How To Install SSH Server on Rocky Linux 10
Installing and configuring an SSH server on Rocky Linux 10 is essential for secure remote server management and administration. SSH (Secure Shell) provides encrypted communication between your local machine and remote servers, making it the backbone of modern Linux system administration. Rocky Linux 10, with its enterprise-grade stability and security features, offers robust SSH implementation through OpenSSH.
This comprehensive guide will walk you through every step of SSH server installation on Rocky Linux 10. You’ll learn how to install, configure, secure, and troubleshoot SSH services effectively. Whether you’re a system administrator managing multiple servers or a developer needing remote access to development environments, this tutorial provides the expertise needed for successful SSH deployment.
The process involves several critical components: OpenSSH server installation, service configuration, security hardening, firewall setup, and ongoing maintenance. Each step requires careful attention to security best practices and proper configuration management. By following this guide, you’ll establish a secure, reliable SSH infrastructure on your Rocky Linux 10 system.
Prerequisites and Requirements
Before beginning the SSH server installation process, ensure your Rocky Linux 10 system meets specific requirements and you have necessary access privileges.
System Requirements:
- Fresh or existing Rocky Linux 10 installation (minimal or full desktop environment)
- Root access or user account with sudo privileges
- Active network connection with internet access
- Minimum 512 MB RAM and 10 GB available disk space
Network Prerequisites:
Your system needs a properly configured network interface with either static or dynamic IP address assignment. Verify network connectivity using ping
commands to external hosts. Ensure DNS resolution works correctly, as SSH relies on proper hostname resolution for optimal performance.
Administrative Access:
You must have either direct root access or belong to the wheel group for sudo privileges. This access level is crucial for installing packages, modifying system configurations, and managing services. Verify your privileges by running sudo whoami
– it should return “root” if configured correctly.
Knowledge Prerequisites:
Basic familiarity with Linux command-line interface, file editing using nano or vim, and understanding of network concepts like ports and IP addresses will significantly enhance your success with this tutorial.
Understanding SSH on Rocky Linux 10
SSH represents a cryptographic network protocol designed for secure communication over unsecured networks. Rocky Linux 10 implements SSH through OpenSSH, an open-source suite providing encrypted remote login, file transfer, and tunneling capabilities.
SSH Architecture Overview:
The SSH protocol operates on a client-server model where the SSH daemon (sshd) runs continuously on the server, listening for incoming connections. Clients connect using SSH client software, establishing encrypted sessions for command execution, file transfers, or port forwarding. This architecture ensures all data transmission remains protected from eavesdropping and tampering.
OpenSSH Components in Rocky Linux 10:
Rocky Linux 10 includes several OpenSSH components: sshd
(the server daemon), ssh
(client for remote connections), scp
(secure copy for file transfers), sftp
(secure file transfer protocol), and ssh-keygen
(key generation utility). Each component serves specific purposes in the SSH ecosystem.
Security Features:
Modern OpenSSH implementations support multiple encryption algorithms including AES, ChaCha20, and 3DES. Authentication methods range from traditional password-based authentication to more secure public key cryptography. SSH also supports two-factor authentication, certificate-based authentication, and Kerberos integration for enterprise environments.
Default Configuration Location:
Rocky Linux 10 stores SSH configuration files in /etc/ssh/
. The main server configuration file sshd_config
contains global settings, while host keys reside in the same directory. Understanding these file locations is crucial for proper SSH management and troubleshooting.
Step-by-Step Installation Guide
Checking Current SSH Status
Before installing new SSH components, verify the current state of SSH services on your Rocky Linux 10 system. This preliminary check prevents conflicts and ensures clean installation.
Verify OpenSSH Installation:
rpm -qa | grep openssh-server
This command queries the RPM database for OpenSSH server packages. If OpenSSH server is already installed, you’ll see package information including version numbers. An empty result indicates the server package isn’t installed.
Check SSH Service Status:
sudo systemctl status sshd
The systemctl command displays comprehensive service information including current status (active, inactive, or failed), recent log entries, and service configuration details. Understanding service states helps determine necessary installation or configuration steps.
Verify SSH Process:
ps aux | grep sshd
This process listing shows running SSH daemons and their process IDs. Active SSH processes indicate the service is operational, while absence suggests the service needs starting or installation.
Installing OpenSSH Server
System Update Preparation:
Begin with system updates to ensure package compatibility and security patches:
sudo dnf update -y
Updating the system before package installation prevents dependency conflicts and ensures you’re working with the latest package versions. The -y
flag automatically confirms update prompts.
Install OpenSSH Server Package:
sudo dnf install openssh-server -y
DNF (Dandified YUM) package manager handles dependency resolution automatically. The installation process downloads the OpenSSH server package and all required dependencies. Typical dependencies include OpenSSL libraries, systemd service files, and configuration templates.
Install OpenSSH Clients (Optional):
sudo dnf install openssh-clients -y
Client tools enable SSH connections to other systems from your Rocky Linux 10 server. This installation includes ssh, scp, sftp, and related utilities essential for comprehensive SSH functionality.
Verify Installation:
rpm -qi openssh-server
Query package information to confirm successful installation. This command displays package version, installation date, description, and file list. Verification ensures all components installed correctly.
Service Management
Enable SSH Service:
sudo systemctl enable sshd
Enabling the SSH service configures automatic startup during system boot. This setting persists across reboots, ensuring SSH availability without manual intervention.
Start SSH Service:
sudo systemctl start sshd
Starting the service immediately activates SSH functionality without requiring system restart. The daemon begins listening for incoming connections on the configured port (default 22).
Check Service Status:
sudo systemctl status sshd
Status verification confirms the service started successfully and displays current operational state. Look for “active (running)” status and recent log entries indicating successful startup.
Service Management Commands:
Understanding additional service management commands proves valuable for ongoing maintenance:
sudo systemctl restart sshd
– Restart service (stops and starts)sudo systemctl reload sshd
– Reload configuration without stoppingsudo systemctl stop sshd
– Stop service immediately
Initial Configuration Verification
Check SSH Port Binding:
sudo netstat -tlnp | grep :22
This command verifies SSH daemon is listening on port 22. The output should show “LISTEN” status with the sshd process ID. If using a custom port, replace “22” with your configured port number.
Review Default Configuration:
sudo cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"
Display active configuration settings by filtering out comments and empty lines. This review helps understand current settings before making modifications.
Check SSH Host Keys:
sudo ls -la /etc/ssh/ssh_host_*
Host keys authenticate the server to connecting clients. Multiple key types (RSA, ECDSA, Ed25519) provide compatibility with different client implementations. Verify key files exist and have proper permissions (600 for private keys, 644 for public keys).
Verify SSH Daemon Logs:
sudo journalctl -u sshd --no-pager
System logs reveal startup messages, configuration errors, and operational status. Recent log entries should indicate successful service startup without error messages.
Basic Configuration
SSH Configuration File Overview
Configuration File Location:
The primary SSH server configuration resides in /etc/ssh/sshd_config
. This file controls all SSH daemon behavior including authentication methods, connection parameters, and security settings.
Backup Original Configuration:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
Creating configuration backups enables quick restoration if modifications cause issues. Always backup before making changes to critical system files.
Configuration Syntax:
SSH configuration uses simple directive-value pairs. Directives are case-insensitive, but values may be case-sensitive. Comments begin with hash symbols (#), and blank lines are ignored.
Essential Configuration Options
Port Configuration:
sudo nano /etc/ssh/sshd_config
Find the Port directive (usually commented) and modify:
Port 22
While port 22 is the SSH standard, changing to a non-standard port (like 2112 or 2222) reduces automated attack attempts. Ensure your chosen port doesn’t conflict with other services.
Protocol Version:
Protocol 2
SSH Protocol 2 offers superior security compared to the deprecated Protocol 1. Rocky Linux 10 defaults to Protocol 2, but explicit configuration ensures compatibility.
Authentication Settings:
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
LoginGraceTime 60
MaxAuthTries 3
These settings control authentication methods and timing. LoginGraceTime
specifies connection timeout, while MaxAuthTries
limits authentication attempts per connection.
Connection Parameters:
MaxSessions 10
ClientAliveInterval 300
ClientAliveCountMax 2
Connection parameters manage session limits and keep-alive settings. ClientAliveInterval
sends keep-alive messages every 300 seconds, while ClientAliveCountMax
determines disconnection after missed responses.
Root Login Configuration
Root Login Options:
PermitRootLogin no
Disabling root login enhances security by requiring standard user accounts for initial connections. Alternative settings include:
yes
– Allow root login (not recommended)prohibit-password
– Allow root login only with keysforced-commands-only
– Allow root login only for specific commands
User Access Control:
AllowUsers alice bob charlie
AllowGroups sshusers
Access control directives restrict SSH access to specific users or groups. These settings provide granular control over system access.
Apply Configuration Changes
Configuration Syntax Check:
sudo sshd -t
Testing configuration syntax before applying changes prevents service failures. This command validates the configuration file and reports syntax errors without affecting the running service.
Restart SSH Service:
sudo systemctl restart sshd
Restarting applies configuration changes immediately. Use restart rather than reload for significant configuration modifications like port changes.
Verify Changes:
Test configuration changes by attempting SSH connections. Keep existing sessions open while testing to maintain access if issues occur.
Security Hardening
SSH Key Authentication Setup
Generate SSH Key Pairs:
ssh-keygen -t ed25519 -b 4096 -f ~/.ssh/id_ed25519
Ed25519 keys offer superior security and performance compared to RSA keys. The -b 4096
flag specifies key length, while -f
designates the output file location.
Alternative Key Generation (RSA):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
RSA keys remain widely compatible across different systems and SSH implementations. Use 4096-bit keys for enhanced security.
Copy Public Key to Server:
ssh-copy-id username@server_ip
This command automatically copies your public key to the server’s authorized_keys file. It handles file creation, permission setting, and key formatting automatically.
Manual Key Copying:
cat ~/.ssh/id_ed25519.pub | ssh username@server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Manual copying provides more control over the process and works when ssh-copy-id isn’t available.
Set Proper Permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Correct permissions are crucial for SSH key functionality. The .ssh directory requires 700 permissions, while authorized_keys needs 600 permissions.
Disable Password Authentication:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
After verifying key-based authentication works, disable password authentication to prevent brute force attacks.
Advanced Security Configuration
Change Default SSH Port:
Port 2112
Non-standard ports reduce automated scanning and attack attempts. Choose ports above 1024 to avoid conflicts with system services.
SELinux Port Configuration:
sudo semanage port -a -t ssh_port_t -p tcp 2112
When changing SSH ports on SELinux-enabled systems, update SELinux policy to permit the new port. This command adds the custom port to the SSH service type.
Configure SSH Banners:
sudo nano /etc/ssh/banner.txt
Create a banner file with legal notices or security warnings:
WARNING: Unauthorized access to this system is prohibited.
All connections are monitored and recorded.
Then enable the banner in sshd_config:
Banner /etc/ssh/banner.txt
Implement Connection Limits:
MaxStartups 10:30:100
MaxAuthTries 3
LoginGraceTime 30
These settings limit concurrent connections and authentication attempts, mitigating denial-of-service attacks.
Protocol Restrictions:
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
Explicitly configure strong encryption algorithms and disable weak ciphers for enhanced security.
User Access Control
User and Group Restrictions:
AllowUsers alice bob@192.168.1.0/24
AllowGroups sshusers
DenyUsers guest nobody
Granular access controls restrict SSH access by username, group membership, or source IP address. Combine multiple restrictions for layered security.
Chroot Jail Configuration:
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
Chroot jails isolate users within specific directories, preventing access to sensitive system areas. This configuration works well for SFTP-only users.
Firewall Configuration
Firewalld Setup
Install and Enable Firewalld:
sudo dnf install firewalld -y
sudo systemctl enable firewalld
sudo systemctl start firewalld
Firewalld provides dynamic firewall management with support for network zones and rich rules. It integrates seamlessly with Rocky Linux 10’s security model.
Check Firewall Status:
sudo systemctl status firewalld
sudo firewall-cmd --state
Verify firewalld is running and operational before configuring rules. The --state
option provides quick status confirmation.
SSH Service Rules
Allow SSH Service:
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload
The SSH service rule automatically allows traffic on port 22. The --permanent
flag ensures rules persist across reboots.
Custom Port Configuration:
sudo firewall-cmd --remove-service=ssh --permanent
sudo firewall-cmd --add-port=2112/tcp --permanent
sudo firewall-cmd --reload
When using custom SSH ports, remove the default SSH service and add specific port rules.
IP Address Restrictions:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="203.0.113.55" service name="ssh" accept' --permanent
Rich rules provide granular control over connection sources. This rule allows SSH only from a specific IP address.
Subnet-Based Rules:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="2112" protocol="tcp" accept' --permanent
Subnet rules allow access from entire network ranges while maintaining security.
Verify Firewall Rules:
sudo firewall-cmd --list-all
sudo firewall-cmd --list-rich-rules
Regular rule verification ensures proper configuration and helps troubleshoot connectivity issues.
Testing SSH Connection
Local Connection Testing
Test SSH Service Locally:
ssh localhost
ssh username@127.0.0.1
Local testing verifies SSH daemon functionality without network complications. Successful local connections indicate proper service configuration.
Check SSH Process Details:
sudo ss -tlnp | grep :22
ps aux | grep sshd
Process monitoring confirms SSH daemon is listening correctly and consuming appropriate system resources.
Remote Connection Testing
Connect from Remote Client:
ssh username@server_ip
ssh username@server_ip -p 2112
Remote connections test complete SSH functionality including network connectivity, firewall rules, and authentication mechanisms.
Verbose Connection Testing:
ssh -v username@server_ip
ssh -vvv username@server_ip
Verbose output provides detailed connection information useful for troubleshooting authentication or network issues.
Windows Client Testing:
Windows users can test SSH connections using:
- Built-in OpenSSH client (Windows 10/11)
- PuTTY for graphical interface
- Windows Subsystem for Linux (WSL)
Connection with Key Files:
ssh -i ~/.ssh/id_ed25519 username@server_ip
Specify particular key files when using multiple SSH keys or non-default key locations.
Troubleshooting Common Issues
Service Startup Problems
Configuration File Errors:
sudo sshd -t
sudo journalctl -u sshd
Configuration syntax errors prevent SSH daemon startup. The test command identifies specific line numbers with errors, while journal logs provide detailed error messages.
Port Binding Issues:
sudo netstat -tlnp | grep :22
sudo lsof -i :22
Port conflicts occur when multiple services attempt to bind the same port. These commands identify processes using specific ports.
Permission Problems:
sudo ls -la /etc/ssh/
sudo restorecon -R /etc/ssh/
Incorrect file permissions or SELinux contexts prevent SSH service startup. The restorecon command repairs SELinux labels.
Connection Issues
Firewall Troubleshooting:
sudo firewall-cmd --list-all
sudo iptables -L
Verify firewall rules allow SSH traffic. Compare configured rules with actual iptables entries to identify discrepancies.
Network Connectivity:
ping server_ip
telnet server_ip 22
Basic network tests isolate connectivity issues from SSH-specific problems. Telnet tests port accessibility without SSH protocol overhead.
Authentication Failures:
ssh -vvv username@server_ip
sudo tail -f /var/log/secure
Authentication problems often stem from key permissions, user account issues, or configuration mismatches. Verbose SSH output and security logs provide diagnostic information.
Performance Issues
DNS Resolution:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username@server_ip
Slow connections often result from DNS resolution delays. This command bypasses host key checking for testing purposes.
MTU Optimization:
ssh -o IPQoS=throughput username@server_ip
Network performance issues may require MTU adjustments or quality-of-service optimizations.
Best Practices and Recommendations
Security Best Practices
Regular Security Updates:
sudo dnf update openssh-server
sudo dnf update --security
Maintain current SSH versions to address security vulnerabilities. Subscribe to Rocky Linux security announcements for timely updates.
Key Management:
Implement regular SSH key rotation (annually or biannually). Use strong passphrases for private keys and store them securely. Consider using SSH agent forwarding cautiously in trusted environments.
Access Monitoring:
sudo lastlog
sudo last
who
Regular access monitoring identifies unusual login patterns or unauthorized access attempts. Implement automated monitoring solutions for production environments.
Intrusion Detection:
Install and configure fail2ban for automated intrusion prevention:
sudo dnf install fail2ban
sudo systemctl enable fail2ban
Configure fail2ban to monitor SSH logs and automatically block suspicious IP addresses.
Operational Best Practices
Configuration Management:
Use version control systems like Git to track SSH configuration changes. Document all modifications with timestamps and rationale.
Backup Strategies:
sudo tar -czf ssh-backup-$(date +%Y%m%d).tar.gz /etc/ssh/
Regular configuration backups enable quick recovery from misconfigurations or system failures.
Documentation:
Maintain comprehensive documentation covering:
- User access procedures
- Configuration change processes
- Emergency access methods
- Contact information for system administrators
Performance Optimization:
Compression yes
TCPKeepAlive yes
ServerAliveInterval 60
Optimize SSH performance for specific network conditions and usage patterns.
High Availability:
Consider implementing redundant SSH services using load balancers or failover mechanisms for critical systems. Configure monitoring and alerting for SSH service availability.
Congratulations! You have successfully installed SSH. Thanks for using this tutorial for installing the SSH server on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official SSH website.