The Secure Shell (SSH) provides protected, encrypted communications with other systems. Because SSH is an entry point into the system, disable SSH if it isn't required. Optionally, you can edit the /etc/ssh/sshd_config file to restrict its use.
Important: After applying changes to the configuration file, you must restart the sshd service for the changes to take effect.
Restrict Root Access
Set PermitRootLogin to no to prohibit root from logging in with SSH. Then, elevate a user's privileges after logging in.
PermitRootLogin no
Restrict Specific Users
You can restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers, and DenyGroups settings, for example:
DenyUsers carol dan
AllowUsers alice bob
For more information about configuring users and groups, see Oracle Linux 8: Setting Up System Users and Authentication or Oracle Linux 9: Setting Up System Users and Authentication.
Set a Timeout Period
The ClientAliveInterval and ClientAliveCountMax settings cause the SSH client to time out automatically after a period of inactivity, for example:
# Disconnect client after 300 seconds of inactivity
ClientAliveCountMax 0
ClientAliveInterval 300
Disable Password Authentication
The PasswordAuthentication and PubkeyAuthentication settings define the method of authentication the SSH client implements for users: either with a password or with an SSH public key. By default, OpenSSH uses passwords for authentication. However, if you have configured key-based authentication, which is more secure, you can optionally disable password authentication:
PasswordAuthentication no
PubkeyAuthentication yes
For more information, see the sshd_config(5) manual page.
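The following check is an added example, not part of the original documentation. It audits sshd_config text against the values shown in the sections above, applying the sshd_config(5) rule that the first value obtained for a keyword is the one used, so a hardened line appended below an earlier permissive one has no effect. The function names and the sample file are constructed for illustration, and Include files are assumed not to be followed.

```python
import re

# Values shown on this page; keywords are matched case-insensitively.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "clientaliveinterval": "300",
    "clientalivecountmax": "0",
}

# Constructed sample, not taken from a real host.
SAMPLE = """\
PermitRootLogin yes
PasswordAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 0
# Appended later; ignored because PermitRootLogin is already set above.
PermitRootLogin no
Match User backup
    PubkeyAuthentication yes
"""

def effective_global_settings(text):
    """Resolve global keywords the way sshd does: first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything after Match is conditional, not global
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # keep the first value only
    return settings

def audit(text):
    """Return (keyword, found, expected) for each setting that differs."""
    found = effective_global_settings(text)
    return [(k, found.get(k), want) for k, want in EXPECTED.items()
            if (found.get(k) or "").lower() != want]

if __name__ == "__main__":
    for keyword, got, want in audit(SAMPLE):
        print(f"{keyword}: found {got!r}, expected {want!r}")
```

A keyword reported with a found value of None is not set in the global section, so sshd falls back to its built-in default for it.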