RHEL7: Configure additional SSH options described in documentation.


Note: This is an RHCE 7 exam objective.

Configuration Procedure

Install the SSH service if it is not already there:

# yum install -y openssh-server

Activate the SSH service at boot:

# systemctl enable sshd

Start the SSH service:

# systemctl start sshd

Add a new service to the firewall:

# firewall-cmd --permanent --add-service=ssh

Reload the firewall configuration:

# firewall-cmd --reload

Let’s open the /etc/ssh/sshd_config file and discuss its content:

Port 22                                 # defines listening port for ssh
AddressFamily any                       # accepts IPv4 and IPv6 addresses
ListenAddress 0.0.0.0                   # allows ssh to listen on all IPv4 network interfaces
ListenAddress ::                        # listens on IPv6 addresses too
Protocol 2                              # defines version of ssh (version 1 is not used any more)
SyslogFacility AUTHPRIV                 # stores logging attempts in /var/log/secure (see rsyslog.conf file)
LoginGraceTime 2m                       # sets the time to connect
PermitRootLogin yes                     # allows direct login as root: outside lab, this option should be set to 'no'
StrictModes yes                         # allows connection only if the user's home directory is not world-writable
MaxAuthTries 6                          # defines the number of authentication attempts allowed
MaxSessions 10                          # defines the limit of simultaneous open connections
PubKeyAuthentication yes                # enables public key authentication
AuthorizedKeysFile .ssh/authorized_keys # defines the location of the authorized-keys file
HostbasedAuthentication no              # forbids the use of /etc/hosts.equiv
IgnoreUserKnownHosts no                 # reads the .ssh/known_hosts at each connection
IgnoreRhosts yes                        # doesn't read user's ~/.rhosts file
PasswordAuthentication yes              # sets password-based authentication
PermitEmptyPasswords no                 # doesn't allow empty passwords (hopefully!)
ChallengeResponseAuthentication no      # forbids use of one-time passwords
UsePAM yes                              # enables the Pluggable Authentication Module interface
AllowAgentForwarding yes                # allows the ssh-agent to forward private keys
AllowTCPForwarding yes                  # allows TCP communications to be forwarded
GatewayPorts no                         # prevents remote hosts from connecting to ports forwarded for the client
X11Forwarding yes                       # enables X11 forwarding
X11DisplayOffset 10                     # limits the number of GUI displays open at the same time
X11UseLocalhost yes                     # defines how the GUI display is bound to the SSH server
PrintMotd yes                           # displays the message of the day
PrintLastLog yes                        # displays the date of the last login
TCPKeepAlive yes                        # allows the system to send TCP keepalive messages
UseLogin no                             # specifies whether login(1) is used for interactive login sessions
UsePrivilegeSeparation yes              # separates incoming network traffic processing from the rest
PermitUserEnvironment no                # doesn't deal with environment options
Compression delayed                     # specifies that compression is delayed until user authentication
ClientAliveInterval 0                   # doesn't send any client-alive message before client disconnection (0 disables the check)
ClientAliveCountMax 3                   # defines the number of unanswered client-alive messages before client disconnection (only applies if ClientAliveInterval is not 0)
UseDNS yes                              # checks remote hostnames against DNS
PidFile /var/run/sshd.pid               # defines the file where the SSH process ID is stored
MaxStartups 10                          # defines the number of terminals simultaneously allowed
PermitTunnel no                         # doesn't support device forwarding
ChrootDirectory none                    # disables the use of chroot
Subsystem sftp /usr/libexec/openssh/sftp-server # supports the use of SSH encryption for SFTP file transfers
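An added example (not part of the original page) that checks a sshd_config file against the hardened values discussed in the listing above, without starting sshd. The function and file names are mine, and the sample config is constructed; it also shows a caveat practitioners trip over: sshd honours the first occurrence of a keyword, so a hardened value appended at the end of the file is silently ignored.

```shell
# Added example (not from the original page): audit an sshd_config against the
# hardened values above without starting sshd; "# ..." annotations are stripped.
# Print the value sshd would use for KEY. Keywords are case-insensitive, "Key
# value" and "Key = value" are both accepted and, as sshd_config(5) says, the
# FIRST occurrence wins. Parsing stops at the first Match block (conditional
# settings); prints nothing when the key is not set globally.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
        sub(/[[:space:]]*#.*$/, "")                # drop comments/annotations
        sub(/^[[:space:]]+/, "")
        if ($0 == "") next
        n = match($0, /[[:space:]=]/)              # end of the keyword
        k = n ? substr($0, 1, n - 1) : $0
        v = n ? substr($0, n) : ""
        sub(/^[[:space:]]*=?[[:space:]]*/, "", v)
        sub(/[[:space:]]+$/, "", v)
        if (tolower(k) == "match") exit
        if (tolower(k) == key) { print v; exit }
    }' "$1"
}
# Report settings that deviate from what the listing recommends; an unset key
# counts too (its default varies by OpenSSH release). Returns the finding count.
sshd_audit() {
    f=$1; bad=0
    for pair in permitrootlogin=no permitemptypasswords=no protocol=2 \
                hostbasedauthentication=no permituserenvironment=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$f" "$key"); [ -n "$got" ] || got='(unset)'
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "$key: got '$got', want '$want'"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}
# Constructed sample (not a real host's file). The late "PermitRootLogin no" is
# the classic `echo >> sshd_config` mistake: sshd keeps the first value, "yes".
write_sample() {
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin yes                     # lab setting, as in the listing above
HostbasedAuthentication = no
PermitEmptyPasswords no
PermitRootLogin no
Match User backup
    PermitUserEnvironment yes
EOF
}
tmp=$(mktemp); write_sample "$tmp"; sshd_audit "$tmp" || echo "findings: $?"; rm -f "$tmp"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this script is for reviewing files before they are deployed.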

Additional Resources

You can also have a look at this OpenSSH primer.



I found the DenyUsers, AllowUsers, DenyGroups and AllowGroups options in sshd_config useful to limit ssh access to certain hosts and login users/groups. That’s when using user/password credentials.

Example1: (/etc/ssh/sshd_config)

# allow users only from ip
AllowUsers *@

# allow only wheel group to access
AllowGroups wheel

For securing key-based access, you should check 'man sshd' and navigate to the AUTHORIZED_KEYS file format. You can add "from=" and "command=" prefixes to limit pubkey-authenticated sessions to access from certain hosts or to execute only some particular commands.

Example2: (~/.ssh/authorized_hosts)
# allow pubkey authentication and execute the ps command only (no interactive shell).
from="",command="ps aux" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzf8glreEBwm0zd0nU6kNVXpjc2AFiCkfOdVfE6QhHhvkd/t+VIatrPWSDStnixDQAJCqlBtegKxh8b1C0oYmAAGUNPhgtMqYHm5jrQOYm2uempXg8ai11qPpEI7sdy7a89Mb7ultOA1Ie7vhc0DdU8Imiwq5/EZq/lT+ZQzZQdLlzAnyp9Khs67SBS3HeR8iZJyL8tMr7ZEtD+u5wOrCuFvldtqxFYbrDNgJ2mwsScokiEYR7PznN1GpUaGW0AaCCGWlguqtuwM2V9M4u4WjiG8yuBpCI42N5Be8vNmJt6d7AbolYo3TkezYrU8Y/jrBZONAPmZ1khxf9MwmbAtyD


What particular tasks can be requested on the exam regarding additional options from /etc/ssh/sshd_config?


What about SSH tunnelling? Is it needed to know?



How do you disallow access from a certain hostname to ssh?
