RHEL7: Configure additional SSH options described in documentation.

Note: This is an RHCE 7 exam objective.

Configuration Procedure

Install the SSH service if it is not already there:

# yum install -y openssh-server

Activate the SSH service at boot:

# systemctl enable sshd

Start the SSH service:

# systemctl start sshd

Add a new service to the firewall:

# firewall-cmd --permanent --add-service=ssh

Reload the firewall configuration:

# firewall-cmd --reload

Let’s open the /etc/ssh/sshd_config file and discuss its content:

Port 22                                 # defines the listening port for ssh
AddressFamily any                       # accepts IPv4 and IPv6 addresses
ListenAddress 0.0.0.0                   # allows ssh to listen on all IPv4 network interfaces
ListenAddress ::                        # listens on all IPv6 addresses too
Protocol 2                              # defines the version of ssh (version 1 is not used any more)
SyslogFacility AUTHPRIV                 # logs login attempts to /var/log/secure (see rsyslog.conf file)
LoginGraceTime 2m                       # sets the time allowed to authenticate before the server disconnects
PermitRootLogin yes                     # allows direct login as root: outside lab, this option should be set to 'no'
StrictModes yes                         # checks modes and ownership of the user's home directory and files before accepting login
MaxAuthTries 6                          # defines the number of authentication attempts allowed per connection
MaxSessions 10                          # defines the limit of open sessions per network connection
PubKeyAuthentication yes                # enables public key authentication
AuthorizedKeysFile .ssh/authorized_keys # defines the location of the authorized_keys file
HostbasedAuthentication no              # disables host-based authentication (forbids the use of /etc/hosts.equiv)
IgnoreUserKnownHosts no                 # uses the user's ~/.ssh/known_hosts during host-based authentication
IgnoreRhosts yes                        # doesn't read the user's ~/.rhosts file
PasswordAuthentication yes              # enables password-based authentication
PermitEmptyPasswords no                 # doesn't allow empty passwords (hopefully!)
ChallengeResponseAuthentication no      # disables challenge-response authentication (e.g. one-time passwords)
UsePAM yes                              # enables the Pluggable Authentication Module interface
AllowAgentForwarding yes                # allows ssh-agent forwarding (the agent connection is forwarded, private keys stay on the client)
AllowTCPForwarding yes                  # allows TCP communications to be forwarded
GatewayPorts no                         # prevents remote hosts from connecting to ports forwarded for the client
X11Forwarding yes                       # enables X11 forwarding
X11DisplayOffset 10                     # defines the first display number available for X11 forwarding
X11UseLocalhost yes                     # binds the X11 forwarding server to the loopback address
PrintMotd yes                           # displays the message of the day
PrintLastLog yes                        # displays the date of the last login
TCPKeepAlive yes                        # allows the system to send TCP keepalive messages
UseLogin no                             # specifies whether login is used for interactive login sessions
UsePrivilegeSeparation yes              # separates incoming network traffic processing from the rest
PermitUserEnvironment no                # ignores ~/.ssh/environment and environment= options in authorized_keys
Compression delayed                     # specifies that compression is delayed until user authentication
ClientAliveInterval 0                   # 0 means the server sends no client-alive messages
ClientAliveCountMax 3                   # defines the number of unanswered client-alive messages before client disconnection
                                        # (only applies if ClientAliveInterval is different from 0)
UseDNS yes                              # checks remote hostnames against DNS
PidFile /var/run/sshd.pid               # defines the file where the SSH process ID is stored
MaxStartups 10                          # defines the maximum number of concurrent unauthenticated connections
PermitTunnel no                         # doesn't support tun device forwarding
ChrootDirectory none                    # disables the use of chroot
Subsystem sftp /usr/libexec/openssh/sftp-server # supports the use of SSH encryption for SFTP file transfers
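
To check a file against the listing above, here is an added example (not part of the original page) that parses an sshd_config the way sshd reads it, with case-insensitive keywords and the first value for a keyword winning, and reports deviations. The BASELINE policy, the function names and the sample text are assumptions made for this example.

```python
import re

# Assumed policy: the protective values from the listing above, with
# PermitRootLogin set to "no" as the page advises outside a lab.
BASELINE = {
    "protocol": "2", "permitrootlogin": "no", "permitemptypasswords": "no",
    "strictmodes": "yes", "ignorerhosts": "yes",
    "hostbasedauthentication": "no", "useprivilegeseparation": "yes",
}

def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    Keywords are case-insensitive and the first value seen for a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        # keyword and value are separated by whitespace or by a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":                   # conditional blocks are out of scope
            break
        if len(parts) == 2:
            settings.setdefault(keyword, parts[1].strip())
    return settings

def audit(text, baseline=BASELINE):
    """Return (keyword, found, expected) tuples; found is None when the keyword
    is unset and sshd would fall back to its compiled-in default."""
    settings = parse_sshd_config(text)
    return [(k, settings.get(k), v) for k, v in baseline.items()
            if (settings.get(k) or "").lower() != v]

# Constructed sample, not a real host's configuration.
SAMPLE = """\
Port 22
Protocol 2
permitrootlogin yes      # lab setting
PermitRootLogin no       # ignored by sshd: the first value wins
PermitEmptyPasswords no
StrictModes yes
IgnoreRhosts=yes
HostbasedAuthentication no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The duplicate PermitRootLogin line in the sample shows why appending a corrected value at the end of the file does not change what sshd uses.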

Additional Resources

You can also have a look at this OpenSSH primer.

15 comments on “RHEL7: Configure additional SSH options described in documentation.”
  1. codingberg says:

    I found DenyUsers, AllowUsers, DenyGroups, AllowGroups options in sshd_config useful to limit ssh access to certain hosts and login users/groups. That’s when using user/password credentials.

    Example1: (/etc/ssh/sshd_config)

    # allow users only from ip 10.0.1.100
    AllowUsers *@10.0.1.100

    # allow only wheel group to access
    AllowGroups wheel

    For securing key-based access, you should check ‘man sshd’ and navigate to AUTHORIZED_KEYS file format. You can add “from=” and “command=” prefixes to limit Pubkey authenticated sessions to access from certain hosts or to execute only some particular commands.

    Example2: (~/.ssh/authorized_hosts)
    # allow 10.0.1.100 to do pubkey authentication and execute ps command (no interactive shell).
    from="10.0.1.100",command="ps aux" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzf8glreEBwm0zd0nU6kNVXpjc2AFiCkfOdVfE6QhHhvkd/t+VIatrPWSDStnixDQAJCqlBtegKxh8b1C0oYmAAGUNPhgtMqYHm5jrQOYm2uempXg8ai11qPpEI7sdy7a89Mb7ultOA1Ie7vhc0DdU8Imiwq5/EZq/lT+ZQzZQdLlzAnyp9Khs67SBS3HeR8iZJyL8tMr7ZEtD+u5wOrCuFvldtqxFYbrDNgJ2mwsScokiEYR7PznN1GpUaGW0AaCCGWlguqtuwM2V9M4u4WjiG8yuBpCI42N5Be8vNmJt6d7AbolYo3TkezYrU8Y/jrBZONAPmZ1khxf9MwmbAtyD
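
An added example, not part of the comment above or of the original page: a parser for the option prefix of authorized_keys entries (the AUTHORIZED_KEYS FILE FORMAT section of man sshd) that lists keys carrying no from= or command= limit. The function names, the policy that every key should have both limits, and the sample entries with placeholder key material are assumptions made for this example.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # prefixes of public key type names

def split_unquoted(s, sep, maxsplit=-1):
    """Split s on sep, ignoring separators inside double quotes."""
    parts, buf, in_q, i = [], "", False, 0
    while i < len(s):
        c = s[i]
        if in_q and c == "\\" and i + 1 < len(s):   # keep \" escapes intact
            buf += s[i:i + 2]
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        if c == sep and not in_q and maxsplit != 0:
            parts.append(buf)
            buf, maxsplit = "", maxsplit - 1
        else:
            buf += c
        i += 1
    return parts + [buf]

def parse_entry(line):
    """Return (options dict, key type) for one authorized_keys line."""
    line, opts = line.strip(), {}
    if not line.startswith(KEY_TYPES):              # the line begins with options
        head = split_unquoted(line, " ", 1)
        if len(head) != 2:
            raise ValueError("options without a key")
        for item in split_unquoted(head[0], ","):
            name, _, val = item.partition("=")
            if val[:1] == '"' and val[-1:] == '"':
                val = val[1:-1].replace('\\"', '"')
            opts[name.lower()] = val or True        # flag options such as no-pty
        line = head[1]
    return opts, line.split()[0]

def unrestricted(lines):
    """Return (line number, missing limits) for keys lacking from=/command=."""
    report = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, _ = parse_entry(line)
        missing = [o for o in ("from", "command") if o not in opts]
        if missing:
            report.append((n, missing))
    return report

# Constructed sample entries; the key material is a placeholder.
SAMPLE = r'''from="10.0.1.100",command="ps aux" ssh-rsa AAAAEXAMPLE1 ops@host
ssh-ed25519 AAAAEXAMPLE2 admin@laptop
command="echo \"a, b\"",no-pty ssh-rsa AAAAEXAMPLE3 job@host'''
```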

  2. alexritm says:

    What particular tasks can be requested on the exam regarding additional options from /etc/ssh/sshd_config?

  3. alexritm says:

    What about SSH tunnelling? Is it needed to know?

  4. benny says:

    Hi,

    How do you disallow access from a certain hostname to SSH?

    • CertDepot says:

      I think you need to use tcpwrapper and the /etc/hosts.deny file.

      • hunter86_bg says:

        Or use the firewall…

        • Lisenet says:

          This won’t work if the hostname changes its IP address over time, as firewall records will be IP based, not DNS based.

          • hunter86_bg says:

            Setting multiple rules in tcp.wrappers is also not a good solution. FQDNs rarely change their IPs in the enterprise. At least – it never happened to me.

          • Lisenet says:

            Can you give us a reason why it’s not a good solution? What would you advise as a good solution then?

            My point is that regardless of your personal experience, adding FQDNs to firewall is not a reliable solution.

          • hunter86_bg says:

            Adding multiple rules in the /etc/hosts.allow and /etc/hosts.deny will slow down the processing of any connection.
            Imagine a MySQL Server where you have 2000 requests/per second. Now add 100 lines in /etc/hosts.deny and all those requests will get slower.
            Now you can imagine the situation with an Oracle DB which outperforms MySQL way more…

            FQDNs in firewall – I agree that this is not a solution. I meant to use the IP of the hostname and put it in the iptables/firewalld.
            Of course we can use Fail2Ban in a situation where you need to prevent spammers/abusers.

          • Lisenet says:

            I think you got carried away a bit. OP asked for how to disallow access from certain hostname via SSH. Where does MySQL/Oracle come from?

            Putting host names in hosts.allow or hosts.deny means the server will do a reverse DNS lookup to get the domain name for the IP address. This will slow down an SSH connection, but that is expected.

            Can you elaborate on how adding hosts entries for an SSH service impacts MySQL/Oracle server? Database connections don’t do any reverse lookups.

            And another thing, if you have SSH available to the world on a MySQL/Oracle server so that you need to block domains from accessing the server, you are simply doing it wrong. A database server must not have SSH visible to the world – it should be placed behind a VPN etc.
