SSH Management in Red Hat
Secure Shell Configuration, Usage and Automation
Amritanshu Prashar
June 16, 2025
Contents
1 Introduction to SSH
2 Installing and Verifying OpenSSH
3 Firewall Configuration for SSH
4 SSH Directory and Configuration Files
5 SSH Connection Basics
6 Executing Commands Remotely
7 Secure File Transfer
8 Passwordless SSH Authentication
9 Passwordless SSH with Passphrase
10 SSH Banner Configuration
10.1 Pre-Login Banner
10.2 Post-Login Banner
11 Advanced SSH Management
11.1 Disabling Root Login via SSH
11.2 Changing Default SSH Port
11.3 Allowing/Denying Specific Users or Groups
11.4 Blocking SSH Access from Specific IP Address
11.5 Allowing/Denying Groups
1 Introduction to SSH
SSH (Secure Shell) is a protocol that allows secure communication between systems over
an unsecured network. It uses asymmetric encryption, meaning it involves two keys: a
private key and a public key. SSH typically uses the RSA algorithm and SHA-256 for
hashing.
2 Installing and Verifying OpenSSH
• OpenSSH is the package that provides SSH.
• Check if SSH is installed:
rpm -qa | grep ssh
• Check SSH service status:
systemctl status sshd
• Start and enable SSH:
systemctl start sshd
systemctl enable sshd
# Or in one step: systemctl enable --now sshd
3 Firewall Configuration for SSH
firewall-cmd --list-all
firewall-cmd --permanent --add-service=ssh --zone=public
firewall-cmd --reload
4 SSH Directory and Configuration Files
• After installing OpenSSH, a directory /etc/ssh is created.
• View contents:
cd /etc/ssh
ls -l /etc/ssh
• Key files:
– ssh_config – SSH client configuration.
– sshd_config – SSH daemon configuration.
5 SSH Connection Basics
• Syntax:
ssh username@IPaddress
• Example:
ssh amrit@192.168.1.***
• Using hostname:
cat /etc/hosts
vim /etc/hosts
# Add: 192.168.1.*** client
ping client
6 Executing Commands Remotely
ssh root@client hostname
7 Secure File Transfer
• Create a file:
echo "Hii, I am Amritanshu From Server side" > [Link]
ls
• Copy file using SCP:
scp -r /root/server to [Link] root@client:/tmp
8 Passwordless SSH Authentication
1. On client side:
cd ~/.ssh
ls -al
2. Generate key:
ssh-keygen
3. On server side:
mkdir ~/.ssh
chmod 700 ~/.ssh
scp -r /root/.ssh/idr [Link]@server:/root/.ssh
OR
ssh-copy-id root@[Link]
4. Login:
ssh root@server
9 Passwordless SSH with Passphrase
1. On client:
ssh-keygen
# Enter passphrase
ssh-copy-id root@192.168.205.***
2. Login attempt (will prompt for passphrase):
ssh root@server
3. Cache the passphrase:
eval $(ssh-agent)
ssh-add /root/.ssh/id_rsa
# Enter passphrase
ssh root@server
4. To clear the cached passphrase, log out and log back in.
10 SSH Banner Configuration
10.1 Pre-Login Banner
1. Create banner file:
cd /etc/ssh
vim [Link]
# Add message: Hii, I am Amritanshu client side user and I am providing pre login banner...
2. Edit SSH daemon config:
Command
vim /etc/ssh/sshd_config
# Add or modify: Banner /etc/ssh/[Link]
3. Restart SSH service:
Command
systemctl restart sshd
10.2 Post-Login Banner
1. Create MOTD file:
Command
vim /etc/motd
# Add message: Hii, I am Amritanshu client side user providing post login Banner...
2. Restart SSH service:
Command
systemctl restart sshd
11 Advanced SSH Management
11.1 Disabling Root Login via SSH
Reason: Direct SSH root login does not generate individual user logs. Disabling root
login forces users to authenticate with non-root accounts first, improving accountability
and system security.
1. Navigate to SSH configuration directory:
Command
cd /etc/ssh
2. Open the SSH daemon configuration file:
Command
vim sshd_config
3. Locate and modify the line:
Set PermitRootLogin
PermitRootLogin no
4. Save and exit the file.
5. Restart SSH service:
Restart SSH
systemctl restart sshd
6. Attempt to SSH as root from a client system. It should show “Permission Denied”.
Alternate method:
• Navigate to: /etc/ssh/sshd_config.d
• Locate the file: [Link]
• Set the directive:
Alternate Config File
PermitRootLogin no
11.2 Changing Default SSH Port
Reason: Changing the default port (22) reduces exposure to automated scanning and
brute-force attacks.
1. Edit SSH config file:
Edit Config
vim /etc/ssh/sshd_config
2. Change:
Change Port
#Port 22
Port 5541
3. Check open ports:
List Listening Ports
lsof -nP -iTCP -sTCP:LISTEN
4. Restart SSH daemon:
Restart SSH
systemctl restart sshd
5. Allow port in firewall:
Firewall Configuration
firewall-cmd --permanent --add-port=5541/tcp
firewall-cmd --reload
6. Connect via new port:
Connect
ssh -p 5541 user@server
7. Remove the port:
Remove Port
firewall-cmd --permanent --remove-port=5541/tcp
firewall-cmd --reload
11.3 Allowing/Denying Specific Users or Groups
Allow Specific Users
1. Edit SSH configuration:
Command
vim /etc/ssh/sshd_config
2. Add:
Command
AllowUsers amrit gopal
3. Restart SSH:
Command
systemctl restart sshd
4. Test connections:
Test SSH Access
ssh amrit@server (Allowed)
ssh gopal@server (Allowed)
ssh operator1@server (Denied)
ssh root@server (Denied)
Deny Specific Users
1. Add to config:
Command
DenyUsers operator1
2. Restart SSH:
Command
systemctl restart sshd
11.4 Blocking SSH Access from Specific IP Address
1. Edit configuration file:
Command
vim /etc/ssh/sshd_config
2. Add:
Command
DenyUsers *@192.168.205.***
3. Restart service:
Command
systemctl restart sshd
11.5 Allowing/Denying Groups
Allow a Group
Command
AllowGroups linux
Deny a Group
Command
DenyGroups redhat
Note: After any change in sshd_config, restart the SSH service using:
Command
systemctl restart sshd
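How the directives from sections 11.3 to 11.5 combine, as an added example that is not part of the original notes: sshd_config(5) documents the processing order DenyUsers, AllowUsers, DenyGroups, AllowGroups, which is why root is refused once AllowUsers lists only amrit and gopal. The function names, the group memberships and the 192.0.2.* and 198.51.100.7 addresses are constructed for the illustration, and shell globbing stands in for sshd's own pattern matcher.

```sh
# Added example, not part of the original notes. sshd_config(5) gives the order
# DenyUsers, AllowUsers, DenyGroups, AllowGroups. Function names are hypothetical;
# shell globbing stands in for sshd's matcher (no "!" negation, no CIDR).

# name_matches NAME HOST PATTERN...: true if a NAME or NAME@HOST pattern matches.
name_matches() {
    nm_name=$1 nm_host=$2; shift 2
    for nm_pat in "$@"; do
        case $nm_pat in
            *@*) case $nm_host in ${nm_pat#*@}) ;; *) continue ;; esac
                 nm_pat=${nm_pat%%@*} ;;
        esac
        case $nm_name in $nm_pat) return 0 ;; esac
    done
    return 1
}

# any_group_matches "GROUP..." PATTERN...: true if one of the user's groups matches.
any_group_matches() {
    ag_groups=$1; shift
    for ag_g in $ag_groups; do
        name_matches "$ag_g" '' "$@" && return 0
    done
    return 1
}

# ssh_access USER HOST "GROUP...": print the decision for one login attempt.
ssh_access() {
    set -f    # keep * in the pattern lists literal while they are word-split
    if name_matches "$1" "$2" $DENY_USERS; then echo 'denied: DenyUsers'
    elif [ -n "$ALLOW_USERS" ] && ! name_matches "$1" "$2" $ALLOW_USERS; then
        echo 'denied: not in AllowUsers'
    elif any_group_matches "$3" $DENY_GROUPS; then echo 'denied: DenyGroups'
    elif [ -n "$ALLOW_GROUPS" ] && ! any_group_matches "$3" $ALLOW_GROUPS; then
        echo 'denied: not in AllowGroups'
    else echo allowed
    fi
    set +f
}

# Constructed sample settings; 192.0.2.* stands in for the masked address.
DENY_USERS='operator1 *@192.0.2.*' ALLOW_USERS='amrit gopal'
DENY_GROUPS='redhat' ALLOW_GROUPS='linux'
ssh_access amrit 198.51.100.7 'amrit linux'          # allowed
ssh_access root  198.51.100.7 'root'                 # denied: not in AllowUsers
ssh_access amrit 192.0.2.15   'amrit linux'          # denied: DenyUsers
ssh_access gopal 198.51.100.7 'gopal redhat linux'   # denied: DenyGroups
```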
End of Notes – Compiled by Amritanshu