SSH (Secure Shell) is a secure network protocol that allows you to remotely access and manage Linux servers, including Fedora systems. It provides encrypted communication between the client and server, ensuring that sensitive data is securely transmitted over the network. SSH is widely used for remote system administration, file transfers, and tunneling. On Fedora 40 or 39, SSH can be easily set up and configured to allow secure remote access to your system.
This guide will walk you through the process of installing, enabling, and configuring SSH on Fedora 40 or 39, using the command-line terminal. Additionally, it will cover basic SSH commands and tips for secure configuration.
Update Fedora Packages Before SSH Installation
Updating your Fedora system packages before installing SSH is crucial to maintaining system compatibility and preventing conflicts. This ensures that all your system components are up to date.
Run the following command in the terminal to update your packages:
sudo dnf upgrade --refresh
This command refreshes the repository metadata and upgrades the packages, ensuring your system is current.
Install SSH via DNF Command
Before installing, check whether the OpenSSH server is already present on your Fedora system. Use this command to search for the OpenSSH server package:
rpm -qa | grep openssh-server
If this command returns a result, the OpenSSH server is already installed. If there’s no output, you need to install it.
Use this command to install the OpenSSH server:
sudo dnf install openssh-server
Enabling and Starting the SSHD Service
Once the OpenSSH server is installed, your next step is to enable the SSHD service. This action ensures that the SSH daemon automatically starts with each system boot, offering consistent remote access.
Enable SSHD using this command:
sudo systemctl enable sshd
After enabling, start the SSH server with:
sudo systemctl start sshd
To verify that the SSH server is running correctly, you can check its status:
systemctl status sshd
Using SSH to Connect to a Remote System
Connecting to a Remote Server with Password Authentication
After setting up SSH, you can initiate a connection to a remote server. For password-based authentication, use the following syntax:
ssh username@remote_server
Replace username with your actual username and remote_server with the server’s IP address or hostname. Upon executing this command, you’ll be prompted to enter your password for authentication.
Connecting to a Remote Server with Public Key Authentication
For enhanced security, SSH also supports public key authentication. This method is more secure than password authentication as it uses cryptographic keys. Execute the command:
ssh -i /path/to/private_key username@remote_server
Here, replace /path/to/private_key with the path to your private key file, username with your username, and remote_server with the server’s IP address or hostname. This method bypasses the need for password entry, leveraging the private key for authentication.
Specifying a Different Port
SSH defaults to port 22 for connections. However, if the remote server listens on a different port, specify it using the -p option:
ssh -p 2222 username@remote_server
Change 2222 to the actual port number used by the remote server.
Transferring Files with SCP
SCP (Secure Copy Protocol) is a secure method for transferring files between systems via SSH. To copy a file from your local system to a remote server, use this command:
scp /path/to/local/file username@remote_server:/path/to/remote/directory
Adapt /path/to/local/file to the local file’s path, username to your username, remote_server to the server’s IP or hostname, and /path/to/remote/directory to the target directory on the remote server. This command securely copies the file to the specified directory on the remote server.
Configure SSH on Fedora Linux Examples
Disable GSSAPI Authentication
Consider disabling GSSAPI authentication for enhanced performance, as it can slow down SSH connection times. To do this, add the following line to your /etc/ssh/sshd_config file:
GSSAPIAuthentication no
This modification prevents GSSAPI authentication, which can reduce delays during SSH connection setup.
Adjust SSH Session Timeouts
To manage SSH session timeouts, add these lines to the same /etc/ssh/sshd_config file:
ClientAliveInterval 300
ClientAliveCountMax 2
This configuration sends a keep-alive message every 300 seconds (5 minutes) and terminates the session if no response is received after two messages. It keeps sessions with responsive clients open and closes those whose client has stopped responding.
Disable Root Login
Disabling root login is a critical security practice to defend against brute-force attacks. Include this line in your SSH configuration:
PermitRootLogin no
This setting ensures that remote root login is disabled, significantly enhancing your system’s security.
Use Public Key Authentication
Public key authentication offers a more secure alternative to password-based methods. First, generate an SSH key pair:
ssh-keygen -t rsa -b 4096
Then, transfer your public key to the remote server:
ssh-copy-id user@remote_server
Replace user with your username and remote_server with the server’s IP or hostname. After copying the key, enable public key authentication in your SSH configuration:
PubkeyAuthentication yes
Restrict SSH Access to Specific Users or Groups
To limit SSH access to certain users or groups, add these lines to your SSH configuration file:
AllowUsers user1 user2
AllowGroups group1 group2
Replace user1 user2 with the allowed usernames and group1 group2 with the allowed group names. This restriction enhances security by limiting access.
Changing the Port of SSH
Changing the default SSH port (22) can reduce unauthorized access attempts. To change the SSH port, add this line to your SSH configuration file:
Port <port_number>
Replace <port_number> with your chosen port, ideally between 1024 and 65535, ensuring another service does not use it. This step adds an extra layer of security by obscuring the SSH port from automated attacks.
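Because sshd uses the first value it reads for each keyword, and Fedora's stock sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own settings, a line added to the main file may not be the one in effect. The following added example (not part of the original guide) compares an `sshd -T` dump with the values used in this section; the function name, the `EXPECTED` list and the sample dump are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit sshd's effective settings against this guide's values.

# keyword=value pairs from this section, in the lowercase form `sshd -T` prints
EXPECTED="permitrootlogin=no pubkeyauthentication=yes gssapiauthentication=no clientaliveinterval=300 clientalivecountmax=2"

# Reads an `sshd -T` dump on stdin, prints one line per deviation, and
# returns 0 only when every expected setting is in effect.
audit_sshd() {
  awk -v expected="$EXPECTED" '
    BEGIN {
      n = split(expected, pairs, " ")
      for (i = 1; i <= n; i++) {
        split(pairs[i], kv, "=")
        order[i] = kv[1]; want[kv[1]] = kv[2]
      }
    }
    # Keep the first value seen per keyword (sshd also uses the first one it reads)
    { key = tolower($1); if ((key in want) && !(key in got)) got[key] = tolower($2) }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in got)) {
          printf "MISSING %s (want %s)\n", k, want[k]; bad++
        } else if (got[k] != want[k]) {
          printf "MISMATCH %s is %s (want %s)\n", k, got[k], want[k]; bad++
        }
      }
      exit (bad > 0)
    }'
}

# Constructed sample dump: root login and GSSAPI are still enabled
SAMPLE_DUMP="port 22
permitrootlogin yes
pubkeyauthentication yes
gssapiauthentication yes
clientaliveinterval 300
clientalivecountmax 2"

printf '%s\n' "$SAMPLE_DUMP" | audit_sshd || echo "effective settings differ from the guide"
```

On a live system, run `sudo sshd -t` to syntax-check the file and `sudo systemctl restart sshd` to apply it, then audit with `sudo sshd -T | audit_sshd`.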
SSH Security with Firewalld
Allowing Your IP Address in Firewalld
Ensuring uninterrupted access is critical in a Fedora-based VPS or remote server environment. Allowing your IP address is essential before adjusting Firewalld settings, especially for remote system connections. Overlooking this could result in losing access to the server after applying firewall changes.
To allow your specific IP address in Firewalld, run the following command:
sudo firewall-cmd --permanent --add-source=<your_ip_address>
Replace <your_ip_address> with the actual IP address you are currently using. This step is crucial to maintain your access uninterrupted.
Integrating SSH Service into Firewalld
Once your IP address is safely allowed, add the SSH service to Firewalld. This action ensures that SSH connections are permitted through the firewall. Use this command:
sudo firewall-cmd --add-service=ssh --permanent
This command adds SSH to the list of services Firewalld will allow through the firewall.
Activating Updated Firewalld Settings
After making the necessary changes, apply them by reloading Firewalld:
sudo firewall-cmd --reload
Reloading Firewalld activates the new settings without interrupting the current network connectivity.
Verifying SSH Service in Firewalld
To ensure that SSH is correctly configured and allowed in Firewalld, execute:
sudo firewall-cmd --list-services | grep ssh
This command checks the list of services Firewalld allows and confirms that SSH is among them, so SSH connections are permitted through the firewall.
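The ssh service added above opens 22/tcp only, so a daemon moved to another port (see Changing the Port of SSH) stays blocked until that port is opened as well, for example with `sudo firewall-cmd --permanent --add-port=<port_number>/tcp`. The following added example (not part of the original guide) checks that the port sshd listens on is admitted by Firewalld; the function name and sample values are constructed, and it assumes the stock ssh service definition.

```sh
#!/bin/sh
# Added example: is the sshd port admitted by firewalld's services/ports lists?
# Live use:
#   ssh_port_open "$(sudo sshd -T | awk '$1=="port"{print $2; exit}')" \
#                 "$(sudo firewall-cmd --permanent --list-services)" \
#                 "$(sudo firewall-cmd --permanent --list-ports)"

# Assumption: the stock firewalld "ssh" service, which covers 22/tcp only
SSH_SERVICE_PORT=22

# $1 = sshd port, $2 = --list-services output, $3 = --list-ports output
# Returns 0 if the port is admitted, 1 if it is not, 2 on a non-numeric port.
ssh_port_open() {
  port=$1
  case $port in
    ''|*[!0-9]*) return 2 ;;
  esac
  if [ "$port" -eq "$SSH_SERVICE_PORT" ]; then
    for svc in $2; do
      if [ "$svc" = ssh ]; then return 0; fi
    done
  fi
  for entry in $3; do
    case $entry in
      */tcp) range=${entry%/tcp} ;;
      *) continue ;;                 # SSH runs over TCP; skip udp and others
    esac
    lo=${range%-*}                   # "2222" gives lo=hi=2222
    hi=${range#*-}                   # "8000-8100" gives lo=8000, hi=8100
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# Constructed case: sshd moved to 2222 while only the ssh service is allowed
if ssh_port_open 2222 "dhcpv6-client ssh" ""; then
  echo "2222/tcp is open"
else
  echo "2222/tcp is not open: add it before restarting sshd"
fi
```

With SELinux enforcing, a non-default port must also be labelled before sshd can bind to it: `sudo semanage port -a -t ssh_port_t -p tcp <port_number>`.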
Conclusion
With SSH successfully installed and configured on your Fedora system, you can securely manage your server remotely with confidence. Regularly updating your SSH configuration and following best practices will help maintain a secure and efficient remote management environment. Whether you’re accessing your system from another computer on your network or managing a server in a data center, SSH provides the essential tools for secure remote administration on Fedora.