How to Install SSH on Rocky Linux 9 or 8

SSH (Secure Shell) is a secure protocol used to remotely access and manage Linux servers. It provides encrypted communication, ensuring the security of data transferred between the client and server. SSH is a fundamental tool for system administrators and developers, allowing them to perform various tasks such as executing commands, transferring files, and managing network services securely over an unsecured network.

To set up SSH on Rocky Linux 9 or 8, you can follow a straightforward installation process using the default repositories. This guide will walk you through the installation steps and provide tips on initial configuration to enhance security and usability.

Update Rocky Linux Before SSH Installation

Before installing and configuring SSH on Rocky Linux, it’s crucial to ensure that your system’s packages are current. This not only guarantees smoother operations but also minimizes potential software conflicts.

To update your Rocky Linux system, use the command:

sudo dnf upgrade --refresh

Install SSH via DNF Command

The next step involves verifying whether the OpenSSH server is already on your Rocky Linux system. This can be ascertained by executing the command:

rpm -qa | grep openssh-server

This command will return a relevant output if the OpenSSH server is installed. If there’s no output, it indicates the absence of the OpenSSH server on your system. To address this and install the OpenSSH server, use the following command:

sudo dnf install openssh-server

Enable SSH (SSHD) Service

After successfully installing the OpenSSH server, enabling the SSHD service within the systemd framework is imperative. This ensures that the SSH daemon initializes automatically after every system reboot. To achieve this, execute the command:

sudo systemctl enable sshd

With the SSHD service now set to auto-start, you can manually initiate the SSH server using:

sudo systemctl start sshd

For verification purposes and to ensure the SSH server is running without issues, you can check its status with:

sudo systemctl status sshd

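To confirm that the SSH daemon is listening for incoming connections on the default port (22), run the command below. ss prints well-known ports by service name, so look for a LISTEN entry whose local address ends in :ssh.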

sudo ss -lt

Connect to a Remote Server via SSH on Rocky Linux 9 or 8

With SSH appropriately set up on your Rocky Linux system, you can now establish connections to remote servers. Here’s a detailed breakdown of how to utilize SSH for various connection scenarios:

Connecting Using Password Authentication with SSH on Rocky Linux

To establish a connection to a remote server using SSH with password-based authentication, employ the command:

ssh username@remote_server

Here, replace “username” with your actual username and “remote_server” with the IP address or hostname of the desired remote server. Upon execution, you’ll be prompted to input your password for authentication.

Connecting Using Public Key Authentication with SSH

SSH offers public key authentication for those preferring a more secure connection method. To connect using this method, the command is:

ssh -i /path/to/private_key username@remote_server

In this command, replace “/path/to/private_key” with the path leading to your private key file. Similarly, replace “username” with your username and “remote_server” with the IP address or hostname of the remote server. With this method the account password is not requested; authentication relies on the provided private key, and if that key is protected by a passphrase you are asked for the passphrase instead.

Specifying an Alternate Port for Connection with SSH

While SSH defaults to port 22 for connections, some remote servers might operate on different ports. To specify an alternate port during connection, use:

ssh -p 2222 username@remote_server

In this example, replace “2222” with the port number the remote server utilizes.

Secure File Transfer with SCP

SCP, or Secure Copy, is a potent command-line utility that facilitates the secure transfer of files between systems via SSH. To transfer a file from your local Rocky Linux system to a remote server, the command is:

scp /path/to/local/file username@remote_server:/path/to/remote/directory

Replace “/path/to/local/file” with the file path you intend to transfer. Similarly, adjust “username” to your username, “remote_server” to the IP address or hostname of the remote server, and “/path/to/remote/directory” to the directory path on the remote server where you wish to place the transferred file.

Configure SSH on Rocky Linux

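Optimizing the SSH configuration can enhance your server’s security and performance. The SSH configuration file, located at /etc/ssh/sshd_config, contains various parameters that can be adjusted to suit specific needs. While the following configurations are merely examples, they can be beneficial depending on your server or desktop setup. Two points apply to every change below. First, sshd keeps the first value it reads for each keyword, so a setting already present earlier in the file, or in a drop-in file under /etc/ssh/sshd_config.d/ that Rocky Linux 9 includes at the top of sshd_config, takes precedence over a line you append. Second, changes take effect only after the sshd service is restarted.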

Disabling GSSAPI Authentication for SSH

GSSAPI authentication, while helpful, can sometimes introduce delays during SSH connection establishment. To mitigate this, you can disable it by appending the line below to the SSH configuration file:

GSSAPIAuthentication no

Modifying SSH Session Timeouts

Adjusting session timeouts can help manage inactive SSH sessions. To set the server to send a keep-alive message every 5 minutes and terminate the session if two consecutive messages go unanswered, add:

ClientAliveInterval 300
ClientAliveCountMax 2

Prohibiting Root Login for SSH

For enhanced security, especially against brute-force attacks, it’s advisable to disable root login. This can be achieved with:

PermitRootLogin no

Implementing Public Key Authentication for SSH

Public key authentication offers a more secure alternative to password-based methods. To set this up, first you need to generate a new SSH key pair:

ssh-keygen -t rsa -b 4096

Next, transfer the public key to the desired remote server:

ssh-copy-id user@remote_server

Ensure you replace “user” with your username and “remote_server” with the appropriate IP address or hostname. Lastly, enable public key authentication in the SSH configuration:

PubkeyAuthentication yes

Restricting SSH Access

You can limit SSH access to specific users or groups for added security. To implement this, add:

AllowUsers user1 user2
AllowGroups group1 group2

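Replace the placeholders with the actual usernames or group names you wish to grant access. If you set both directives, a user must be listed in AllowUsers and also belong to one of the groups in AllowGroups, so use only the one you need.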

Altering the SSH Port

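SSH, by default, operates on port 22. Because automated scanners try that port first, moving sshd to another port can cut down on unauthorized access attempts, although it does not replace the authentication settings above. To assign a new port, use: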

Port <port_number>

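It’s advisable to select a port number between 1024 and 65535 that isn’t occupied by another service. On Rocky Linux, SELinux only lets sshd bind to ports labelled ssh_port_t, so the new port has to be added to that type with semanage and opened in Firewalld before you restart sshd; the Firewalld ssh service covers port 22 only.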
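The settings in this section only matter if sshd actually applies them. The following script is an added example, not part of the original guide: it compares the effective configuration, as printed by sshd -T, with the values shown above. The function name audit_sshd and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare sshd's effective settings with this guide's values.
# On a real host:  sudo sshd -t && sudo sshd -T | audit_sshd
# (sshd -t checks syntax; sshd -T prints "keyword value" lines, keywords lowercase.)

# Expected values, taken from the directives shown in this guide.
EXPECTED='gssapiauthentication no
clientaliveinterval 300
clientalivecountmax 2
permitrootlogin no
pubkeyauthentication yes'

# Reads "keyword value" lines on stdin, prints one line per check and
# returns the number of settings that are missing or differ.
audit_sshd() {
    a_effective=$(cat)
    a_failures=0
    while read -r a_key a_want; do
        a_got=$(printf '%s\n' "$a_effective" |
            awk -v k="$a_key" 'tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ "$a_got" = "$a_want" ]; then
            echo "OK    $a_key $a_got"
        else
            echo "FAIL  $a_key: want '$a_want', effective '${a_got:-<unset>}'"
            a_failures=$((a_failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$a_failures"
}

# Constructed samples (not captured from a real host).
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
gssapiauthentication no
clientaliveinterval 300
clientalivecountmax 2'

# Same host where an earlier-read file still enables GSSAPI and no keep-alive is set.
SAMPLE_DRIFTED='port 22
permitrootlogin no
pubkeyauthentication yes
gssapiauthentication yes
clientaliveinterval 0
clientalivecountmax 2'

printf '%s\n' "$SAMPLE_DRIFTED" | audit_sshd || echo "$? setting(s) differ from the guide"
```

A FAIL line for a directive you did add usually means an earlier line or a drop-in file set the keyword first.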

Secure SSH with Firewalld

When working with a VPS or a remote server environment, make sure your own access stays uninterrupted. Before making any changes to Firewalld, especially if you’re accessing the system remotely, it’s imperative to whitelist your IP address. Failing to do so might inadvertently lock you out of the server after applying the firewall changes.

To whitelist your IP address in Firewalld, use the following command:

sudo firewall-cmd --permanent --add-source=<your_ip_address>

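Replace <your_ip_address> with your actual IP address. Without a --zone option, the address is bound to the default zone and is allowed only what that zone permits.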

Once your IP address is whitelisted, you can safely incorporate the SSH service into Firewalld:

sudo firewall-cmd --add-service=ssh --permanent

After making the necessary adjustments, apply the new Firewalld configuration:

sudo firewall-cmd --reload

To verify the inclusion of the SSH service in Firewalld, run the following:

sudo firewall-cmd --list-services | grep ssh

This command confirms that the SSH service is permitted through the firewall, so your remote connections remain accessible after the reload.

Conclusion

With SSH successfully installed and configured on your Rocky Linux system, you can securely manage your server remotely. Regularly update your SSH configurations and apply best practices to maintain security. By following the initial setup tips, you ensure a more secure and efficient remote management experience. Enjoy the robust capabilities that SSH offers for secure server administration.
