
SSH Configuration on a Server

Server-Side Setup

1. Open the SSHD configuration file and enable the required authentication options

$ vim /etc/ssh/sshd_config

Uncomment the relevant options. The resulting configuration should look like this:

Port 22
Protocol 2
PermitRootLogin no

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Port: the TCP port sshd listens on (22 by default).

Protocol: selects SSH protocol version 2. OpenSSH 7.4 and later support only version 2 and ignore this keyword, so it is harmless on new systems but no longer does anything.

PermitRootLogin: controls whether the root account may log in over SSH. Nothing in this setup needs it, because the repository is reached through the git account, so leave it at no (or at the default, prohibit-password) and administer the host through a normal account with sudo. Older guides set this to yes, which exposes the one account every brute-force tool tries first.

RSAAuthentication: older guides also enable this option. It applied only to SSH protocol 1 and was removed in OpenSSH 7.4, where sshd logs a "Deprecated option" warning and ignores it. Do not add it to new configurations; RSA keys are handled by PubkeyAuthentication.

PubkeyAuthentication: enables public key authentication.

AuthorizedKeysFile: sets the location of the user's public key file. A relative path is resolved against the user's home directory.

2. Save the file, check it, and restart SSHD

Run sshd -t first: it parses the file and reports syntax errors without starting anything, which matters because a broken sshd_config leaves you without SSH after the restart. Then restart the service:

$ service sshd restart

On systemd-based distributions the equivalent is systemctl restart sshd. Keep your current session open and test a new connection before closing it, so that a mistake does not lock you out.

Because AuthorizedKeysFile is set to .ssh/authorized_keys, the path is relative to the target user's home directory. If the target account is git, the file is /home/git/.ssh/authorized_keys. Create the directory (the git account must already exist):

$ mkdir /home/git/.ssh

3. Change the owner of the directory to git

$ chown -R git:root /home/git/.ssh

With StrictModes (the default), sshd ignores authorized_keys unless the home directory, the .ssh directory and the file itself are owned by the user and are not writable by group or others. The owner must therefore be git; git:git works equally well as the group, as long as the directory is not group-writable.

Client-Side Setup

1. Create an SSH key pair on the client

Create an SSH key pair. The example uses RSA, which every OpenSSH version still in use accepts; if both sides are reasonably current, Ed25519 (-t ed25519) gives shorter keys and is the default type in recent ssh-keygen releases. Do not use DSA: it was the default on some old systems, but OpenSSH has refused DSA keys by default since version 7.0.

$ ssh-keygen -t rsa 

This creates a private key and a public key. If you accept the default path, they are saved in the current user's .ssh directory as id_rsa (the private key, which never leaves the client) and id_rsa.pub (the public key, which is copied to the server). ssh-keygen also prompts for a passphrase; an empty passphrase leaves the private key readable by anyone who obtains the file, so set one unless the key is used only by unattended automation.

2. Import the client public key to the server

Replace IP with the server IP address. ssh-copy-id git@IP is the usual shortcut and also creates .ssh on the server if it is missing; the explicit form below shows what it does:

$ ssh git@IP 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub

3. Verify the key file on the server and adjust permissions

After entering the git user's password (the account needs a password for this one step; alternatively, append the public key as root on the server), return to the server, confirm that authorized_keys exists, and adjust permissions:

$ chmod 700 /home/git/.ssh
$ chmod 600 /home/git/.ssh/authorized_keys
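The server-side directory setup, the client-side key import and the permission fixes above are one procedure, and they are easy to get subtly wrong (a duplicated key on re-run, or a group-writable directory that makes sshd silently fall back to password prompts). The following script is an added example, not part of the original page: it installs a key idempotently and checks the permissions StrictModes requires. The function names are my own, and the key line in the demonstration is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example: install a public key for a user and enforce the permissions
# sshd's StrictModes requires. Helper names are my own, not from the page.

# install_authorized_key HOME_DIR PUBKEY_LINE [OWNER]
#   Creates HOME_DIR/.ssh (mode 700) and HOME_DIR/.ssh/authorized_keys
#   (mode 600), appends PUBKEY_LINE only if that exact line is not already
#   present, and, when OWNER (e.g. git:git) is given, chowns the tree to it.
#   OWNER needs root; omit it when running as the target user.
#   On the server from the page:
#     install_authorized_key /home/git "$(cat /tmp/id_rsa.pub)" git:git
install_authorized_key() {
  home="$1"; key="$2"; owner="${3:-}"
  sshdir="$home/.ssh"; akf="$sshdir/authorized_keys"
  mkdir -p "$sshdir" || return 1
  chmod 700 "$sshdir" || return 1
  [ -f "$akf" ] || : > "$akf"
  chmod 600 "$akf" || return 1
  # Exact-line match: re-running with the same key does not duplicate it.
  if ! grep -Fxq -- "$key" "$akf"; then
    printf '%s\n' "$key" >> "$akf" || return 1
  fi
  if [ -n "$owner" ]; then
    chown -R "$owner" "$sshdir" || return 1
  fi
}

# verify_key_perms HOME_DIR
#   Returns 0 when .ssh is exactly 700 and authorized_keys exactly 600.
#   With StrictModes (the default) sshd refuses keys from a directory or
#   file that is group- or world-writable, so this is the check to run when
#   key login unexpectedly falls back to a password prompt.
verify_key_perms() {
  sshdir="$1/.ssh"; akf="$sshdir/authorized_keys"
  [ -n "$(find "$sshdir" -prune -perm 700 2>/dev/null)" ] || return 1
  [ -n "$(find "$akf" -prune -perm 600 2>/dev/null)" ] || return 1
}

# count_keys HOME_DIR
#   Number of key lines in authorized_keys (blank lines and comments excluded).
count_keys() {
  grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1/.ssh/authorized_keys"
}

# Demonstration on a throwaway directory; the key is a constructed placeholder.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyForDemoOnly alice@laptop"
install_authorized_key "$demo_home" \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyForDemoOnly alice@laptop"
verify_key_perms "$demo_home" && \
  echo "permissions ok, $(count_keys "$demo_home") key(s) installed"
rm -rf "$demo_home"
```

The demonstration installs the same key twice and still reports one key. On a real server, run it as root with the owner argument so that the directory created under /home/git ends up owned by git rather than root, which is the same requirement the chown step above satisfies.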

4. Clone the repository again from the client

Replace IP with the server IP address and update the repository path as needed:

$ git clone git@IP:/opt/code/test.git

5. Restrict the git user from logging in through an interactive SSH shell

Edit /etc/passwd:

$ vim /etc/passwd

Find the record for the git user and change its login shell from /bin/bash to git-shell, using the path that which git-shell prints (/usr/bin/git-shell on most distributions). The result should look like this:

git:x:1001:1001::/home/git:/usr/bin/git-shell

git-shell only executes the git-upload-pack, git-receive-pack and git-upload-archive commands that clone, fetch and push need, and refuses an interactive session unless a git-shell-commands directory exists in the home directory. A stolen key for this account therefore yields repository access, not a shell. Add the git-shell path to /etc/shells if it is not already listed, since chsh refuses shells that are not in that file. Editing /etc/passwd with vipw, or running usermod -s /usr/bin/git-shell git, avoids a typo in the file locking out every account.

6. Change the SSH port

The default SSH port draws constant brute-force attempts. Moving sshd to another port cuts that noise, but it is not a security boundary on its own (a port scan finds the new port in seconds), so treat it as a complement to key-only login. Once key login for the git user works, set PasswordAuthentication no in sshd_config so that the brute-force attempts have nothing to guess.

(1). Edit /etc/ssh/sshd_config

As in the first step, change the value after Port to XXX. Make sure it does not conflict with other services (ss -ltn lists what is already listening) and is at most 65535. Do not restart sshd yet: open the firewall and label the port for SELinux first, and keep your current session open until a connection on the new port succeeds.

(2). Open the firewall port

firewalld blocks ports by default, so open the new SSH port:

firewall-cmd --zone=public --add-port=XXX/tcp --permanent

--permanent writes the rule to disk but does not apply it to the running firewall; follow it with firewall-cmd --reload. Once the new port is confirmed working, remove the old one with --remove-service=ssh (or --remove-port=22/tcp) so that port 22 is closed.

(3). Configure SELinux

On SELinux-enabled systems, sshd may only bind to ports labelled ssh_port_t, so it fails to start (Bind to port XXX failed: Permission denied in the log) if the new port is not labelled:

semanage port -a -t ssh_port_t -p tcp XXX

semanage comes from the policycoreutils-python-utils package (policycoreutils-python on CentOS 7). If the port already carries another label, use -m instead of -a. Check with semanage port -l | grep ssh_port_t, then restart sshd and test the new port from a second session.

  • XXX refers to the new port number in the examples above.
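Steps 1 and 6 both edit sshd_config, and two parsing rules catch people out: for most keywords sshd uses the first value it finds (a second PermitRootLogin line lower down is ignored), while multiple Port lines make it listen on all of them, and anything below a Match line applies only to matching connections. The following audit script is an added example, not from the original page; it reads a configuration file with those rules and checks the settings this page touches. The function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: read sshd_config the way sshd does and audit the settings
# this page touches. Function names are my own, not from the page.

# _sshd_scan CONFIG KEYWORD ALL
#   Prints the value(s) of KEYWORD from the global section of CONFIG.
#   Keyword matching is case-insensitive; "Key value" and "Key=value" are
#   both accepted; comment and blank lines are skipped. Scanning stops at
#   the first Match line, because keywords below it apply only to matching
#   connections. With ALL=0 only the first occurrence is printed, which is
#   the value sshd uses for most keywords ("the first obtained value will
#   be used", sshd_config(5)); with ALL=1 every occurrence is printed, which
#   is what sshd does for Port: it listens on all of them.
_sshd_scan() {
  awk -v want="$2" -v all="$3" '
    BEGIN { want = tolower(want) }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (match(line, /[ \t=]+/) == 0) next
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      sub(/[ \t]+$/, "", val)
      if (key == "match") exit
      if (key == want) { print val; if (all != 1) exit }
    }
  ' "$1"
}
sshd_option() { _sshd_scan "$1" "$2" 0; }
sshd_ports()  { _sshd_scan "$1" Port 1; }

# audit_sshd_config CONFIG
#   Prints one line per finding (FAIL or WARN). Returns 0 if there is no
#   FAIL, else 1. Defaults used when a keyword is absent follow current
#   OpenSSH: Port 22, PermitRootLogin prohibit-password,
#   PubkeyAuthentication yes, PasswordAuthentication yes.
audit_sshd_config() {
  cfg="$1"; rc=0
  ports=$(sshd_ports "$cfg"); [ -n "$ports" ] || ports=22
  for p in $ports; do
    case "$p" in
      22) echo "WARN Port 22 is in use: the default port attracts brute-force attempts" ;;
      *[!0-9]*) echo "FAIL Port '$p' is not a number"; rc=1 ;;
      *) if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
           echo "FAIL Port $p is out of range"; rc=1
         fi ;;
    esac
  done
  prl=$(sshd_option "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
  if [ "$prl" = yes ]; then
    echo "FAIL PermitRootLogin yes: a git server never needs root over SSH"; rc=1
  fi
  pka=$(sshd_option "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z'); [ -n "$pka" ] || pka=yes
  if [ "$pka" != yes ]; then
    echo "FAIL PubkeyAuthentication $pka: key login for the git user will not work"; rc=1
  fi
  pwa=$(sshd_option "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z'); [ -n "$pwa" ] || pwa=yes
  if [ "$pwa" = yes ]; then
    echo "WARN PasswordAuthentication yes: disable it once key login is confirmed working"
  fi
  if [ -n "$(sshd_option "$cfg" RSAAuthentication)" ]; then
    echo "WARN RSAAuthentication is an SSH-1 option removed in OpenSSH 7.4; newer sshd logs a deprecation warning and ignores it"
  fi
  return $rc
}

# Demonstration on a constructed configuration (not a real server's file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#Port 22
Port 2222
PermitRootLogin yes
PubkeyAuthentication yes
RSAAuthentication yes
Match User git
    PermitRootLogin no
EOF
audit_sshd_config "$demo_cfg" || echo "audit failed: fix the FAIL lines above before restarting sshd"
rm -f "$demo_cfg"
```

The demonstration fails on PermitRootLogin yes even though a later Match block sets it to no, because that later line only applies to sessions matching User git. Run sshd -t after editing as well: it catches syntax errors the audit does not look for, but it cannot tell you that the firewall or SELinux will block the new port, which is what steps (2) and (3) handle.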
