Setting up an OpenSSH Server with SELinux on RHEL 7

We are going to configure a key-based SSH authentication, and allow sshd to bind to a non-default SSH port. 

The Lab

We have a couple of RHEL 7.0 servers, srv1 and srv2. SELinux is set to enforcing mode.

Configure Key-based SSH Authentication

On the server srv1, create a new user sandy:

# useradd -m -s /bin/bash sandy    
# passwd sandy       
# su - sandy

As the user sandy, create a new SSH key and copy it to the server srv2:

$ ssh-keygen -b 2048 -t rsa
$ ssh-copy-id -i ~/.ssh/ [email protected]

Public key authentication should be available by default, we can test:

$ ssh [email protected]

Configure Alternative SSH Ports

We are going to add TCP port 2200 to the SSH server.

On the server srv2, open the file /etc/ssh/sshd_config for editing, and add the following lines:

Port 22
Port 2200

Configure firewall to allow access on TCP port 2200:

# firewall-cmd --permanent --add-port=2200/tcp
# firewall-cmd --reload

Configure SELinux to allow sshd to listen on TCP port 2200:

# semanage port -a -t ssh_port_t 2200 -p tcp

Restart sshd service:

# systemctl restart sshd

Test form the server srv1:

$ ssh [email protected] -p2200

Tweak SSH Server Configuration

We want to allow user sandy to login, but deny user dev1 and group devops:

AllowUsers sandy
DenyUsers dev
DenyGroups devops

Note that the allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups and finally AllowGroups.

Tell SSH server to not look up the remote hostname. This may result in a significant perforance boost if client connections are slow.

UseDNS no

Set the maximum number of sessions that can be opened from one IP address simultaneously to 3:

MaxSessions 3

Send a packet to the client if no activity has been detected for 300 seconds, and do so 4 times:

ClientAliveInterval 300
ClientAliveCountMax 4

Unresponsive clients will be disconnected after approximately 20 minutes. These options apply to protocol version 2 only.

Kerberos based authentication should be disabled:

GSSAPIAuthentication no

Close TCP socket after 3 invalid login attempts:

MaxAuthTries 3

Permit passwordless root login:

PermitRootLogin without-password

Ensure that password and key-based authentications are enabled, and that empty passwords are not allowed:

PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no

Restart the service:

# systemctl restart sshd

Check the man page of sshd_config for more info.

16 thoughts on “Setting up an OpenSSH Server with SELinux on RHEL 7

  1. I’m practicing using you sample Exam for RHCE7. Your instruction is easy to follow. Thanks
    Under SSH configuration – “Client ipa.rhce.local must not have access to SSH at all” –
    To accomplish this, we just add an entry in /etc/hosts.deny “sshd: ipa.rhce.local ” or “sshd: ? Please advise.

  2. sshd: ipa.rhce.local to hosts.deny works well.
    With HTTP service it does not and I use firewalld rich-rule

  3. I am using centos 7.0 .

    I am facing this issue with sshd. sshd stops works out of nothing .its works with the default config.

    # systemctl status sshd
    sshd.service – OpenSSH server daemon
    Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
    Active: active (running) since Wed 2017-11-01 09:25:43 EDT; 25min ago
    Process: 1991 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
    Main PID: 2196 (sshd)
    CGroup: /system.slice/sshd.service
    └─2196 /usr/sbin/sshd -D

    Nov 01 09:25:43 ipa.example.local systemd[1]: Started OpenSSH server daemon.
    Nov 01 09:25:47 ipa.example.local sshd[2196]: key_parse_private_pem: RSA_blinding_on failed
    Nov 01 09:25:48 ipa.example.local sshd[2196]: Could not load host key: /etc/ssh/ssh_host_rsa_key
    Nov 01 09:25:51 ipa.example.local sshd[2196]: Server listening on port 22.
    Nov 01 09:25:51 ipa.example.local sshd[2196]: Server listening on :: port 22.
    Nov 01 09:51:07 ipa.example.local sshd[6371]: error: key_parse_private_pem: RSA_blinding_on failed
    Nov 01 09:51:07 ipa.example.local sshd[6371]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key

    I am using cloned copies in vmware.

  4. Thanks Tomas,

    I have searched over net for the solution . and then i have posted here.
    none of the solution did work for me .
    1) removed ssh and installed it again
    2) removed keys . and tried to generate again
    3) it gives selinux errors, but it does not work here.
    Selinux error:
    You can generate a local policy module to allow this access.
    allow this access for now by executing:
    # grep sshd-keygen /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Please direct me to correct solution.

  5. Hi,

    How can I allow ssh access for IPA users? When I try to connect ssh alice@ I get permission denied. User alice is IPA user. But if I use local user I have access.

  6. Hi,

    I am trying to setting up ssh session time out on rhel8.7.

    ClientAliveInterval 15
    ClientAliveCountMax 3

    This does not seem to work.

    Can you verify if these settings works the same in rhel8.6 and rhel8.7 onwards

Leave a Reply

Your email address will not be published. Required fields are marked *