Setting up an OpenSSH Server with SELinux on RHEL 7

We are going to configure key-based SSH authentication and allow sshd to bind to a non-default SSH port.

The Lab

We have a couple of RHEL 7.0 servers, srv1 and srv2. SELinux is set to enforcing mode.

Configure Key-based SSH Authentication

On the server srv1, create a new user sandy:

# useradd -m -s /bin/bash sandy
# passwd sandy
# su - sandy

As the user sandy, create a new SSH key and copy it to the server srv2:

$ ssh-keygen -b 2048 -t rsa
$ ssh-copy-id -i ~/.ssh/ [email protected]

Public key authentication is enabled by default, so we can test it straight away:

$ ssh [email protected]
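If the key login above fails, the usual server-side causes are file permissions and, on an SELinux host, the file context of ~/.ssh. The helper below is an added example, not part of the original post: it checks and tightens the modes sshd expects under StrictModes (the default) and restores the default SELinux context with restorecon when that tool exists. The directory path is a parameter so it can be exercised on a constructed directory instead of a real home.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the key material on
# the server side after ssh-copy-id. With StrictModes (the default) sshd ignores
# authorized_keys when ~/.ssh or the file is group/world writable, and on an
# SELinux host a wrong file context on ~/.ssh also breaks public-key login.

# Verify modes without changing anything: 700 on the dir, 600 on authorized_keys.
check_ssh_dir_perms() {  # check_ssh_dir_perms SSH_DIR
    dir=$1
    [ -n "$(find "$dir" -maxdepth 0 -perm 700)" ] || return 1
    if [ -f "$dir/authorized_keys" ]; then
        [ -n "$(find "$dir/authorized_keys" -maxdepth 0 -perm 600)" ] || return 1
    fi
    return 0
}

# Tighten permissions; returns 0 when both objects end up with the expected mode.
fix_ssh_dir_perms() {  # fix_ssh_dir_perms SSH_DIR
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chmod 700 "$dir"
    if [ -f "$dir/authorized_keys" ]; then
        chmod 600 "$dir/authorized_keys"
    fi
    check_ssh_dir_perms "$dir"
}

# Restore the default SELinux context of the directory (ssh_home_t on RHEL)
# when restorecon is installed; a no-op elsewhere so the helper stays usable.
relabel_ssh_dir() {  # relabel_ssh_dir SSH_DIR
    command -v restorecon >/dev/null 2>&1 || return 0
    restorecon -R -v "$1"
}
```

Run it as the user whose login fails, e.g. `fix_ssh_dir_perms ~/.ssh && relabel_ssh_dir ~/.ssh`, then retry the ssh command; when the permission fix does not help, `tail /var/log/secure` on the server shows why sshd rejected the key.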

Configure Alternative SSH Ports

We are going to add TCP port 2200 to the SSH server.

On the server srv2, open the file /etc/ssh/sshd_config for editing, and add the following lines:

Port 22
Port 2200

Configure the firewall to allow access on TCP port 2200:

# firewall-cmd --permanent --add-port=2200/tcp
# firewall-cmd --reload

Configure SELinux to allow sshd to listen on TCP port 2200:

# semanage port -a -t ssh_port_t 2200 -p tcp

Restart the sshd service:

# systemctl restart sshd

Test from the server srv1:

$ ssh [email protected] -p2200

Tweak SSH Server Configuration

We want to allow user sandy to log in, but deny user dev1 and group devops:

AllowUsers sandy
DenyUsers dev1
DenyGroups devops

Note that the allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups and finally AllowGroups.
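That order matters: a user listed in AllowUsers is still refused if one of their groups matches DenyGroups. The script below is an added example, not part of the original post; it models sshd's evaluation order for plain user and group names only (the real directives also accept wildcards and user@host patterns, which are not modelled) and walks a few constructed accounts through the configuration above.

```shell
#!/bin/sh
# Added example (not from the original post): a model of the order in which
# sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups.

# in_list NAME "a b c": true when NAME is one of the space-separated items.
in_list() {
    needle=$1
    for item in $2; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# any_in_list "g1 g2" "x y": true when any item of the first list is in the second.
any_in_list() {
    for member in $1; do
        in_list "$member" "$2" && return 0
    done
    return 1
}

# ssh_access_decision USER "GROUPS" "DenyUsers" "AllowUsers" "DenyGroups" "AllowGroups"
# Prints the decision and the directive that produced it; returns 0 for allow.
# An empty directive value means "not set": that is the only case in which a
# directive is skipped. Once AllowUsers or AllowGroups is set, anyone not
# listed is refused.
ssh_access_decision() {
    user=$1; groups=$2
    deny_users=$3; allow_users=$4; deny_groups=$5; allow_groups=$6
    if [ -n "$deny_users" ] && in_list "$user" "$deny_users"; then
        echo "deny: $user matches DenyUsers"; return 1
    fi
    if [ -n "$allow_users" ] && ! in_list "$user" "$allow_users"; then
        echo "deny: $user not in AllowUsers"; return 1
    fi
    if [ -n "$deny_groups" ] && any_in_list "$groups" "$deny_groups"; then
        echo "deny: a group of $user matches DenyGroups"; return 1
    fi
    if [ -n "$allow_groups" ] && ! any_in_list "$groups" "$allow_groups"; then
        echo "deny: no group of $user in AllowGroups"; return 1
    fi
    echo "allow"; return 0
}

# The post's configuration: AllowUsers sandy, DenyUsers dev1, DenyGroups devops.
# Walk constructed accounts (user:groups) through it; "bob" is not in the post.
demo() {
    for spec in "sandy:sandy users" "sandy:sandy devops" "dev1:dev1" "bob:bob users"; do
        u=${spec%%:*}; g=${spec#*:}
        printf '%-6s -> ' "$u"
        ssh_access_decision "$u" "$g" "dev1" "sandy" "devops" "" || true
    done
}
demo
```

The second sandy line is the instructive one: membership in devops overrides the AllowUsers entry, which is exactly the behaviour the processing order above predicts.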

Tell the SSH server not to look up the remote hostname. This can give a significant performance boost when client connections are slow:

UseDNS no

Set the maximum number of sessions that can be opened from one IP address simultaneously to 3:

MaxSessions 3

Send a packet to the client if no activity has been detected for 300 seconds, and do so 4 times:

ClientAliveInterval 300
ClientAliveCountMax 4

Unresponsive clients will be disconnected after approximately 20 minutes. These options apply to protocol version 2 only.

Kerberos-based authentication should be disabled:

GSSAPIAuthentication no

Close the TCP connection after 3 failed authentication attempts:

MaxAuthTries 3

Permit passwordless root login, that is, root may log in with key-based authentication only and password logins for root are refused:

PermitRootLogin without-password

Ensure that both password and key-based authentication are enabled, and that empty passwords are not allowed:

PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no

Restart the service:

# systemctl restart sshd
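Applying these edits by hand works for two servers, but the same steps are easy to script. The script below is an added example, not part of the original post, and serves both the alternative-port procedure and the tweaks above: idempotent helpers write the Port lines and directives into an sshd_config file (the path is a parameter so they can be exercised on a copy), and a wrapper runs the privileged steps. It adds two checks the post does not show: `semanage port -a` refuses a port that ssh_port_t already lists, so the wrapper tests for it first, and `sshd -t` validates the file before the restart so a typo cannot lock you out.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent helpers that apply the
# sshd_config changes described in the post, plus a wrapper for the privileged
# steps of the alternative-port procedure. Edit helpers take the file path as a
# parameter; the live system is only touched when invoked as "apply".

# Append "Port N" unless that exact line exists; several Port lines are valid.
ensure_port() {  # ensure_port FILE PORT
    grep -qx "Port $2" "$1" || printf 'Port %s\n' "$2" >> "$1"
}

# Set a single-valued directive. The first matching line (active or commented
# as "#Key") is replaced, later duplicates are dropped (sshd honours only the
# first occurrence anyway), and the directive is appended if absent.
ensure_directive() {  # ensure_directive FILE KEY VALUE
    tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        $1 == key || $1 == ("#" key) { if (!done) { print key, val; done = 1 }; next }
        { print }
        END { if (!done) print key, val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode of the original
    rm -f "$tmp"
}

# The settings from this post, applied in one go.
apply_tweaks() {  # apply_tweaks FILE
    f=$1
    ensure_port "$f" 22
    ensure_port "$f" 2200
    ensure_directive "$f" AllowUsers sandy
    ensure_directive "$f" DenyUsers dev1
    ensure_directive "$f" DenyGroups devops
    ensure_directive "$f" UseDNS no
    ensure_directive "$f" MaxSessions 3
    ensure_directive "$f" ClientAliveInterval 300
    ensure_directive "$f" ClientAliveCountMax 4
    ensure_directive "$f" GSSAPIAuthentication no
    ensure_directive "$f" MaxAuthTries 3
    ensure_directive "$f" PermitRootLogin without-password
    ensure_directive "$f" PasswordAuthentication yes
    ensure_directive "$f" PubkeyAuthentication yes
    ensure_directive "$f" PermitEmptyPasswords no
}

# Value sshd would use for a directive: the first active line wins.
effective_value() {  # effective_value FILE KEY
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Privileged part of the alternative-port procedure (run as root on srv2).
# The semanage guard matters: "semanage port -a" fails when ssh_port_t already
# lists the port, so a second run of the script would otherwise abort here.
apply_ssh_port() {  # apply_ssh_port PORT
    ensure_port /etc/ssh/sshd_config "$1"
    if ! semanage port -l | grep '^ssh_port_t' | grep -qw "$1"; then
        semanage port -a -t ssh_port_t -p tcp "$1"
    fi
    firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
    # Validate the config before restarting so a typo cannot lock us out.
    sshd -t && systemctl restart sshd
}

# Only touch the live system when explicitly asked: "sh this.sh apply [PORT]".
case "${1:-}" in
    apply) apply_tweaks /etc/ssh/sshd_config && apply_ssh_port "${2:-2200}" ;;
esac
```

One caveat on the append behaviour: directives appended after a `Match` block belong to that block, so the helpers assume the file has no active `Match` section at its end (the RHEL 7 default file ships only a commented-out one). Keep an existing session open while restarting sshd and confirm a fresh login on both ports before closing it.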

Check the man page of sshd_config for more info.

8 thoughts on “Setting up an OpenSSH Server with SELinux on RHEL 7”

  1. I’m practicing using your sample exam for RHCE7. Your instructions are easy to follow. Thanks.
    Under SSH configuration – “Client ipa.rhce.local must not have access to SSH at all” –
    To accomplish this, do we just add an entry in /etc/hosts.deny, “sshd: ipa.rhce.local” or “sshd: ? Please advise.

  2. Adding sshd: ipa.rhce.local to hosts.deny works well.
    With the HTTP service it does not, and I use a firewalld rich rule.
