How to Install OpenSSH on Rocky Linux

SSH (Secure Shell) provides encrypted remote access to Linux servers, allowing system administrators and developers to execute commands, transfer files, and manage services securely over untrusted networks. Whether you are managing a single VPS or a fleet of servers, SSH is the foundation of secure remote administration.

This guide walks through installing and configuring OpenSSH on Rocky Linux 8, 9, and 10. You will set up the SSH server, enable the service, configure key-based authentication for improved security, adjust firewall rules, and apply common hardening options. By the end, you will have a production-ready SSH configuration with secure defaults.

Update Rocky Linux Before SSH Installation

Before installing OpenSSH, update your system packages to ensure you have the latest security patches and avoid potential dependency conflicts. Run the following command to refresh the package metadata and upgrade all installed packages:

sudo dnf upgrade --refresh

Install OpenSSH Server on Rocky Linux

Rocky Linux desktop installations typically include OpenSSH by default, but minimal server installations and container images may not. First, check whether the OpenSSH server package is already installed:

rpm -qa | grep openssh-server

If this command produces output showing a package version (such as openssh-server-9.9p1-12.el10), the server is already installed and you can skip to the next section. If there is no output, install the OpenSSH server package:

sudo dnf install openssh-server -y

This command installs the SSH daemon (sshd) and its dependencies. The OpenSSH client package (openssh-clients) lives in a separate package; if you also need to connect to other servers from this machine, install it with sudo dnf install openssh-clients -y.

Enable and Start the SSH Service

After installation, enable the SSH daemon to start automatically on boot and then start the service immediately. The following commands accomplish both tasks:

sudo systemctl enable sshd
sudo systemctl start sshd

Alternatively, combine both actions into a single command using the --now flag:

sudo systemctl enable --now sshd

Verify the SSH Service Status

Confirm that the SSH daemon is running correctly by checking its status:

sudo systemctl status sshd

The output should show the service as active and running:

● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-01-07 10:30:00 UTC; 2min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 1234 (sshd)
      Tasks: 1 (limit: 23456)
     Memory: 1.2M
        CPU: 12ms
     CGroup: /system.slice/sshd.service
             └─1234 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Next, verify that the SSH daemon is listening on port 22 by checking the open TCP sockets:

ss -tlnp | grep :22

The ss command comes from the iproute package. On minimal installations where this package does not exist, install it with sudo dnf install iproute -y.

Expected output confirming SSH is listening on all interfaces:

LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=1234,fd=3))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=1234,fd=4))

Finally, verify the installed OpenSSH version:

ssh -V

Example output on Rocky Linux 10:

OpenSSH_9.9p1, OpenSSL 3.5.1 1 Jul 2025

OpenSSH versions vary by Rocky Linux release: Rocky 8 ships OpenSSH 8.0p1, Rocky 9 ships OpenSSH 8.7p1, and Rocky 10 ships OpenSSH 9.9p1. The commands in this guide work across all three versions.

Connect to Remote Servers via SSH

With SSH installed on your Rocky Linux system, you can connect to remote servers or allow incoming connections to your machine. The following sections cover common connection scenarios.

Connect Using Password Authentication

The simplest way to connect to a remote server is with password authentication. Use the following syntax, replacing the placeholders with your actual username and server address:

ssh username@remote_server

For example, to connect as user admin to a server at IP address 192.168.1.100:

ssh admin@192.168.1.100

On first connection, SSH prompts you to verify the server’s fingerprint. Type yes to accept and add the server to your known hosts file. You will then be prompted for your password.

Connect Using an Alternate Port

If the remote server runs SSH on a non-standard port, use the -p flag to specify the port number:

ssh -p 2222 username@remote_server

Connect Using Public Key Authentication

Public key authentication is more secure than passwords because it uses cryptographic key pairs instead of transmitting secrets over the network. If you have already configured key-based authentication, connect by specifying your private key file:

ssh -i ~/.ssh/id_ed25519 username@remote_server

If you store your key in the default location (~/.ssh/id_ed25519 or ~/.ssh/id_rsa), SSH uses it automatically without the -i flag. See the “Set Up Public Key Authentication” section below to generate and deploy keys.

Configure the SSH Server

The SSH daemon reads its configuration from /etc/ssh/sshd_config. Modifying this file allows you to tune security settings, session behavior, and access controls. Before making changes, create a backup:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

Open the configuration file in your preferred text editor:

sudo nano /etc/ssh/sshd_config

The following sections describe common configuration options. After making changes, save the file and restart the SSH service to apply them (covered in the “Apply Configuration Changes” section).

Rocky Linux 9 and 10: The SSH daemon uses a drop-in directory (/etc/ssh/sshd_config.d/) for configuration. The main config file includes these drop-ins at the top, and SSH uses the first value it encounters for each setting. To override defaults set in drop-in files like 50-redhat.conf, either add your settings to a file with a lower number (such as 01-custom.conf) or place them in sshd_config before the Include line.

Disable Root Login

Disabling direct root login forces administrators to authenticate as a regular user and then escalate privileges with sudo. This adds an extra layer of protection against brute-force attacks targeting the root account. Find or add the following line:

PermitRootLogin no

Before disabling root login, ensure you have another user account with sudo privileges. Otherwise, you may lock yourself out of the server.

Enable Public Key Authentication

Rocky Linux enables public key authentication by default. Verify or explicitly set the following directive:

PubkeyAuthentication yes

Once you have deployed keys to all authorized users, you can optionally disable password authentication entirely for maximum security:

PasswordAuthentication no

Configure Session Timeouts

Idle SSH sessions can pose a security risk if left unattended. Configure the server to send keep-alive messages and terminate unresponsive sessions. The following settings send a keep-alive every 5 minutes and disconnect after two missed responses (10 minutes of inactivity):

ClientAliveInterval 300
ClientAliveCountMax 2

Restrict Access to Specific Users or Groups

Limit SSH access to specific users or groups using the AllowUsers or AllowGroups directives. This prevents unauthorized accounts from connecting even if they have valid credentials:

AllowUsers admin deploy
AllowGroups sshusers

Replace admin, deploy, and sshusers with your actual usernames and group names. The server denies SSH access to users not on these lists.

Disable GSSAPI Authentication

Kerberos environments primarily use GSSAPI (Generic Security Services API) authentication. If you do not use Kerberos, disabling GSSAPI can speed up connection times by eliminating unnecessary authentication attempts:

GSSAPIAuthentication no

On Rocky 9 and 10, the 50-redhat.conf drop-in enables GSSAPI by default. To disable it, add this setting to /etc/ssh/sshd_config.d/01-custom.conf or place it before the Include line in the main config file.

Change the SSH Port

Changing the SSH port from the default 22 to a non-standard port reduces exposure to automated scanning and brute-force attempts. Choose a port between 1024 and 65535 that is not used by other services:

Port 2222

Rocky Linux uses SELinux by default, which restricts the ports that SSH can use. If you change the SSH port, you must update the SELinux policy before restarting sshd. See the “SELinux Port Configuration” section below.

SELinux Port Configuration

When running SSH on a non-standard port, SELinux blocks the daemon from binding to that port unless you add it to the allowed list. First, install the SELinux policy management tools if not already present:

sudo dnf install policycoreutils-python-utils -y

Then add your custom port to the SSH port type:

sudo semanage port -a -t ssh_port_t -p tcp 2222

Replace 2222 with your chosen port number. If the port is already defined for another service, semanage returns an error; in that case, use -m (modify) instead of -a (add).

Apply Configuration Changes

After modifying /etc/ssh/sshd_config, validate the syntax before restarting the service:

sudo sshd -t

If the command produces no output, the configuration passes validation. If there are errors, fix them before proceeding. Once validated, restart the SSH daemon to apply changes:

sudo systemctl restart sshd

If you are connected via SSH, keep your current session open and test the new configuration from a second terminal before disconnecting. This prevents lockouts if the new settings have issues.

Set Up Public Key Authentication

Public key authentication eliminates password-based login by using a cryptographic key pair. The private key stays on your local machine, while you copy the public key to the remote server. This approach offers better security and convenience for frequent connections.

Generate an SSH Key Pair

Generate a new key pair using the Ed25519 algorithm, which offers strong security with smaller key sizes than RSA:

ssh-keygen -t ed25519 -C "your_email@example.com"

The -C flag adds a comment (typically your email) to help identify the key. When prompted, accept the default file location or specify a custom path:

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_ed25519
Your public key has been saved in /home/user/.ssh/id_ed25519.pub

Adding a passphrase provides an extra layer of protection: even if someone obtains your private key file, they cannot use it without the passphrase. For automated scripts, you may leave it empty, but for interactive use, we recommend adding a passphrase.

If you require RSA keys for compatibility with older systems, use ssh-keygen -t rsa -b 4096 instead. However, Ed25519 is preferred for modern systems due to its performance and security advantages.

Copy the Public Key to the Remote Server

Use ssh-copy-id to transfer your public key to the remote server and configure the correct permissions automatically:

ssh-copy-id username@remote_server

This command appends your public key to ~/.ssh/authorized_keys on the remote server. You will be prompted for your password one final time. After successful completion, test the key-based login:

ssh username@remote_server

If key authentication works correctly, you will connect without a password prompt (or with just your key passphrase if you set one).

Configure Firewalld for SSH Access

Rocky Linux uses firewalld as its default firewall. Before modifying firewall rules on a remote server, ensure you have console access or a secondary connection method in case you accidentally lock yourself out.

Allow SSH Through the Firewall

Default Rocky Linux installations typically pre-configure SSH in firewalld. Verify that the firewall allows SSH:

sudo firewall-cmd --list-services

If ssh appears in the output, you do not need additional configuration. If the output does not list SSH, add it permanently:

sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload

Verify the change took effect:

sudo firewall-cmd --list-services

Expected output includes ssh:

cockpit dhcpv6-client ssh

Allow a Custom SSH Port

If you changed the SSH port, open the new port in the firewall. First, remove the default SSH service (which opens port 22), then add your custom port:

sudo firewall-cmd --remove-service=ssh --permanent
sudo firewall-cmd --add-port=2222/tcp --permanent
sudo firewall-cmd --reload

Replace 2222 with your custom port number. Verify the port is open:

sudo firewall-cmd --list-ports

Expected output showing your custom port:

2222/tcp

Restrict SSH Access by IP Address

For additional security, you can limit SSH connections to specific IP addresses using firewalld rich rules. This is particularly useful for servers that should only accept connections from known management networks:

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept'
sudo firewall-cmd --reload

Replace 192.168.1.100 with your trusted IP address or CIDR range (such as 192.168.1.0/24 for an entire subnet).

Troubleshoot Common SSH Issues

This section covers common problems you may encounter when setting up or connecting via SSH.

Connection Refused

If you receive a “Connection refused” error, the SSH daemon may not be running or listening on the expected port. Check the service status:

sudo systemctl status sshd

If the service shows as stopped or failed, check the journal for errors:

sudo journalctl -xeu sshd

Common causes include syntax errors in /etc/ssh/sshd_config or SELinux blocking a custom port. Validate the configuration with sudo sshd -t before restarting.

Permission Denied (Public Key)

If key-based authentication fails with “Permission denied (publickey)”, check the following:

• Ensure your public key is in ~/.ssh/authorized_keys on the remote server
• Verify correct permissions: chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys
• Confirm the home directory is not world-writable (chmod 755 ~ or stricter)
• Check that PubkeyAuthentication yes is set in /etc/ssh/sshd_config

For verbose debugging, connect with ssh -vvv username@remote_server to see detailed authentication negotiation.

SELinux Blocking Custom Port

If SSH fails to start after changing the port, SELinux may be blocking it. Check for denials:

sudo ausearch -m avc -ts recent | grep sshd

If you see denials related to binding to your custom port, add the port to the SSH SELinux type as described in the “SELinux Port Configuration” section above.

Firewall Blocking Connections

If connections time out rather than being refused, the firewall may be blocking traffic. Verify that the firewall allows SSH (or your custom port):

sudo firewall-cmd --list-all

Look for services: ssh or ports: 2222/tcp in the output. If missing, add the appropriate rule and reload the firewall.

Remove OpenSSH Server

If you no longer need the SSH server on your Rocky Linux system, you can remove it along with its dependencies.

First, stop and disable the service:

sudo systemctl stop sshd
sudo systemctl disable sshd

Then remove the package:

sudo dnf remove openssh-server -y

DNF automatically removes unused dependencies. The system preserves SSH host keys and configuration files in /etc/ssh/ by default in case you reinstall later. To completely remove all SSH configuration:

The following command permanently deletes SSH server configuration files, including the backup created earlier and the host keys. If you reinstall SSH later, the system will generate new host keys, and clients will see fingerprint mismatch warnings.

sudo rm -f /etc/ssh/sshd_config /etc/ssh/sshd_config.backup /etc/ssh/ssh_host_*

Verify removal by checking for the package:

rpm -qa | grep openssh-server

No output confirms successful removal.

Conclusion

You now have a fully configured SSH server on Rocky Linux with secure defaults, including key-based authentication, session timeouts, and proper firewall rules. For production environments, consider additional hardening measures such as installing fail2ban for brute-force protection, disabling password authentication entirely after deploying keys, and implementing port knocking for sensitive systems. Regular security updates with sudo dnf upgrade keep your SSH installation protected against newly discovered vulnerabilities.