory” to the directory path on the remote server where you wish to place the transferred file.
Configure SSH on Rocky Linux 9 or 8
Optimizing the SSH configuration can enhance your server’s security and performance. The SSH configuration file, located at /etc/ssh/sshd_config, contains various parameters that can be adjusted to suit specific needs. While the following configurations are merely examples, they can be beneficial depending on your server or desktop setup.
Disabling GSSAPI Authentication for SSH on Rocky Linux
GSSAPI authentication, while helpful, can sometimes introduce delays during SSH connection establishment. To mitigate this, you can disable it by appending the line below to the SSH configuration file:
GSSAPIAuthentication noModifying SSH Session Timeouts for SSH on Rocky Linux
Adjusting session timeouts can help manage inactive SSH sessions. To set the server to send a keep-alive message every 5 minutes and terminate the session if two consecutive messages go unanswered, add:
ClientAliveInterval 300
ClientAliveCountMax 2Prohibiting Root Login for SSH on Rocky Linux
For enhanced security, especially against brute-force attacks, it’s advisable to disable root login. This can be achieved with:
PermitRootLogin noImplementing Public Key Authentication for SSH on Rocky Linux
Public key authentication offers a more secure alternative to password-based methods. To set this up, first generate a new SSH key pair:
ssh-keygen -t rsa -b 4096Next, transfer the public key to the desired remote server:
ssh-copy-id user@remote_serverEnsure you replace “user” with your username and “remote_server” with the appropriate IP address or hostname. Lastly, enable public key authentication in the SSH configuration:
PubkeyAuthentication yesRestricting SSH Access for SSH on Rocky Linux
You can limit SSH access to specific users or groups for added security. To implement this, add:
AllowUsers user1 user2
AllowGroups group1 group2Replace the placeholders with the actual usernames or group names you wish to grant access.
Altering the SSH Port for SSH on Rocky Linux
SSH, by default, operates on port 22. Given its notoriety, changing this port can deter unauthorized access attempts. To assign a new port, use:
Port <port_number>It’s advisable to select a port number between 1024 and 65535 that isn’t occupied by another service.
Secure SSH with Firewalld on Rocky Linux 9 or 8
When working with a VPS or a remote server environment, ensuring uninterrupted access is crucial. Before making any changes to Firewalld, especially if you’re accessing the system remotely, it’s imperative to whitelist your IP address. Failing to do so might inadvertently lock you out of the server after applying the firewall changes.
To whitelist your IP address in Firewalld, use the following command:
sudo firewall-cmd --permanent --add-source=<your_ip_address>
Replace <your_ip_address> with your actual IP address.
Once your IP address is whitelisted, you can safely incorporate the SSH service into Firewalld:
sudo firewall-cmd --add-service=ssh --permanentAfter making the necessary adjustments, apply the new Firewalld configuration:
sudo firewall-cmd --reloadTo verify the inclusion of the SSH service in Firewalld, run the following:
sudo firewall-cmd --list-services | grep sshThis command will confirm if the SSH service is duly permitted through the firewall, ensuring your remote connections remain secure and accessible.
Conclusion
In this guide, we’ve explored the essential steps to install and configure OpenSSH on Rocky Linux. From updating the system and verifying the presence of OpenSSH to optimizing configurations and fortifying security with Firewalld, each step has been meticulously detailed to ensure a seamless setup. Understanding the significance of each configuration and its impact on the system’s security and performance is paramount. As a best practice, always stay updated with the latest releases and security advisories related to OpenSSH. This ensures optimal performance and fortifies your system against potential vulnerabilities.