{"id":99185,"date":"2023-10-06T11:00:00","date_gmt":"2023-10-06T15:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=99185"},"modified":"2025-02-18T13:16:53","modified_gmt":"2025-02-18T18:16:53","slug":"how-to-configure-secure-ssh-server-rocky-linux","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux","title":{"rendered":"How to Configure a Secure SSH Server on Rocky Linux"},"content":{"rendered":"\n<p><a class=\"wp-block-cgb-button button\" href=\"#step1\">Jump to Tutorial<\/a><\/p>\n\n\n\n<p>In the world of modern computing and networking, accessing servers and systems is of paramount importance. One technology that plays a very important role in enabling secure remote access is SSH (Secure Shell).&nbsp;<\/p>\n\n\n\n<p>SSH is a cryptographic network protocol that allows users to securely communicate and access remote systems over an unsecured network. It provides a far more secure alternative to traditional remote access methods like Telnet and FTP, which transmit data in plaintext and are vulnerable to eavesdropping and unauthorized access.<\/p>\n\n\n\n<p>SSH offers several significant advantages over traditional remote access methods:<\/p>\n\n\n\n<ul>\n<li><strong>Security<\/strong>: The primary advantage of SSH is its strong security model. By using encryption and cryptographic authentication, SSH protects sensitive data from interception and unauthorized access.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li><strong>Authentication flexibility<\/strong>: SSH supports various authentication methods, allowing users to choose the most secure method for their needs. Public key authentication, in particular, is highly recommended as a good security practice.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li><strong>Data integrity<\/strong>: SSH works so that the data transmitted between the client and server remains intact and unaltered during transit. Any tampering or corruption of data would be detected.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li><strong>Cross-platform support<\/strong>: SSH is platform-independent and can be used to connect to systems running different operating systems, including Linux, macOS, Windows, and more.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li><strong>Port forwarding<\/strong>: SSH allows port forwarding, which enables users to securely access services on remote systems as if they were running on their local machine.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"heading1\">How SSH works<\/h2>\n\n\n\n<p>SSH uses public-key cryptography to establish a secure connection between a client and a server. The process involves the following steps:<\/p>\n\n\n\n<ol>\n<li><strong>Connection initialization<\/strong>: The client establishes a connection with the SSH server. The server listens on a specified port (default port 22) for incoming connection requests.<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\">\n<li><strong>Key exchange<\/strong>: During the initial connection, the client and server perform a key exchange. This process involves negotiating the encryption algorithms, integrity algorithms, and other cryptographic parameters that will be used for securing the communication.<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\">\n<li><strong>User authentication<\/strong>: Once the key exchange is successful, the client must prove its identity to the server. SSH supports various authentication methods, including password-based authentication, public key authentication, and host-based authentication.<\/li>\n<\/ol>\n\n\n\n<ul>\n<li><strong>Password authentication<\/strong>: The client sends its username and password to the server, which then verifies the credentials. However, this method is less secure than public key authentication and is often discouraged.<\/li>\n\n\n\n<li><strong>Public key authentication<\/strong>: This method involves generating a key pair on the client side \u2014 a public key and a private key. The public key is uploaded to the server, while the client retains the private key. During authentication, the client proves its identity by signing a challenge from the server using its private key. The server verifies the signature with the corresponding public key stored on the server.<\/li>\n\n\n\n<li><strong>Host-based authentication<\/strong>: In this method, the client&#8217;s identity is based on the hostname of the client machine. While this method is still used in some cases, it is less common due to its inherent security limitations.<\/li>\n<\/ul>\n\n\n\n<ol start=\"4\">\n<li><strong>Session establishment<\/strong>: After successful authentication, a secure channel (SSH session) is established between the client and server. From that moment all the communication between the two parties is encrypted using the agreed-upon encryption algorithms.<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\">\n<li><strong>Remote access<\/strong>: With the SSH session in place, the client can now securely execute commands, transfer files, and perform any other remote operations on the server.<\/li>\n<\/ol>\n\n\n\n<p>Configuring a secure SSH server on Rocky Linux is essential to protect your system from unauthorized access and potential security threats. The following tutorial will guide you through the steps to set up a secure SSH server on Rocky Linux.<\/p>\n\n\n\n<figure class=\"image is-16by9\">\n<iframe class=\"has-ratio\" width=\"300\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/QA0jJ59XwF4?rel=0\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen=\"\"><\/iframe>\n<\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step1\">Step 1: Log in to your server via SSH<\/h2>\n\n\n\n<p>OpenSSH server is installed on your Rocky Linux server even if you go with the minimal install, so you can log in via SSH to your server.<\/p>\n\n\n\n<p>To do so, you need to have a terminal or SSH client installed on your local machine. If you&#8217;re using Linux or macOS, you can use the built-in terminal application. As a Windows user, you will most likely use the PuTTy SSH client.<\/p>\n\n\n\n<p>Open your terminal and enter the following command to replace username and server_ip_address with your own.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>ssh username@server_ip_address<\/p>\n<\/div><\/div>\n\n\n\n<p>If you are logging in for the first time to your Rocky Linux server, you will see a security warning about the authenticity of the host.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"50\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/1.png\" alt=\"tutorial code\" class=\"wp-image-99190\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/1-300x29.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>You can verify authenticity by typing <em>yes <\/em>in the terminal.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step2\">Step 2: Change the default port<\/h2>\n\n\n\n<p>In order to change any configuration for your SSH server you need to edit the related config file. But before that, it is always a good idea to create a backup of your configuration file if it gets corrupted for some reason.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo cp \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config_backup<\/p>\n<\/div><\/div>\n\n\n\n<p>Next, we will edit the configuration file.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo vi \/etc\/ssh\/sshd_config<\/p>\n<\/div><\/div>\n\n\n\n<p>By default, SSH operates on port 22, which is well known and often targeted by attackers, and nowadays these attacks are highly automated. Changing the SSH port adds a layer of obscurity and can reduce the number of automated attacks. Choose any unused port, preferably a number between 1024 and 65535.<\/p>\n\n\n\n<p>In our case we will use port 2222, so you can scroll down and find the Port 22 line:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"80\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/2.png\" alt=\"tutorial code\" class=\"wp-image-99191\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/2.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/2-300x47.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Press <strong>i<\/strong> for edit, uncomment that line, and instead of 22, replace with 2222.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"78\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/3.png\" alt=\"tutorial code\" class=\"wp-image-99192\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/3.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/3-300x46.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Press Escape and type :wq for writing the changes and exiting the config file.<\/p>\n\n\n\n<p>Now, as you can see just above our setting for the port number, there is information provided if we want to change the SSH port number to any other port, we would need to update our SELinux configuration.<\/p>\n\n\n\n<p>SELinux is originally from Red Hat and it is enabled by default on your Rocky Linux. The primary purpose of SELinux is to restrict the actions that processes and users can perform on a Linux system, and minimize the potential damage that could result from security breaches or unauthorized access. It enforces the principle of least privilege, which means that processes and users are only granted the minimum necessary permissions to perform their intended tasks.<\/p>\n\n\n\n<p>Often, the <strong>semanage<\/strong> command is not found on Rocky Linux so we can check dependencies that are needed by running:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>yum provides \/usr\/sbin\/semanage<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"99\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/4.png\" alt=\"tutorial code\" class=\"wp-image-99193\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/4.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/4-300x58.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>From here you can see that we need to install additional Python libraries, and we can do so by running the following command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo yum install policycoreutils-python-utils<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"190\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/5.png\" alt=\"tutorial code\" class=\"wp-image-99194\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/5.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/5-300x111.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Type y, and hit Enter to install the package.<\/p>\n\n\n\n<p>After that action, you can use this command to tell SELinux that the SSH service is now running on the new port 2222:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo semanage port -a -t ssh_port_t -p tcp 2222<\/p>\n<\/div><\/div>\n\n\n\n<p>Now, we need to take care of our firewall and add the port there as well, otherwise, we will get a connection refused error.<\/p>\n\n\n\n<p>Rocky Linux uses firewalls, so we can add the rule:&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo firewall-cmd &#8211;zone=public &#8211;add-port=2222\/tcp &#8211;permanent<\/p>\n<\/div><\/div>\n\n\n\n<p>Next, we should reload the firewall so it starts using the new rule we have added:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>firewall-cmd &#8211;reload<\/p>\n<\/div><\/div>\n\n\n\n<p>Finally, we can restart our SSH server so we can apply the new configuration and start logging via SSH with port 2222.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo systemctl restart sshd<\/p>\n<\/div><\/div>\n\n\n\n<p>Now you can try and log in to your Rocky Linux server by adding the -p option and adding our new port number:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>ssh -p 2222 username@server_ip_address<\/p>\n<\/div><\/div>\n\n\n\n<p>Optionally, consider installing and configuring knockd to implement port knocking. This will make it more difficult for attackers to identify SSH ports.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>$ sudo apt-get install knockd<\/p>\n<\/div><\/div>\n\n\n\n<p>Next, we will edit the configuration file.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>$ sudo vi \/ \/etc\/knockd.conf<\/p>\n<\/div><\/div>\n\n\n\n<p>More details on this port knocking step are <a href=\"https:\/\/wiki.archlinux.org\/title\/Port_knocking\" target=\"_blank\" rel=\"noreferrer noopener\">available here<\/a>. You may also want to consider leveraging iptable\u2019s ability to whitelist IPs or use rate-limit connections to mitigate DDoS threats.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step3\">Step 3: Disable root login and limit user authentication<\/h2>\n\n\n\n<p>This step involves disabling root login via SSH, which is an important security measure to protect your system from unauthorized access. Instead of allowing direct root login, users should log in with a regular user account and then use sudo to perform administrative tasks. Also, we can define users that are only able to log in to the system.<\/p>\n\n\n\n<p>We need to change our configuration file again:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo vi \/etc\/ssh\/sshd_config<\/p>\n<\/div><\/div>\n\n\n\n<p>We need to find the line where the <strong>PermitRootLogin<\/strong> is and change it to no:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"157\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/6.png\" alt=\"tutorial code\" class=\"wp-image-99195\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/6.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/6-300x92.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Next, we would like to allow only certain users to log in to our server via SSH:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"478\" height=\"137\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/7.png\" alt=\"tutorial code\" class=\"wp-image-99196\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png 478w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7-300x86.png 300w\" sizes=\"(max-width: 478px) 100vw, 478px\" \/><\/figure>\n\n\n\n<p>Make sure that you already have real users that will be allowed with appropriate permissions so you don&#8217;t get locked out.<\/p>\n\n\n\n<p>Save the configuration file and restart the SSH service:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo systemctl restart sshd<\/p>\n<\/div><\/div>\n\n\n\n<p>Now, you should be able to log in with your user only. Here is an example where we try to log in with our second user <strong>jumpcloud2<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"44\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/8.png\" alt=\"tutorial code\" class=\"wp-image-99197\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/8.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/8-300x26.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>We can see that permission is denied even when we enter the correct password.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step4\">Step 4: Set up SSH keys and disable password login<\/h2>\n\n\n\n<p>In order to enhance the security further we can disable login with a password and use the SSH key.<\/p>\n\n\n\n<p>This method eliminates the risk of brute force attacks on passwords and ensures that only users with the corresponding private keys can access the system. Let&#8217;s go through the steps to achieve this.<\/p>\n\n\n\n<p>If you don&#8217;t have an SSH key pair on your local machine, you need to generate one.&nbsp;<\/p>\n\n\n\n<p>Open a terminal on your local machine and use the following command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>ssh-keygen -t rsa<\/p>\n<\/div><\/div>\n\n\n\n<p>This command will prompt you to choose a location to save the keys (usually ~\/.ssh\/id_rsa and ~\/.ssh\/id_rsa.pub) and set an optional passphrase for added security.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"166\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/9.png\" alt=\"tutorial code\" class=\"wp-image-99198\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/9.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/9-300x97.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Once you generate your SSH key pair, you need to copy the public key (jumpcloud_rockylinux.pub) to the remote server. You can use the ssh-copy-id command to do this.&nbsp;<\/p>\n\n\n\n<p>In our case we will run the following command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>ssh-copy-id -p 2222 -i ~\/.ssh\/jumpcloud_rockylinux.pub jumpcloud@194.195.240.58<\/p>\n<\/div><\/div>\n\n\n\n<p>You will get a similar output:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"91\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/10.png\" alt=\"tutorial code\" class=\"wp-image-99199\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/10.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/10-300x53.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Also, this command will prompt you to enter your user password on the remote server. Once you provide the password, the public key will be copied to the <strong>~\/.ssh\/authorized_keys<\/strong> file on the server.<\/p>\n\n\n\n<p>Before logging into the server, we would need to change the permissions to our key file so they don&#8217;t have 644 by default, and we will assign them permissions with the value 400.<\/p>\n\n\n\n<p>We can do so by running the following command in our local terminal:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>chmod 400 ~\/.ssh\/jumpcloud_rockylinux<\/p>\n<\/div><\/div>\n\n\n\n<p>Next, we will connect with our server:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>ssh -i ~\/.ssh\/jumpcloud_rockylinux -p 2222 jumpcloud@194.195.240.58<\/p>\n<\/div><\/div>\n\n\n\n<p>Let&#8217;s break down the commands:<\/p>\n\n\n\n<ul>\n<li>The <strong>-i<\/strong> option will load and use the private key that we&#8217;ve generated and give the exact path where it is stored.<\/li>\n\n\n\n<li>The <strong>-p<\/strong> option defines that we are trying to connect to our server via non-default 2222 port. If we don&#8217;t use this option we will get a connection refused error.<\/li>\n\n\n\n<li>The last part, jumpcloud@194.195.240.58, defines the username and IP address of our server.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>You should be able to log in without entering a password because the server is now configured to use SSH keys for authentication.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"30\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/11.png\" alt=\"tutorial code\" class=\"wp-image-99200\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/11.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/11-300x18.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>In order for us to disable password logging and use only SSH keys we need to edit our configuration file again:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo vi \/etc\/ssh\/sshd_config<\/p>\n<\/div><\/div>\n\n\n\n<p>Uncomment the part related to the PubkeyAuthentication and set it to yes:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"94\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/12.png\" alt=\"tutorial code\" class=\"wp-image-99201\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/12.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/12-300x55.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Next, change the PasswordAuthentication to <strong>no<\/strong>,<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"95\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/13.png\" alt=\"tutorial code\" class=\"wp-image-99202\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/13.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/13-300x56.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>and then save the file and exit.<\/p>\n\n\n\n<p>Now, we need to restart the SSH service so it loads the new configuration changes.<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>sudo systemctl restart sshd<\/p>\n<\/div><\/div>\n\n\n\n<p>You should be able to log in without entering a password, as key-based authentication is now enforced. If everything is working correctly, you have successfully configured SSH to only allow login with SSH keys, significantly enhancing the security of your remote server.<\/p>\n\n\n\n<p>If we try to log in to our server without supplying the SSH key, and run the following command:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>ssh -p 2222 jumpcloud@194.195.240.58&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<p>We will get the permission denied output:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"31\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/10\/14.png\" alt=\"tutorial code\" class=\"wp-image-99203\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/14.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/14-300x18.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>So, the correct way of logging in to our server from now on is to use the supplied key:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>ssh -i ~\/.ssh\/jumpcloud_rockylinux -p 2222 jumpcloud@194.195.240.58<\/p>\n<\/div><\/div>\n\n\n\n<p>After this command we have logged in successfully to our server by using the SSH key.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step5\">Step 5: Enhance security with multi-factor authentication<\/h2>\n\n\n\n<p>探花大神 admins can add multi-factor authentication (MFA) for additional security. If you are not using 探花大神 yet to manage Windows, Mac, and Linux systems across your fleet, <a href=\"https:\/\/console.jumpcloud.com\/signup\" target=\"_blank\" rel=\"noreferrer noopener\">get started today for free<\/a>.<\/p>\n\n\n\n<p>To enable MFA for SSH on a Linux system:<\/p>\n\n\n\n<ol>\n<li>Log in to the 探花大神 Admin Portal: <a href=\"https:\/\/console.jumpcloud.com\/login\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/console.jumpcloud.com\/login<\/a>.<\/li>\n\n\n\n<li>Go to DEVICE MANAGEMENT &gt; Devices.<\/li>\n\n\n\n<li>Select a Linux device.<\/li>\n\n\n\n<li>If MFA Login is disabled, deselect Allow SSH Password Login or Enable Public Key Authentication. If both options are selected, MFA can\u2019t be enabled.<\/li>\n\n\n\n<li>Click MFA Login Disabled and choose Enable MFA Login.<\/li>\n\n\n\n<li>Click ok to confirm.<\/li>\n\n\n\n<li>Click save device.<\/li>\n<\/ol>\n\n\n\n<p>To understand more about this process, check out the following support documentation:<\/p>\n\n\n\n<ul>\n<li><a href=\"https:\/\/jumpcloud.com\/support\/enable-totp-mfa-for-devices#linux\" target=\"_blank\" rel=\"noreferrer noopener\">Enable TOTP MFA for Linux<\/a>&nbsp;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Learn how to configure a secure SSH server on Rocky Linux in this step-by-step tutorial.<\/p>\n","protected":false},"author":150,"featured_media":99196,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[2781],"tags":[],"collection":[],"platform":[],"funnel_stage":[3017],"coauthors":[2535],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Configuring a Secure SSH Server on Rocky Linux - 探花大神<\/title>\n<meta name=\"description\" content=\"Learn how to configure a secure SSH server on Rocky Linux in this step-by-step tutorial.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Configure a Secure SSH Server on Rocky Linux\" \/>\n<meta property=\"og:description\" content=\"Learn how to configure a secure SSH server on Rocky Linux in this step-by-step tutorial.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux\" \/>\n<meta property=\"og:site_name\" content=\"探花大神\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-06T15:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-18T18:16:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png\" \/>\n\t<meta property=\"og:image:width\" content=\"478\" \/>\n\t<meta property=\"og:image:height\" content=\"137\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"David Worthington\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Worthington\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#article\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux\"},\"author\":{\"name\":\"David Worthington\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e\"},\"headline\":\"How to Configure a Secure SSH Server on Rocky Linux\",\"datePublished\":\"2023-10-06T15:00:00+00:00\",\"dateModified\":\"2025-02-18T18:16:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux\"},\"wordCount\":2156,\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png\",\"articleSection\":[\"How-To\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux\",\"url\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux\",\"name\":\"Configuring a Secure SSH Server on Rocky Linux - 探花大神\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png\",\"datePublished\":\"2023-10-06T15:00:00+00:00\",\"dateModified\":\"2025-02-18T18:16:53+00:00\",\"description\":\"Learn how to configure a secure SSH server on Rocky Linux in this step-by-step tutorial.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png\",\"width\":478,\"height\":137,\"caption\":\"tutorial code\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Configure a Secure SSH Server on Rocky Linux\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"探花大神\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"探花大神\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"探花大神\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e\",\"name\":\"David Worthington\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/d9acf1381c6e5b50c0f50d47b7b05411\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g\",\"caption\":\"David Worthington\"},\"description\":\"I'm the 探花大神 Champion for Product, Security. 探花大神 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.\",\"sameAs\":[\"https:\/\/jumpcloud.com\/blog\",\"david.worthington@jumpcloud.com\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Configuring a Secure SSH Server on Rocky Linux - 探花大神","description":"Learn how to configure a secure SSH server on Rocky Linux in this step-by-step tutorial.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux","og_locale":"en_US","og_type":"article","og_title":"How to Configure a Secure SSH Server on Rocky Linux","og_description":"Learn how to configure a secure SSH server on Rocky Linux in this step-by-step tutorial.","og_url":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux","og_site_name":"探花大神","article_published_time":"2023-10-06T15:00:00+00:00","article_modified_time":"2025-02-18T18:16:53+00:00","og_image":[{"width":478,"height":137,"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png","type":"image\/png"}],"author":"David Worthington","twitter_card":"summary_large_image","twitter_misc":{"Written by":"David Worthington","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#article","isPartOf":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux"},"author":{"name":"David Worthington","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e"},"headline":"How to Configure a Secure SSH Server on Rocky Linux","datePublished":"2023-10-06T15:00:00+00:00","dateModified":"2025-02-18T18:16:53+00:00","mainEntityOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux"},"wordCount":2156,"publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png","articleSection":["How-To"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux","url":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux","name":"Configuring a Secure SSH Server on Rocky Linux - 探花大神","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png","datePublished":"2023-10-06T15:00:00+00:00","dateModified":"2025-02-18T18:16:53+00:00","description":"Learn how to configure a secure SSH server on Rocky Linux in this step-by-step tutorial.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/10\/7.png","width":478,"height":137,"caption":"tutorial code"},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/blog\/how-to-configure-secure-ssh-server-rocky-linux#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"How to Configure a Secure SSH Server on Rocky Linux"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"探花大神","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"探花大神","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"探花大神"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e","name":"David Worthington","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/d9acf1381c6e5b50c0f50d47b7b05411","url":"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g","caption":"David Worthington"},"description":"I'm the 探花大神 Champion for Product, Security. 探花大神 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.","sameAs":["https:\/\/jumpcloud.com\/blog","david.worthington@jumpcloud.com"]}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/99185"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/comments?post=99185"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/99185\/revisions"}],"predecessor-version":[{"id":121360,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/99185\/revisions\/121360"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media\/99196"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=99185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/categories?post=99185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/tags?post=99185"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/collection?post=99185"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/platform?post=99185"},{"taxonomy":"funnel_stage","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/funnel_stage?post=99185"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=99185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}