RHEL 8 SSH Hardening Guide

Description

Hardening the SSH server configuration is an important step in hardening your server.

RHEL 8 uses the system-wide crypto-policies framework to control SSH cryptographic algorithms. See Notes.

Relevant to

  • RHEL 8.x - all versions

Prerequisites

  • TOS must be installed on the server prior to implementing this resolution.

  • Root or sudo access to the operating system.

Notes

Changes made directly to the following parameters in /etc/ssh/sshd_config may not be reflected in the algorithms advertised by the SSH daemon:

  • Ciphers

  • MACs

  • KexAlgorithms

  • HostKeyAlgorithms

The active OpenSSH server crypto-policy configuration can be viewed in: /etc/crypto-policies/back-ends/opensshserver.config.

Administrators should verify the effective SSH configuration after making cryptographic changes and confirm the advertised algorithms using standard OpenSSH diagnostic tools.

You will need to restart the sshd service after making the recommended changes. The service restart is included in the resolution steps below.

Resolution

  1. Edit the file /etc/ssh/sshd_config, and set the fields listed below to the values listed. You may have to delete the comment character ('#') from some entries.

    X11Forwarding no
    Banner /etc/banner
    ClientAliveInterval 3600
    ClientAliveCountMax 0
    AllowAgentForwarding no
    AllowTcpForwarding no

  2. Remove deprecated SHA-1 SSH algorithms.

    sudo update-crypto-policies --set DEFAULT:NO-SHA1

  3. Restart the sshd service.

    sudo systemctl restart sshd

  4. Verify the resulting SSH algorithm set using standard OpenSSH diagnostic tools.

  5. If required, restore the default RHEL crypto policy, and then restart the sshd service.

    sudo update-crypto-policies --set DEFAULT
    sudo systemctl restart sshd
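One way to carry out the verification in step 4, as an added example that is not part of this guide: sshd -T prints the effective server configuration (keywords lowercased, one per line), so the script below reads that output, checks the six step 1 settings, and flags any SHA-1 algorithm still advertised after step 2. The embedded sshd -T output is a constructed sample that deliberately still lists hmac-sha1 and ssh-rsa; on a real host run sshd -T | check_sshd_hardening instead.

```shell
# Constructed sample of `sshd -T` output; on a real host use:  sshd -T | check_sshd_hardening
SAMPLE_SSHD_T='x11forwarding no
banner /etc/banner
clientaliveinterval 3600
clientalivecountmax 0
allowagentforwarding no
allowtcpforwarding no
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512
hostkeyalgorithms rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256'

# check_sshd_hardening reads sshd -T output on stdin, prints one FAIL line per
# deviation from the resolution steps, and returns 0 only if every check passes.
check_sshd_hardening() {
  conf=$(cat)
  rc=0
  # Step 1: each hardened setting must appear exactly as required.
  for want in 'x11forwarding no' 'banner /etc/banner' 'clientaliveinterval 3600' \
              'clientalivecountmax 0' 'allowagentforwarding no' 'allowtcpforwarding no'; do
    if ! printf '%s\n' "$conf" | grep -qxF "$want"; then
      echo "FAIL: expected '$want'"; rc=1
    fi
  done
  # Step 2: no SHA-1 algorithm may remain advertised. ssh-rsa is matched by name
  # because its signatures use SHA-1 even though the name does not say so.
  for key in macs kexalgorithms hostkeyalgorithms; do
    algs=$(printf '%s\n' "$conf" | awk -v k="$key" '$1 == k { print $2 }')
    case ",$algs," in
      *sha1*|*,ssh-rsa,*) echo "FAIL: $key still advertises SHA-1: $algs"; rc=1 ;;
    esac
  done
  return $rc
}

printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_hardening || echo "sshd is not fully hardened"
```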

We recommend installing all official security updates and security patches for your RHEL 8 version.