RHEL8: Configure sshd

Edit sshd_config

vi /etc/ssh/sshd_config

Replace the contents of the file with the following:

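# sshd_config for a public-key-only SSH server on RHEL 8.
#
# NOTE(review): on RHEL 8 the system-wide crypto policy is passed to sshd on
# its command line and takes precedence over the Ciphers, MACs, KexAlgorithms,
# HostKeyAlgorithms and PubkeyAcceptedKeyTypes lines in this file. They only
# take effect after uncommenting "CRYPTO_POLICY=" in /etc/sysconfig/sshd.
#
# Check the file with "sshd -t" and keep an existing session open while
# restarting sshd. AllowGroups below refuses every account that is not a
# member of "remoteadmins", so create the group and add the admin account
# before restarting.
#AcceptEnv
AddressFamily any
# NOTE(review): with agent forwarding on, root on this host can use a
# connected user's forwarded agent for the life of the session. Set to "no"
# unless onward hops from this host are required.
AllowAgentForwarding yes
AllowGroups remoteadmins
AllowTcpForwarding no
AllowStreamLocalForwarding no
#AllowUsers
AuthenticationMethods publickey
#AuthorizedKeysCommand
#AuthorizedKeysCommandUser
#AuthorizedPrincipalsCommand
#AuthorizedPrincipalsCommandUser
AuthorizedPrincipalsFile none
#Banner
# Was "yes", which contradicted KbdInteractiveAuthentication below. With
# AuthenticationMethods publickey no interactive method is needed.
ChallengeResponseAuthentication no
ChrootDirectory none
#Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# A probe is sent after 1 s without data from the client and the session is
# dropped after 90 unanswered probes. This detects dead peers; it is not an
# idle timeout. NOTE(review): confirm the two values are not swapped.
ClientAliveCountMax 90
ClientAliveInterval 1
Compression no
# The Deny lists are evaluated before the Allow lists, so root is refused
# here regardless of PermitRootLogin.
DenyGroups root daemon
DenyUsers root
FingerprintHash sha256
ForceCommand none
GatewayPorts no
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIStoreCredentialsOnRekey yes
HostbasedAuthentication no
HostbasedUsesNameFromPacketOnly no
HostCertificate none
HostKey "/etc/ssh/ssh_host_ed25519_key"
# Only an Ed25519 host key is loaded and HostCertificate is none, so the
# certificate entries are unused here.
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ssh-rsa-cert-v01@openssh.com
IgnoreRhosts yes
IgnoreUserKnownHosts no
KbdInteractiveAuthentication no
# Was "yes". This option only controls validating a password against the
# KDC, and PasswordAuthentication is off, so it is disabled to match.
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256
#ListenAddress
LoginGraceTime 20
LogLevel info
# Trailing comma removed: it left an empty entry at the end of the list.
# NOTE(review): umac-64-etm uses a 64-bit tag; drop it if policy requires
# 128-bit or longer MACs.
MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
MaxAuthTries 2
MaxSessions 5
MaxStartups 10:30:1000
PasswordAuthentication no
PermitEmptyPasswords no
PermitOpen none
# Was "forced-commands-only", which DenyUsers root above already overrides.
# "no" states the effective policy directly.
PermitRootLogin no
PermitTunnel no
PermitTTY yes
PermitUserEnvironment no
PermitUserRC yes
PidFile "/var/run/sshd.pid"
Port 22
PrintLastLog yes
PrintMotd no
# Deprecated option: current OpenSSH speaks protocol 2 only and ignores it.
#Protocol 2
# NOTE(review): ssh-rsa-cert-v01@openssh.com accepts RSA certificates with
# SHA-1 signatures. Prefer the rsa-sha2-256/512 certificate types if RSA
# user certificates are needed at all.
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ssh-rsa-cert-v01@openssh.com
PubkeyAuthentication yes
# Was "500M:30s". The documented syntax separates the data limit and the
# time limit with whitespace; the colon form does not set the time limit.
RekeyLimit 500M 30s
RevokedKeys none
StreamLocalBindMask 0177
StreamLocalBindUnlink no
StrictModes yes
#Subsystem
SyslogFacility AUTH
TCPKeepAlive no
#TrustedUserCAKeys
UseDNS no
UsePAM yes
# Deprecated option: privilege separation is always on in current OpenSSH.
#UsePrivilegeSeparation sandbox
VersionAddendum none
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes
XAuthLocation /usr/bin/xauth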

Run visudo and add the following row in the section "Same thing without a password", replacing USER with the account name:

USER ALL=(ALL)       NOPASSWD: ALL

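Then uncomment the following row, save, and exit the file. With NOPASSWD and key-only SSH login, the account's SSH private key is the only credential between a remote login and root.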

%wheel  ALL=(ALL)       NOPASSWD: ALL
