Fedora 40 : SSH Server

Introduction

This guide covers the installation and configuration of an SSH Server on Fedora 40 using the 5W1H approach. We will explore the What, Who, Where, When, Why, How, Consequences, and Conclusion of setting up an SSH server.

Overview Password Authentication SSH File Transfer (Fedora) SSH File Transfer (Windows) SSH Key-Pair Authentication SFTP only + Chroot Use SSH-Agent

Navbar

• Overview
• Password Authentication
• SSH File Transfer (Fedora)
• SSH File Transfer (Windows)
• SSH Key-Pair Authentication
• SFTP only + Chroot
• Use SSH-Agent

Overview

What

SSH (Secure Shell) is a protocol for securely accessing and managing remote servers over a network. Setting up an SSH server on Fedora 40 allows secure remote connections to your system.

Who

This guide is intended for system administrators and IT professionals who need to manage remote servers and ensure secure connections using SSH.

Where

The setup process can be carried out on any server running Fedora 40 that requires secure remote access capabilities.

When

Setting up an SSH server should be done during a planned maintenance window to avoid potential disruptions to network services.

Why

Implementing an SSH server on your network offers several advantages:

Pros	Cons
Secure remote access to your server	Initial setup complexity
Encrypted communication	Requires configuration and management
Flexibility in server management	Potential security risks if not properly configured

How

Follow these steps to set up an SSH server on Fedora 40:

sudo systemctl start sshd 
sudo systemctl enable sshd
                

Step 1	Update your system: sudo dnf update -y
Step 2	Install the OpenSSH server package: sudo dnf install -y openssh-server
Step 3	Start and enable the SSH service:
Step 4	Check the status of the SSH service: sudo systemctl status sshd
Step 5	Optionally, configure the SSH settings in: (``/etc/ssh/sshd_config``) to enhance security and customize the setup.

Consequences

Setting up an SSH server on Fedora 40 can have the following consequences:

Positive	Secure remote management of servers. Encrypted data transmission. Enhanced flexibility and control over server access.
Negative	Complex initial setup and configuration. Potential security vulnerabilities if misconfigured. Requires ongoing management and monitoring.

Conclusion

Setting up an SSH server on Fedora 40 is essential for securely managing remote servers. Although the initial setup can be complex and requires careful configuration, the benefits of secure remote access, encrypted communication, and enhanced server management flexibility make it a vital tool for any IT infrastructure. By following this guide, system administrators can ensure their servers are accessible remotely in a secure and efficient manner.

Password Authentication

Configure SSH Server to operate server from remote computers.

Step [1]OpenSSH is already installed by default even if you installed Fedora with Minimal Install, so it does not need to install new packages. You can login with Password Authentication by default.

                     
[root@dlp ~]# systemctl status sshd
*  sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: ena>
    Drop-In: /usr/lib/systemd/system/service.d
             +-- 10-timeout-abort.conf
     Active: active (running) since Wed 2024-04-24 10:18:23 JST; 2h 12min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 918 (sshd)
      Tasks: 1 (limit: 4637)
     Memory: 2.2M (peak: 2.4M)
        CPU: 19ms
     CGroup: /system.slice/sshd.service
.....
.....
                    
                

Step [2]If Firewalld is running, allow SSH service. SSH uses [22/TCP]. (Generally it is allowed by default)

                     
[root@dlp ~]# firewall-cmd --add-service=ssh
success
[root@dlp ~]# firewall-cmd --runtime-to-permanent
success
                    
                

SSH Client : Fedora

Configure SSH Client for Fedora.

Step [3]Install SSH Client.

                    
[root@client ~]# dnf -y install openssh-clients
                    
                

Step [4]Connect to SSH server with any common user.

                    
# ssh [username@(hostname or IP address)]
[fedora@client ~]$ ssh fedora@dlp.bizantum.lab
The authenticity of host 'dlp.bizantum.lab (10.0.0.30)' can't be established.
ED25519 key fingerprint is SHA256:xB9sL9tkNZXF236635Nzcgv6Bq1qOVRYWjQ+oD8Vwhg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'dlp.bizantum.lab' (ED25519) to the list of known hosts.
fedora@dlp.bizantum.lab's password:
Web console: https://dlp.bizantum.lab:9090/ or https://10.0.0.30:9090/

[fedora@dlp ~]$   # logined
                    
                

Step [5]It's possible to execute commands on remote Host with SSH like follows.

                    
# for example, run [cat /etc/passwd]
[fedora@client ~]$ ssh fedora@dlp.bizantum.lab "cat /etc/passwd"
fedora@dlp.bizantum.lab's password:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
.....
.....
dnsmasq:x:991:990:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/usr/sbin/nologin
tcpdump:x:72:72:tcpdump:/:/usr/sbin/nologin
fedora:x:1000:1000::/home/fedora:/bin/bash
                    
                

SSH Client : Windows#1

Configure SSH Client for Windows. This example is on Windows 11.

Step [6] Download SSH Client software for Windows. On this example, it shows Putty (www.chiark.greenend.org.uk/~sgtatham/putty/). Install and start Putty, then Input your server's Hostname or IP address on [Host name] field and Click [Open] button to connect

Step [7]After successfully passed authentication, it's possible to login and operate Fedora server from remote computers.

SSH Client : Windows#2

Step [8]On Windows 11, OpenSSH Client has been implemented as a Windows feature, so it's possible to use [ssh] command on PowerShell or Command Prompt without Putty or other 3rd party SSH softwares. It's the same usage because it's the OpenSSH Client, refer to [4], [5] section.

SSH File Transfer (Fedora)

It's possible to transfer files via SSH.

Step [1]It's the example for using SCP (Secure Copy).

                     
# command ⇒ scp [Option] Source Target
# copy the [test.txt] on localhost to remote host [node01.bizantum.lab]
[fedora@dlp ~]$ scp ./test.txt fedora@node01.bizantum.lab:~/
fedora@node01.bizantum.lab's password:     # password of the user
test.txt                                      100%   10     0.0KB/s   00:00

# copy the [/home/fedora/test.txt] on remote host [node01.bizantum.lab] to the localhost
[fedora@dlp ~]$ scp fedora@node01.bizantum.lab:/home/fedora/test.txt ./test.txt
fedora@node01.bizantum.lab's password:
test.txt                                      100%   10     0.0KB/s   00:00
                    
                

Step [2] It's the example to use SFTP (SSH File Transfer Protocol). SFTP server feature is enabled by default, but if not, enable it to add the line [Subsystem sftp /usr/libexec/openssh/sftp-server] in [/etc/ssh/sshd_config].

                     
# sftp [Option] [user@host]
[redhat@dlp ~]$ sftp fedora@node01.bizantum.lab
fedora@node01.bizantum.lab's password:    # password of the user
Connected to node01.bizantum.lab.
sftp>

# show current directory on remote host
sftp> pwd
Remote working directory: /home/fedora

# show current directory on localhost
sftp> !pwd
/home/redhat 

# show files in current directory on remote host
sftp> ls -l
drwxrwxr-x    2 fedora     fedora            7 Apr 24 21:33 public_html
-rw-rw-r--    1 fedora     fedora           10 Apr 24 22:53 test.txt

# show files in current directory on localhost
sftp> !ls -l
total 4
-rw-rw-r--    1 redhat     redhat           10 Apr 24 21:53 test.txt

# change directory
sftp> cd public_html
sftp> pwd
Remote working directory: /home/fedora/public_html

# upload a file to remote host
sftp> put test.txt redhat.txt
Uploading test.txt to /home/fedora/redhat.txt
test.txt                           100%   10     0.0KB/s   00:00
sftp> ls -l
drwxrwxr-x    2 fedora     fedora            6 Apr 24 21:33 public_html
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:39 redhat.txt
-rw-rw-r--    1 fedora     fedora           10 Apr 24 22:53 test.txt

# upload some files to remote host
sftp> put *.txt
Uploading test.txt to /home/fedora/test.txt
test.txt                                           100%   10     0.0KB/s   00:00
Uploading test2.txt to /home/fedora/test2.txt
test2.txt                                          100%    0     0.0KB/s   00:00
sftp> ls -l
drwxrwxr-x    2 fedora     fedora            6 Apr 24 21:33 public_html
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:39 redhat.txt
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:45 test.txt
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:46 test2.txt

# download a file from remote host
sftp> get test.txt
Fetching /home/fedora/test.txt to test.txt
/home/fedora/test.txt                   100%   10     0.0KB/s   00:00

# download some files from remote host
sftp> get *.txt
Fetching /home/fedora/fedora.txt to fedora.txt
/home/fedora/fedora.txt                                       100%   10     0.0KB/s   00:00
Fetching /home/fedora/test.txt to test.txt
/home/fedora/test.txt                                         100%   10     0.0KB/s   00:00
Fetching /home/fedora/test2.txt to test2.txt
/home/fedora/test2.txt                                        100%   10     0.0KB/s   00:00

# create a directory on remote host
sftp> mkdir testdir
sftp> ls -l
drwxrwxr-x    2 fedora     fedora            6 Apr 24 21:33 public_html
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:39 redhat.txt
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:45 test.txt
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:46 test2.txt
drwxrwxr-x    2 fedora     fedora            6 Apr 24 21:53 testdir

# delete a directory on remote host
sftp> rmdir testdir
rmdir ok, `testdir' removed
sftp> ls -l
drwxrwxr-x    2 fedora     fedora            6 Apr 24 21:33 public_html
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:39 redhat.txt
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:45 test.txt
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:46 test2.txt

# delete a file on remote host
sftp> rm test2.txt
Removing /home/fedora/test2.txt
sftp> ls -l 
drwxrwxr-x    2 fedora     fedora            6 Apr 24 21:33 public_html
-rw-rw-r--    1 fedora     fedora           10 Apr 24 21:39 redhat.txt
-rw-rw-r--    1 fedora     fedora           10 Apr 24 Apr 24 21:45 test.txt

# execute commands with ![command]
sftp> !cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
.....
.....
redhat:x:1001:1001::/home/redhat:/bin/bash

# exit
sftp> quit
221 Goodbye.
                    
                

SSH File Transfer (Windows)

It's possible to transfer files via SSH on Windows Client. On this example, it shows WinSCP (winscp.net/eng/download.php) for it. On Windows 11, OpenSSH Client has been implemented as a Windows feature, so it's possible to use [scp], [sftp] commands like the examples here.

Step [1] Install and start WinSCP, then following window is displayed. Input Hostname, Username, User's Password and then Click [Login] button.

Step [2]After successfully passed authentication, it's possible to transfer files on WinSCP via SSH.

SSH Key-Pair Authentication

Configure SSH server to login with Key-Pair Authentication. Create a private key for client and a public key for server to do it.

Step [1]Create Key-Pair by each user, so login with a common user on SSH Server Host and work like follows.

                     
# create key-pair
[fedora@dlp ~]$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/fedora/.ssh/id_ecdsa):  # Enter or input changes if you want
Enter passphrase (empty for no passphrase):  # set passphrase (if set no passphrase, Enter with empty)
Enter same passphrase again:
Your identification has been saved in /home/fedora/.ssh/id_ecdsa
Your public key has been saved in /home/fedora/.ssh/id_ecdsa.pub
The key fingerprint is:
SHA256:JplBYWJv++klrHHHV6RACnEgMw8YcqJqpxWMQI3sS9c fedora@dlp.bizantum.lab
The key's randomart image is:
.....
.....

[fedora@dlp ~]$ ll ~/.ssh
total 16
-rw-------. 1 fedora fedora 557 Apr 24 12:56 id_ecdsa
-rw-r--r--. 1 fedora fedora 182 Apr 24 12:56 id_ecdsa.pub
-rw-------. 1 fedora fedora 846 Apr 24 12:46 known_hosts
-rw-r--r--. 1 fedora fedora  98 Apr 24 12:46 known_hosts.old

[fedora@dlp ~]$ mv ~/.ssh/id_ecdsa.pub ~/.ssh/authorized_keys
                    
                

Step [2]Transfer the private key created on the Server to a Client, then it's possible to login with Key-Pair authentication.

                     
[fedora@node01 ~]$ mkdir ~/.ssh
[fedora@node01 ~]$ chmod 700 ~/.ssh
# transfer the private key to the local ssh directory
[fedora@node01 ~]$ scp fedora@dlp.bizantum.lab:/home/fedora/.ssh/id_ecdsa ~/.ssh/
fedora@dlp.bizantum.lab's password:
id_ecdsa                                      100%  557     1.7MB/s   00:00

[fedora@node01 ~]$ ssh fedora@dlp.bizantum.lab
Enter passphrase for key '/home/fedora/.ssh/id_ecdsa':   # passphrase if you set
Web console: https://dlp.bizantum.lab:9090/ or https://10.0.0.30:9090/

Last login: Wed Apr 24 12:55:54 2024
[fedora@dlp ~]$   # logined
                    
                

Step [3]If you set [PasswordAuthentication no], it's more secure.

                    
[root@dlp ~]# vi /etc/ssh/sshd_config
# line 65, 69 : uncomment and change to [no]
PasswordAuthentication no
.....
.....
KbdInteractiveAuthentication no
[root@dlp ~]# systemctl restart sshd
                    
                

SSH Key-Pair Authentication on Windows Client #1

This is the example to login to SSH server from Windows Client. It uses Putty on this example. Before it, Transfer a private key to Windows Client.

Step [4] Run [Puttygen.exe] that is included in [Putty]. (placed in the folder [Putty.exe] is also placed) If not included, Download it from official site (www.chiark.greenend.org.uk/~sgtatham/putty/). After starting [Puttygen.exe], Click [Load] button on the following window.

Step [5]Specify the private key that you transferred from SSH server, then passphrase is required like follows, answer it. (if not set passphrase, this step is skipped)

Step [6]Click [Save private key] button to save it under a folder you like with any file name you like.

Step [7]Start Putty and Open [Connection] - [SSH] - [Auth] - [Credentials] on the left pane, then specify your private key on the [Private key file] field.

Step [8]Back to the [Session] on the left pane and specify your SSH server host to Connect.

Step [9]When SSH key-pair is set, the passphrase if it is set is required to login like follows, then answer it.

SSH Key-Pair Authentication on Windows #2

Step [10] On Windows 11, OpenSSH Client has been implemented as a Windows feature, so it's possible to authenticate with SSH Key-Pair without Putty and other 3rd party softwares. Transfer your private key to your Windows 11 and put it under the [(logon user home).ssh] folder like follows, then it's ready to use Key-Pair authentication.

SFTP only + Chroot

Configure SFTP only + Chroot. Some users who are applied this setting can access only with SFTP and also applied chroot directory.

Step [1] For example, Set [/home] as the Chroot directory.

                     
# create a group for SFTP only
[root@dlp ~]# groupadd sftp_users
# for example, set [fedora] user as SFTP only user
[root@dlp ~]# usermod -aG sftp_users fedora
[root@dlp ~]# vi /etc/ssh/sshd_config
# line 123 : comment out and add a line
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

# add to the end
Match Group sftp_users
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /home
  ForceCommand internal-sftp
[root@dlp ~]# systemctl restart sshd
                    
                

Step [2]Verify working with a user set SFTP only setting.

                     
[fedora@node01 ~]$ ssh dlp.bizantum.lab
fedora@dlp.bizantum.lab's password:
This service allows sftp connections only.
Connection to dlp.bizantum.lab closed.   # denied normally
[fedora@node01 ~]$ sftp dlp.bizantum.lab
fedora@dlp.bizantum.lab's password:
Connected to dlp.bizantum.lab.
sftp> ls -l
drwx------    ? 1000     1000          111 Apr 24 12:46 fedora
drwx------    ? 1001     1002           83 Apr 24 10:54 redhat
sftp> pwd
Remote working directory: /
sftp> exit

                    
                

Use SSH-Agent

Use SSH-Agent to automate inputting Passphrase of SSH Key-Pair authentication.

Step [1]This is some example to use SSH-Agent.

                     
# run SSH-Agent
[fedora@node01 ~]$ eval $(ssh-agent)
Agent pid 1366
# add passphrase
[fedora@node01 ~]$ ssh-add
Enter passphrase for /home/fedora/.ssh/id_ecdsa:
Identity added: /home/fedora/.ssh/id_ecdsa (fedora@dlp.bizantum.lab)
# confirm
[fedora@node01 ~]$ ssh-add -l
256 SHA256:JplBYWJv++klrHHHV6RACnEgMw8YcqJqpxWMQI3sS9c fedora@dlp.bizantum.lab (ECDSA)
# verify to connect without inputting passphrase
[fedora@node01 ~]$ ssh dlp.bizantum.lab hostname
dlp.bizantum.lab
# stop SSH-Agent
# if not execute it, SSH-Agent process remains even if you logout System, be careful
[fedora@node01 ~]$ eval $(ssh-agent -k)
Agent pid 1366 killed