
How To Install SSH Server on Rocky Linux 10


Installing and configuring an SSH server on Rocky Linux 10 is essential for secure remote server management and administration. SSH (Secure Shell) provides encrypted communication between your local machine and remote servers, making it the backbone of modern Linux system administration. Rocky Linux 10, with its enterprise-grade stability and security features, offers robust SSH implementation through OpenSSH.

This comprehensive guide will walk you through every step of SSH server installation on Rocky Linux 10. You’ll learn how to install, configure, secure, and troubleshoot SSH services effectively. Whether you’re a system administrator managing multiple servers or a developer needing remote access to development environments, this tutorial provides the expertise needed for successful SSH deployment.

The process involves several critical components: OpenSSH server installation, service configuration, security hardening, firewall setup, and ongoing maintenance. Each step requires careful attention to security best practices and proper configuration management. By following this guide, you’ll establish a secure, reliable SSH infrastructure on your Rocky Linux 10 system.

Prerequisites and Requirements

Before beginning the SSH server installation process, ensure your Rocky Linux 10 system meets specific requirements and you have necessary access privileges.

System Requirements:

  • Fresh or existing Rocky Linux 10 installation (minimal or full desktop environment)
  • Root access or user account with sudo privileges
  • Active network connection with internet access
  • Minimum 512 MB RAM and 10 GB available disk space

Network Prerequisites:
Your system needs a properly configured network interface with either static or dynamic IP address assignment. Verify network connectivity using ping commands to external hosts. Ensure DNS resolution works correctly: sshd can reverse-resolve the addresses of connecting clients, and broken resolution shows up as slow logins.

Administrative Access:
You must have either direct root access or belong to the wheel group for sudo privileges. This access level is crucial for installing packages, modifying system configurations, and managing services. Verify your privileges by running sudo whoami – it should return “root” if configured correctly.

Knowledge Prerequisites:
Basic familiarity with Linux command-line interface, file editing using nano or vim, and understanding of network concepts like ports and IP addresses will significantly enhance your success with this tutorial.

Understanding SSH on Rocky Linux 10

SSH represents a cryptographic network protocol designed for secure communication over unsecured networks. Rocky Linux 10 implements SSH through OpenSSH, an open-source suite providing encrypted remote login, file transfer, and tunneling capabilities.

SSH Architecture Overview:
The SSH protocol operates on a client-server model where the SSH daemon (sshd) runs continuously on the server, listening for incoming connections. Clients connect using SSH client software, establishing encrypted sessions for command execution, file transfers, or port forwarding. This architecture ensures all data transmission remains protected from eavesdropping and tampering.

OpenSSH Components in Rocky Linux 10:
Rocky Linux 10 includes several OpenSSH components: sshd (the server daemon), ssh (client for remote connections), scp (secure copy for file transfers), sftp (secure file transfer protocol), and ssh-keygen (key generation utility). Each component serves specific purposes in the SSH ecosystem.

Security Features:
Modern OpenSSH implementations support multiple encryption algorithms, including AES and ChaCha20; 3DES is still available for legacy clients but is not enabled by default. Authentication methods range from traditional password-based authentication to more secure public key cryptography. SSH also supports two-factor authentication, certificate-based authentication, and Kerberos integration for enterprise environments.

Default Configuration Location:
Rocky Linux 10 stores SSH configuration files in /etc/ssh/. The main server configuration file sshd_config contains global settings, while host keys reside in the same directory. Understanding these file locations is crucial for proper SSH management and troubleshooting.

Step-by-Step Installation Guide

Checking Current SSH Status

Before installing new SSH components, verify the current state of SSH services on your Rocky Linux 10 system. This preliminary check prevents conflicts and ensures clean installation.

Verify OpenSSH Installation:

rpm -qa | grep openssh-server

This command queries the RPM database for OpenSSH server packages. If OpenSSH server is already installed, you’ll see package information including version numbers. An empty result indicates the server package isn’t installed.

Check SSH Service Status:

sudo systemctl status sshd

The systemctl command displays comprehensive service information including current status (active, inactive, or failed), recent log entries, and service configuration details. Understanding service states helps determine necessary installation or configuration steps.

Verify SSH Process:

ps aux | grep sshd

This process listing shows running SSH daemons and their process IDs. Active SSH processes indicate the service is operational, while absence suggests the service needs starting or installation.

Installing OpenSSH Server

System Update Preparation:
Begin with system updates to ensure package compatibility and security patches:

sudo dnf update -y

Updating the system before package installation prevents dependency conflicts and ensures you’re working with the latest package versions. The -y flag automatically confirms update prompts.

Install OpenSSH Server Package:

sudo dnf install openssh-server -y

DNF (Dandified YUM) package manager handles dependency resolution automatically. The installation process downloads the OpenSSH server package and all required dependencies. Typical dependencies include OpenSSL libraries, systemd service files, and configuration templates.

Install OpenSSH Clients (Optional):

sudo dnf install openssh-clients -y

Client tools enable SSH connections to other systems from your Rocky Linux 10 server. This installation includes ssh, scp, sftp, and related utilities essential for comprehensive SSH functionality.

Verify Installation:

rpm -qi openssh-server

Query package information to confirm successful installation. This command displays package version, installation date, description, and file list. Verification ensures all components installed correctly.

Service Management

Enable SSH Service:

sudo systemctl enable sshd

Enabling the SSH service configures automatic startup during system boot. This setting persists across reboots, ensuring SSH availability without manual intervention.

Start SSH Service:

sudo systemctl start sshd

Starting the service immediately activates SSH functionality without requiring system restart. The daemon begins listening for incoming connections on the configured port (default 22).

Check Service Status:

sudo systemctl status sshd

Status verification confirms the service started successfully and displays current operational state. Look for “active (running)” status and recent log entries indicating successful startup.

Service Management Commands:
Understanding additional service management commands proves valuable for ongoing maintenance:

  • sudo systemctl restart sshd – Restart service (stops and starts)
  • sudo systemctl reload sshd – Reload configuration without stopping
  • sudo systemctl stop sshd – Stop service immediately

Initial Configuration Verification

Check SSH Port Binding:

sudo netstat -tlnp | grep :22

This command verifies that the SSH daemon is listening on port 22. The output should show “LISTEN” status with the sshd process ID. If using a custom port, replace “22” with your configured port number. Note that netstat comes from the net-tools package, which is not installed by default on Rocky Linux 10; sudo ss -tlnp | grep :22 gives the same information with the iproute tools that ship with the system.

Review Default Configuration:

sudo cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"

Display active configuration settings by filtering out comments and empty lines. This review helps you understand the current settings before making modifications. Because Rocky Linux’s sshd_config begins with an Include line for /etc/ssh/sshd_config.d/*.conf, the single file does not tell the whole story; sudo sshd -T prints the effective merged configuration and is the authoritative view.

Check SSH Host Keys:

sudo ls -la /etc/ssh/ssh_host_*

Host keys authenticate the server to connecting clients. Multiple key types (RSA, ECDSA, Ed25519) provide compatibility with different client implementations. Verify key files exist and have proper permissions (600 for private keys, 644 for public keys).

Verify SSH Daemon Logs:

sudo journalctl -u sshd --no-pager

System logs reveal startup messages, configuration errors, and operational status. Recent log entries should indicate successful service startup without error messages.

Basic Configuration

SSH Configuration File Overview

Configuration File Location:
The primary SSH server configuration resides in /etc/ssh/sshd_config. This file controls all SSH daemon behavior including authentication methods, connection parameters, and security settings. On Rocky Linux the file starts with an Include directive for /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for any directive, so a setting in one of those drop-in files overrides the same setting placed further down in sshd_config. Check the drop-in directory before editing, and use sudo sshd -T to see the effective result.

Backup Original Configuration:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

Creating configuration backups enables quick restoration if modifications cause issues. Always backup before making changes to critical system files.

Configuration Syntax:
SSH configuration uses simple directive-value pairs. Directives are case-insensitive, but values may be case-sensitive. Comments begin with hash symbols (#), and blank lines are ignored.

Essential Configuration Options

Port Configuration:

sudo nano /etc/ssh/sshd_config

Find the Port directive (usually commented) and modify:

Port 22

While port 22 is the SSH standard, changing to a non-standard port (like 2112 or 2222) reduces automated attack attempts. Ensure your chosen port doesn’t conflict with other services.

Protocol Version:

Protocol 2

SSH protocol 2 is the only version modern OpenSSH speaks; protocol 1 was removed in OpenSSH 7.4, long before the release shipped with Rocky Linux 10. The Protocol directive is accepted only for backward compatibility (sshd may report it as deprecated) and has no effect, so it can be omitted from new configurations.

Authentication Settings:

PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
LoginGraceTime 60
MaxAuthTries 3

These settings control authentication methods and timing. LoginGraceTime is the number of seconds a client has to complete authentication before the connection is dropped, while MaxAuthTries limits authentication attempts per connection.

Connection Parameters:

MaxSessions 10
ClientAliveInterval 300
ClientAliveCountMax 2

Connection parameters manage session limits and keep-alive settings. ClientAliveInterval sends keep-alive messages every 300 seconds, while ClientAliveCountMax determines disconnection after missed responses.

Root Login Configuration

Root Login Options:

PermitRootLogin no

Disabling root login enhances security by requiring standard user accounts for initial connections. Alternative settings include:

  • yes – Allow root login (not recommended)
  • prohibit-password – Allow root login only with keys
  • forced-commands-only – Allow root login only for specific commands

User Access Control:

AllowUsers alice bob charlie
AllowGroups sshusers

Access control directives restrict SSH access to specific users or groups. These settings provide granular control over system access.

Apply Configuration Changes

Configuration Syntax Check:

sudo sshd -t

Testing configuration syntax before applying changes prevents service failures. This command validates the configuration file and reports syntax errors without affecting the running service.

Restart SSH Service:

sudo systemctl restart sshd

Restarting applies configuration changes immediately. Use restart rather than reload for significant configuration modifications like port changes.

Verify Changes:
Test configuration changes by attempting SSH connections. Keep existing sessions open while testing to maintain access if issues occur.

Security Hardening

SSH Key Authentication Setup

Generate SSH Key Pairs:

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

Ed25519 keys offer superior security and performance compared to RSA keys. Ed25519 keys have a fixed size, so ssh-keygen ignores the -b option for this type (it only applies to RSA and ECDSA); -f designates the output file location. Add -C "comment" if you want the public key labelled with something more descriptive than the default user@host.

Alternative Key Generation (RSA):

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

RSA keys remain widely compatible across different systems and SSH implementations. Use 4096-bit keys for enhanced security.

Copy Public Key to Server:

ssh-copy-id username@server_ip

This command automatically copies your public key to the server’s authorized_keys file. It handles file creation, permission setting, and key formatting automatically.

Manual Key Copying:

cat ~/.ssh/id_ed25519.pub | ssh username@server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Manual copying provides more control over the process and works when ssh-copy-id isn’t available.

Set Proper Permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Correct permissions are crucial for SSH key functionality. The .ssh directory requires 700 permissions, while authorized_keys needs 600 permissions.
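To turn the permission rules above into a repeatable check, here is a small POSIX shell script (an added example, not part of this tutorial) that verifies the modes of a .ssh directory and its authorized_keys file and flags entries that do not parse as key lines. The function names and the sample key entries are constructed for the demonstration; the mode checks assume GNU stat as shipped on Rocky Linux.

```shell
#!/bin/sh
# Added example, not part of the tutorial: verify the ~/.ssh permission
# requirements and sanity-check authorized_keys entries. Function names and
# the sample directory are this example's own; the key type names are the
# identifiers OpenSSH accepts at the start of an authorized_keys entry.

# Recognised key types. An entry may be preceded by options such as
# from="..." or command="..."; the parser skips ahead to the first type token.
KEY_TYPES='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)$'

# mode_of PATH: octal permission bits (GNU stat, as on Rocky Linux).
mode_of() { stat -c '%a' "$1" 2>/dev/null; }

# check_mode PATH WANTED: 0 when PATH has exactly mode WANTED, 1 otherwise.
check_mode() {
    m=$(mode_of "$1")
    if [ "$m" = "$2" ]; then
        echo "OK   $1 mode $m"
        return 0
    fi
    echo "FAIL $1 mode ${m:-missing} (want $2)"
    return 1
}

# count_invalid_keys FILE: number of lines that are neither blank, comment,
# nor "[options] TYPE BASE64 [comment]" with a recognised TYPE.
count_invalid_keys() {
    awk -v types="$KEY_TYPES" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ types && $(i + 1) ~ /^[A-Za-z0-9+\/]+=*$/) { ok = 1; break }
            if (!ok) bad++
        }
        END { print bad + 0 }
    ' "$1"
}

# check_ssh_dir DIR: run every check; the return value is the failure count.
check_ssh_dir() {
    d=$1
    fails=0
    check_mode "$d" 700 || fails=$((fails + 1))
    if [ -f "$d/authorized_keys" ]; then
        check_mode "$d/authorized_keys" 600 || fails=$((fails + 1))
        n=$(count_invalid_keys "$d/authorized_keys")
        if [ "$n" -eq 0 ]; then
            echo "OK   every authorized_keys entry parses"
        else
            echo "FAIL $n unparsable line(s) in authorized_keys"
            fails=$((fails + 1))
        fi
    else
        echo "FAIL $d/authorized_keys does not exist"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# sample_authorized_keys: constructed entries for the demo (not real keys).
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample, not real key material
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIALNOTREAL alice@laptop
from="192.168.1.0/24",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIAL2 bob
ssh-rsa not*base64 broken-entry
EOF
}

# Demo against a throwaway directory; on a real host run: check_ssh_dir ~/.ssh
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
sample_authorized_keys > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
check_ssh_dir "$demo/.ssh" || echo "-> $? problem(s) found"
rm -rf "$demo"
```

The demo reports one problem, the deliberately broken third entry; a directory or file with the wrong mode adds one failure each, which is exactly what sshd's StrictModes check would silently reject at login time.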

Disable Password Authentication:

PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes

After verifying key-based authentication works, disable password authentication to prevent brute force attacks. KbdInteractiveAuthentication is the current name of the directive older guides call ChallengeResponseAuthentication (still accepted as an alias); with both it and PasswordAuthentication set to no, PAM can no longer be used to supply a password. Leave UsePAM yes: the distribution’s sshd_config warns that UsePAM no is unsupported, because PAM also handles account and session setup. Check for a conflicting PasswordAuthentication line in /etc/ssh/sshd_config.d/ (cloud images may drop one there) and confirm the effective value with sudo sshd -T | grep -i passwordauthentication.

Advanced Security Configuration

Change Default SSH Port:

Port 2112

Non-standard ports reduce automated scanning and attack attempts. Choose ports above 1024 to avoid conflicts with system services.

SELinux Port Configuration:

sudo semanage port -a -t ssh_port_t -p tcp 2112

When changing SSH ports on SELinux-enabled systems, update the SELinux policy to permit the new port; otherwise sshd fails to bind and journalctl shows a permission denied error. This command adds the custom port to the ssh_port_t type. semanage is provided by the policycoreutils-python-utils package, which you may need to install first; sudo semanage port -l | grep ssh confirms the result.

Configure SSH Banners:

sudo nano /etc/ssh/banner.txt

Create a banner file with legal notices or security warnings:

WARNING: Unauthorized access to this system is prohibited.
All connections are monitored and recorded.

Then enable the banner in sshd_config:

Banner /etc/ssh/banner.txt

Implement Connection Limits:

MaxStartups 10:30:100
MaxAuthTries 3
LoginGraceTime 30

These settings limit concurrent connections and authentication attempts, mitigating denial-of-service attacks.

Protocol Restrictions:

Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512

Explicitly configure strong encryption algorithms and disable weak ciphers for enhanced security. On Rocky Linux the system-wide crypto policy supplies these algorithm lists through a file included from /etc/ssh/sshd_config.d/; because that Include sits at the top of sshd_config and sshd keeps the first value it reads, a Ciphers, MACs or KexAlgorithms line added further down may be ignored. Confirm the effective values with sudo sshd -T | grep -Ei '^(ciphers|macs|kexalgorithms)', and if they differ, place the directives in a drop-in file that sorts before the distribution’s, or adjust the policy with update-crypto-policies.

User Access Control

User and Group Restrictions:

AllowUsers alice bob@192.168.1.0/24
AllowGroups sshusers
DenyUsers guest nobody

Granular access controls restrict SSH access by username, group membership, or source IP address. Combine multiple restrictions for layered security.

Chroot Jail Configuration:

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    PasswordAuthentication no
    AllowTcpForwarding no
    X11Forwarding no

Chroot jails isolate users within specific directories, preventing access to sensitive system areas. This configuration works well for SFTP-only users. Two requirements apply: Match blocks must come after all global directives, because everything that follows a Match line belongs to it until the next Match; and sshd insists that the chroot directory and every directory above it are owned by root and not writable by group or others, so /home/%u itself must be root-owned (give the user a writable subdirectory, such as an upload folder, inside it). If either rule is broken, the user is disconnected immediately after authenticating and journalctl -u sshd reports bad ownership or modes for the chroot directory.
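Because wrong ownership on the chroot path is the most common reason an SFTP-only user is dropped right after authenticating, the following shell script (an added example, not from the tutorial) walks a ChrootDirectory path and reports components that are not root-owned or are group- or world-writable. Function names are this example's own; the optional owner and stop parameters exist only so the demo can run on a temporary tree without root.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check the ownership and permission
# rules sshd enforces on a ChrootDirectory path. Every component from / down
# to the chroot must be owned by root and must not be writable by group or
# others. Function names are this example's own; OWNER_UID and STOP default
# to sshd's real requirements (uid 0, walk all the way to /).

# component_ok PATH OWNER_UID: 0 if PATH is owned by OWNER_UID and has no
# group/other write bit; prints a FAIL line for each violated rule.
component_ok() {
    uid=$(stat -c '%u' "$1" 2>/dev/null) || { echo "FAIL $1 does not exist"; return 1; }
    sym=$(stat -c '%A' "$1")
    rc=0
    if [ "$uid" != "$2" ]; then
        echo "FAIL $1 owned by uid $uid (want $2)"
        rc=1
    fi
    # In the symbolic mode string (e.g. drwxr-xr-x) character 6 is the group
    # write bit and character 9 the world write bit.
    gw=$(printf '%s' "$sym" | cut -c6)
    ow=$(printf '%s' "$sym" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "FAIL $1 mode $sym is group- or world-writable"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $1 uid=$uid mode=$sym"
    return "$rc"
}

# check_chroot_path DIR [OWNER_UID=0] [STOP=/]: check DIR and each parent up
# to and including STOP; the return value is the number of bad components.
check_chroot_path() {
    p=$1
    owner=${2:-0}
    stop=${3:-/}
    fails=0
    while :; do
        component_ok "$p" "$owner" || fails=$((fails + 1))
        [ "$p" = "$stop" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$fails"
}

# Demo on a throwaway tree owned by the current user. On a real host the
# call is simply: check_chroot_path /home/alice
demo=$(mktemp -d)
mkdir -p "$demo/jail/alice/upload"
chmod 755 "$demo" "$demo/jail" "$demo/jail/alice"
chmod 775 "$demo/jail/alice/upload"   # inside the chroot, not a component: may be writable
echo "Correct layout:"
check_chroot_path "$demo/jail/alice" "$(id -u)" "$demo" || echo "-> $? problem(s)"
chmod 775 "$demo/jail/alice"          # the classic mistake: a user-writable chroot
echo "After making the chroot writable:"
check_chroot_path "$demo/jail/alice" "$(id -u)" "$demo" || echo "-> $? problem(s)"
rm -rf "$demo"
```

The writable upload directory inside the jail is fine because sshd only inspects the chroot directory and its ancestors; the user's files go there, and /home/%u itself stays root-owned and read-only for the user.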

Firewall Configuration

Firewalld Setup

Install and Enable Firewalld:

sudo dnf install firewalld -y
sudo systemctl enable firewalld
sudo systemctl start firewalld

Firewalld provides dynamic firewall management with support for network zones and rich rules. It integrates seamlessly with Rocky Linux 10’s security model.

Check Firewall Status:

sudo systemctl status firewalld
sudo firewall-cmd --state

Verify firewalld is running and operational before configuring rules. The --state option provides quick status confirmation.

SSH Service Rules

Allow SSH Service:

sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload

The SSH service rule automatically allows traffic on port 22. The --permanent flag ensures rules persist across reboots.

Custom Port Configuration:

sudo firewall-cmd --remove-service=ssh --permanent
sudo firewall-cmd --add-port=2112/tcp --permanent
sudo firewall-cmd --reload

When using custom SSH ports, remove the default SSH service rule and add a rule for the specific port. Open the new port in the firewall before restarting sshd on it, and keep a working session open until you have confirmed the new port answers, so that a mistake in either step cannot lock you out.

IP Address Restrictions:

sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="203.0.113.55" service name="ssh" accept' --permanent

Rich rules provide granular control over connection sources. This rule allows SSH only from a specific IP address.

Subnet-Based Rules:

sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="2112" protocol="tcp" accept' --permanent

Subnet rules allow access from entire network ranges while maintaining security.

Verify Firewall Rules:

sudo firewall-cmd --list-all
sudo firewall-cmd --list-rich-rules

Regular rule verification ensures proper configuration and helps troubleshoot connectivity issues.

Testing SSH Connection

Local Connection Testing

Test SSH Service Locally:

ssh localhost
ssh username@127.0.0.1

Local testing verifies SSH daemon functionality without network complications. Successful local connections indicate proper service configuration.

Check SSH Process Details:

sudo ss -tlnp | grep :22
ps aux | grep sshd

Process monitoring confirms SSH daemon is listening correctly and consuming appropriate system resources.

Remote Connection Testing

Connect from Remote Client:

ssh username@server_ip
ssh username@server_ip -p 2112

Remote connections test complete SSH functionality including network connectivity, firewall rules, and authentication mechanisms.

Verbose Connection Testing:

ssh -v username@server_ip
ssh -vvv username@server_ip

Verbose output provides detailed connection information useful for troubleshooting authentication or network issues.

Windows Client Testing:
Windows users can test SSH connections using:

  • Built-in OpenSSH client (Windows 10/11)
  • PuTTY for graphical interface
  • Windows Subsystem for Linux (WSL)

Connection with Key Files:

ssh -i ~/.ssh/id_ed25519 username@server_ip

Specify particular key files when using multiple SSH keys or non-default key locations.

Troubleshooting Common Issues

Service Startup Problems

Configuration File Errors:

sudo sshd -t
sudo journalctl -u sshd

Configuration syntax errors prevent SSH daemon startup. The test command identifies specific line numbers with errors, while journal logs provide detailed error messages.

Port Binding Issues:

sudo netstat -tlnp | grep :22
sudo lsof -i :22

Port conflicts occur when multiple services attempt to bind the same port. These commands identify the processes using specific ports; netstat (net-tools) and lsof are not installed by default, and sudo ss -tlnp gives the same view with the tools that ship with the system.

Permission Problems:

sudo ls -la /etc/ssh/
sudo restorecon -R /etc/ssh/

Incorrect file permissions or SELinux contexts prevent SSH service startup. The restorecon command repairs SELinux labels.

Connection Issues

Firewall Troubleshooting:

sudo firewall-cmd --list-all
sudo iptables -L

Verify that the firewall rules allow SSH traffic. firewalld on Rocky Linux uses the nftables backend, so sudo nft list ruleset shows the rules actually loaded in the kernel; compare those with the firewalld view to identify discrepancies. iptables -L only reflects them if the iptables-nft compatibility tools are installed.

Network Connectivity:

ping server_ip
telnet server_ip 22

Basic network tests isolate connectivity issues from SSH-specific problems. Telnet tests port accessibility without SSH protocol overhead; a successful connection prints the server’s SSH-2.0 banner. The telnet client is not installed by default, so an alternative that needs no extra package is timeout 5 bash -c '</dev/tcp/server_ip/22' && echo open, or nc -zv server_ip 22 if nmap-ncat is present.

Authentication Failures:

ssh -vvv username@server_ip
sudo tail -f /var/log/secure

Authentication problems often stem from key permissions, user account issues, or configuration mismatches. Verbose SSH output and security logs provide diagnostic information.

Performance Issues

DNS Resolution:

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username@server_ip

Slow logins often result from DNS resolution delays, typically the server trying to reverse-resolve the client address. This command is only a quick test that skips the known_hosts check (and with it host key verification, so use it solely for diagnosis on a trusted network); it does not change how names are resolved. The relevant server-side setting is UseDNS in sshd_config, which OpenSSH now defaults to no; if it has been set to yes, reverting it removes the reverse lookup from every login.

MTU Optimization:

ssh -o IPQoS=throughput username@server_ip

Network performance issues may require MTU adjustments or quality-of-service tuning. IPQoS sets the DSCP marking on SSH packets (the default differs for interactive and bulk-transfer sessions) and does not change the MTU; the MTU is adjusted on the network interface with ip link set dev <interface> mtu <size>.

Best Practices and Recommendations

Security Best Practices

Regular Security Updates:

sudo dnf update openssh-server
sudo dnf update --security

Maintain current SSH versions to address security vulnerabilities. Subscribe to Rocky Linux security announcements for timely updates.

Key Management:
Implement regular SSH key rotation (annually or biannually). Use strong passphrases for private keys and store them securely. Consider using SSH agent forwarding cautiously in trusted environments.

Access Monitoring:

sudo lastlog
sudo last
who

Regular access monitoring identifies unusual login patterns or unauthorized access attempts. Implement automated monitoring solutions for production environments.

Intrusion Detection:
Install and configure fail2ban for automated intrusion prevention:

sudo dnf install fail2ban
sudo systemctl enable fail2ban

Configure fail2ban to monitor SSH logs and automatically block suspicious IP addresses. fail2ban is not in the base Rocky Linux repositories; enable EPEL first with sudo dnf install epel-release. Turn on its sshd jail in /etc/fail2ban/jail.local (enabled = true under [sshd]) and, if you moved SSH to a custom port, set port = 2112 there as well, then start the service with sudo systemctl start fail2ban and check it with sudo fail2ban-client status sshd.
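To see what fail2ban is automating, the following shell script (an added example, not from the tutorial or from fail2ban) tallies failed sshd authentications per source address from constructed /var/log/secure-style lines and lists the sources that reach a threshold, alongside the successful logins. Hostnames, users and addresses in the sample are invented; the line format is the one rsyslog writes on Rocky Linux.

```shell
#!/bin/sh
# Added example, not part of the tutorial: count failed sshd authentications
# per source address in /var/log/secure, the raw analysis behind fail2ban's
# sshd jail. Function names are this example's own; the sample log lines are
# constructed and use documentation addresses.

# failed_by_source LOGFILE THRESHOLD: "COUNT IP" for every source with at
# least THRESHOLD "Failed ..." sshd lines, most active first. "Invalid user"
# and "Connection closed ... [preauth]" lines are deliberately not counted:
# each failed attempt already produces exactly one "Failed" line.
failed_by_source() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# accepted_logins LOGFILE: "USER IP METHOD" for each successful login.
# The line reads "Accepted METHOD for USER from IP port ...", so relative to
# the "from" token the user is one field back and the method three back.
accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { print $(i - 1), $(i + 1), $(i - 3); break }
        }
    ' "$1"
}

# sample_secure_log: constructed lines in rsyslog's /var/log/secure format.
sample_secure_log() {
    cat <<'EOF'
Aug 12 10:15:01 rocky10 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Aug 12 10:15:03 rocky10 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Aug 12 10:15:05 rocky10 sshd[2204]: Failed password for root from 203.0.113.9 port 51240 ssh2
Aug 12 10:15:07 rocky10 sshd[2206]: Failed password for alice from 203.0.113.9 port 51244 ssh2
Aug 12 10:16:10 rocky10 sshd[2210]: Accepted publickey for alice from 192.168.1.20 port 50110 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINTNOTREAL
Aug 12 10:17:22 rocky10 sshd[2214]: Failed password for bob from 198.51.100.7 port 40022 ssh2
EOF
}

# Demo on the constructed sample; on a real host point the functions at
# /var/log/secure (or at "journalctl -u sshd --no-pager" output).
demo=$(mktemp)
sample_secure_log > "$demo"
echo "Sources with 3 or more failures (fail2ban's default maxretry is 5):"
failed_by_source "$demo" 3
echo "Successful logins:"
accepted_logins "$demo"
rm -f "$demo"
```

With the sample, 203.0.113.9 is reported with four failures and 198.51.100.7 is below the threshold; fail2ban adds the time window (findtime) and the ban action on top of exactly this count.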

Operational Best Practices

Configuration Management:
Use version control systems like Git to track SSH configuration changes. Document all modifications with timestamps and rationale.

Backup Strategies:

sudo tar -czf ssh-backup-$(date +%Y%m%d).tar.gz /etc/ssh/

Regular configuration backups enable quick recovery from misconfigurations or system failures.

Documentation:
Maintain comprehensive documentation covering:

  • User access procedures
  • Configuration change processes
  • Emergency access methods
  • Contact information for system administrators

Performance Optimization:

Compression yes
TCPKeepAlive yes
ServerAliveInterval 60

Optimize SSH performance for specific network conditions and usage patterns. Note that these are client-side options: put them in ~/.ssh/config or /etc/ssh/ssh_config, not in sshd_config (ServerAliveInterval is not a server directive, and sshd -t rejects it). Compression helps on slow links but costs CPU on fast ones, and ServerAliveInterval 60 keeps idle sessions alive through NAT devices by sending a keep-alive every 60 seconds; the server-side counterparts are the ClientAliveInterval and ClientAliveCountMax directives shown earlier.

High Availability:
Consider implementing redundant SSH services using load balancers or failover mechanisms for critical systems. Configure monitoring and alerting for SSH service availability.

Congratulations! You have successfully installed SSH. Thanks for using this tutorial for installing the SSH server on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official SSH website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing his knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.