Here we are going to take a look at some of the options available to us when configuring OpenSSH server and discuss what they actually do, as per the RHCE objective.
All of our configuration changes will be made within the /etc/ssh/sshd_config file, as this is where server side configuration for OpenSSH is maintained by default.
In order to apply any changes made in this file, sshd needs to be restarted as shown below.
systemctl restart sshd
For further information on basic service management with systemctl, see our guide here.
sshd_config Options
Here are some of the most commonly modified directives in the OpenSSH daemon configuration file. Lines that begin with a “#” represent comments and are not part of the configuration.
Port 22
Port specifies the TCP port that sshd will listen on for connections; by default this is port 22. Note that if you change the port here, you will also need to modify the SELinux port labelling so that sshd is allowed to bind to the new port. SELinux port labelling is another RHCE objective, so it is also worth learning.
ListenAddress 0.0.0.0
ListenAddress ::
ListenAddress defines the local IP addresses that sshd should listen on. In this case we are listening on 0.0.0.0, that is any IPv4 address on the system, and also on ::, which is any IPv6 address on the system.
SyslogFacility AUTHPRIV
SyslogFacility defines the facility code used when logging messages from sshd to syslog; this can be modified to change which facility the messages are sent under.
LoginGraceTime 2m
LoginGraceTime causes the server to disconnect after the specified amount of time has passed without a user successfully logging in.
PermitRootLogin yes
PermitRootLogin defines whether or not the root user can log in via SSH. By default root can gain access through SSH; for increased security you may want to consider disabling this.
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile is simply a file on the server that contains the public keys of users that are allowed to authenticate. By default this is .ssh/authorized_keys, a path relative to the home directory of the user logging in.
PasswordAuthentication yes
PasswordAuthentication defines whether authenticating with a password is allowed; the default is yes. This can be disabled by changing it to no in order to prevent users logging in with a password. If this is done you will need to use some other method, such as a public key.
PubkeyAuthentication yes
PubkeyAuthentication controls whether public key authentication is allowed; by default it is set to yes. This can be used in combination with, or instead of, PasswordAuthentication.
Protocol 2
Protocol can be set to 1, 2, or both. By default only version 2 is used; it is not recommended to enable version 1 as it is deemed insecure.
StrictModes yes
StrictModes specifies whether sshd should check the permissions and ownership of the user's files and home directory before allowing login; the login only succeeds if these are not world writable.
ChallengeResponseAuthentication no
ChallengeResponseAuthentication specifies whether we want to allow challenge response authentication, such as via PAM or something else. If you are aiming to disable password authentication with “PasswordAuthentication no”, this should also be set to no, otherwise a password may still be accepted through the challenge response path.
PermitEmptyPasswords no
PermitEmptyPasswords should ideally be disabled. If PasswordAuthentication is set to yes then enabling this allows login to accounts with empty passwords. Luckily the default here is no, which is definitely fine to keep.
AllowTcpForwarding no
AllowTcpForwarding specifies whether TCP port forwarding via SSH is allowed or not.
X11Forwarding no
X11Forwarding is set to no by default; when enabled it allows X11 graphical sessions to be forwarded via SSH.
UsePrivilegeSeparation sandbox
UsePrivilegeSeparation specifies whether sshd should use an unprivileged child process to handle incoming network traffic before authentication. Once a user authenticates, another process is created that has the privileges of that authenticated user. This helps to prevent privilege escalation by containing an attacker within the unprivileged process. By default this is set to yes; setting it to sandbox puts additional restrictions on the pre-authentication process.
Banner /etc/issue
Banner simply specifies a file whose contents you wish to display to a user before they authenticate. It can be useful, for instance, to provide a message advising the user that the system is only intended for authorized users.
Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem is used to configure an external subsystem such as a file transfer daemon; here we are using it to run sftp-server, allowing for SFTP transfers over SSH.
KerberosAuthentication no
KerberosAuthentication specifies whether the password provided by the user will be validated by a Kerberos KDC; this may be enabled if you need to use Kerberos based authentication with SSH.
UseDNS yes
With UseDNS enabled, sshd will look up the hostname of the remote client and check that the resolved hostname maps back to the same IP address. By default it is set to yes, however it is frequently set to no to help speed up SSH connections, as the DNS resolution takes time to complete.
UsePAM no
What did PAM ever do to you? This enables the Pluggable Authentication Module (PAM) interface, which is set to no by default.
AllowGroups group1 group2
AllowGroups lists the group names that are allowed to log in via SSH. By default any group can log in via SSH, however this can be restricted here. The inverse can also be accomplished with DenyGroups.
AllowUsers alice bob
AllowUsers works similarly to AllowGroups above, in that by default any user can log in via SSH, however we can restrict this to a specific list of users if required. The inverse can also be accomplished with DenyUsers.
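As an added example (not code from the original post), the function below models how sshd combines the four access-list directives. The evaluation order it follows, DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, is the one documented in the sshd_config(5) manual page; the patterns use the same * and ? wildcards. Host-qualified entries (user@host) and negated patterns are outside the scope of this model.

```python
import fnmatch
from typing import Iterable, Sequence


def _matches_any(name: str, patterns: Iterable[str]) -> bool:
    """sshd-style pattern match: '*' and '?' wildcards, case-sensitive."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def login_permitted(user: str, groups: Sequence[str],
                    deny_users: Sequence[str] = (), allow_users: Sequence[str] = (),
                    deny_groups: Sequence[str] = (), allow_groups: Sequence[str] = ()) -> bool:
    """Return True if sshd would accept `user` (a member of `groups`) under the
    given access lists. Order as in sshd_config(5): DenyUsers, AllowUsers,
    DenyGroups, AllowGroups. A non-empty Allow list restricts login to its
    members; an empty Allow list imposes no restriction. Any deny match wins."""
    if _matches_any(user, deny_users):
        return False
    if allow_users and not _matches_any(user, allow_users):
        return False
    if any(_matches_any(g, deny_groups) for g in groups):
        return False
    if allow_groups and not any(_matches_any(g, allow_groups) for g in groups):
        return False
    return True


# Constructed scenario mirroring the directives above:
#   AllowGroups group1 group2
#   AllowUsers alice bob
#   DenyUsers guest*
POLICY = dict(allow_groups=["group1", "group2"], allow_users=["alice", "bob"],
              deny_users=["guest*"])


def demo() -> dict:
    """Evaluate a few hypothetical accounts against POLICY."""
    return {
        # alice is listed in AllowUsers and is in group1: permitted
        "alice": login_permitted("alice", ["group1", "users"], **POLICY),
        # carol is in an allowed group but not in AllowUsers: AllowUsers is
        # evaluated first and is non-empty, so she is refused
        "carol": login_permitted("carol", ["group1"], **POLICY),
        # bob is in AllowUsers but in neither allowed group: refused by AllowGroups
        "bob": login_permitted("bob", ["users"], **POLICY),
        # guest1 is caught by the DenyUsers wildcard before anything else is checked
        "guest1": login_permitted("guest1", ["group1"], **POLICY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:8s} -> {'permitted' if ok else 'refused'}")
```

The point to take away is that AllowUsers and AllowGroups are both applied when both are set: an account must pass every non-empty list, and a match on any Deny list refuses the login regardless of the Allow lists.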
ChrootDirectory /home/chroot/
ChrootDirectory defines the path of a directory to use as a chroot environment after authentication; the user will not be able to leave the chrooted directory tree.
Match User alice
    X11Forwarding yes
    AllowTcpForwarding yes
Global settings can be overridden on a per user or per group basis with the Match directive. The Match directive opens a conditional block that only applies if the criteria on the Match line are met; for instance the above configuration will only apply to the user ‘alice’. Match blocks need to be placed towards the end of the file, as everything after the Match line applies whenever the Match criteria are satisfied, until another Match block with new criteria is specified, in which case the following settings will only apply if that new criteria is matched.
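As an added example that is not part of the original post, the script below parses a constructed sshd_config (embedded inline, not a real host's file), resolves the settings that would be in effect for a given user once Match blocks are taken into account, and flags the weak values discussed above (PermitRootLogin yes, PasswordAuthentication yes, PermitEmptyPasswords yes, Protocol 1, UsePrivilegeSeparation no, and ChallengeResponseAuthentication left on while passwords are off). It assumes the first occurrence of a keyword wins within a section, which is how sshd reads the file, and only evaluates the User and Group match criteria; Address, Host and the other criteria are treated as not matching.

```python
import fnmatch
from typing import Dict, List, Sequence, Tuple

# Constructed sample, shaped like the directives discussed in this post.
SAMPLE_CONFIG = """\
# Global settings
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no
UsePrivilegeSeparation sandbox

Match User alice
    X11Forwarding yes
    AllowTcpForwarding yes

Match Group admins
    PasswordAuthentication no
"""

Settings = Dict[str, str]
MatchBlock = Tuple[Dict[str, List[str]], Settings]


def parse_sshd_config(text: str) -> Tuple[Settings, List[MatchBlock]]:
    """Split the file into global settings and an ordered list of Match blocks.
    Keywords are case-insensitive; the first value seen for a keyword in a
    section is kept and later duplicates are ignored, as sshd does."""
    global_settings: Settings = {}
    blocks: List[MatchBlock] = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            criteria: Dict[str, List[str]] = {}
            if tokens == ["all"]:
                criteria["all"] = ["all"]
            else:  # pairs of criterion type and comma-separated pattern list
                for ctype, patterns in zip(tokens[0::2], tokens[1::2]):
                    criteria[ctype.lower()] = patterns.split(",")
            current = {}
            blocks.append((criteria, current))
            continue
        target = global_settings if current is None else current
        target.setdefault(key, value)
    return global_settings, blocks


def match_applies(criteria: Dict[str, List[str]], user: str, groups: Sequence[str]) -> bool:
    """True if every criterion on the Match line is satisfied (User/Group only here)."""
    if "all" in criteria:
        return True
    for ctype, patterns in criteria.items():
        if ctype == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in patterns):
                return False
        elif ctype == "group":
            if not any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns):
                return False
        else:
            return False  # Address, Host, LocalPort etc. are not modelled
    return True


def effective_settings(text: str, user: str, groups: Sequence[str] = ()) -> Settings:
    """Global settings overridden by matching Match blocks; among several
    matching blocks the first one that sets a keyword wins."""
    global_settings, blocks = parse_sshd_config(text)
    overrides: Settings = {}
    for criteria, settings in blocks:
        if match_applies(criteria, user, groups):
            for key, value in settings.items():
                overrides.setdefault(key, value)
    return {**global_settings, **overrides}


WEAK_CHECKS = [
    ("permitrootlogin", lambda v: v.lower() == "yes", "PermitRootLogin yes: root can log in directly"),
    ("passwordauthentication", lambda v: v.lower() == "yes", "PasswordAuthentication yes: password logins allowed"),
    ("permitemptypasswords", lambda v: v.lower() == "yes", "PermitEmptyPasswords yes: empty-password accounts can log in"),
    ("protocol", lambda v: "1" in v.split(","), "Protocol 1 enabled: insecure protocol version"),
    ("useprivilegeseparation", lambda v: v.lower() == "no", "UsePrivilegeSeparation no: pre-auth code runs privileged"),
]


def audit(effective: Settings) -> List[str]:
    """Return human-readable findings for weak values in the effective settings."""
    findings = [msg for key, is_weak, msg in WEAK_CHECKS
                if key in effective and is_weak(effective[key])]
    # Upstream defaults are yes for both keywords if they are absent from the file.
    if (effective.get("passwordauthentication", "yes").lower() == "no"
            and effective.get("challengeresponseauthentication", "yes").lower() == "yes"):
        findings.append("ChallengeResponseAuthentication yes: passwords may still be accepted via PAM")
    return findings


if __name__ == "__main__":
    for name, grps in (("bob", ["users"]), ("alice", ["users"]), ("carol", ["admins"])):
        eff = effective_settings(SAMPLE_CONFIG, name, grps)
        print(name, {k: eff[k] for k in ("x11forwarding", "allowtcpforwarding", "passwordauthentication")}, audit(eff))
```

Running it shows that alice gets X11 and TCP forwarding while bob does not, that members of admins are no longer able to use passwords, and that PermitRootLogin yes is flagged for everyone because nothing in a Match block overrides it.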
Additional Resources
While we have covered some of the more commonly used sshd options that you should know for the RHCE exam, you can view the manual page for the /etc/ssh/sshd_config file for detailed information on all available options.
man 5 sshd_config
This manual page will be available during the RHCE exam and is a very important resource to refer to should you be required to make any changes to the server side SSH configuration.
Summary
It is important to know how to modify the various configuration settings within the sshd_config file and apply them as required. Knowing how to perform the most common tasks will save you time, but you can always refer to the man page for sshd_config, which lists and details all available options. Keep this in mind if you’re taking the RHCE exam, as it is a great resource to turn to.
This post is part of our Red Hat Certified Engineer (RHCE) exam study guide series. For more RHCE related posts and information check out our full RHCE study guide.