Enable and configure SSH service

This guide describes how to set up SSH service.

Overview

The openssh-server bundle provides the OpenSSH package that enables an SSH service in Clear Linux* OS. Remote users require an SSH service to be able to use an encrypted login shell.

Clear Linux OS enables the sshd.socket unit, which listens on port 22 by default and starts the OpenSSH service as required. The first time OpenSSH starts, it generates the server SSH keys needed for the service.

Prerequisites

Ensure the openssh-server bundle is installed.

To list all bundles on your host, enter:

sudo swupd bundle-list

To add the openssh-server bundle, enter:

sudo swupd bundle-add openssh-server

Change default port

Perform the following steps to change the default listening port for the OpenSSH service.

  1. Open a drop-in override file for the sshd.socket unit:

    sudo systemctl edit sshd.socket
    
  2. Add the [Socket] section and ListenStream option to the override file as shown below. The first ListenStream entry, which is left empty, removes the Clear Linux OS default listen port value. The second ListenStream entry sets the new default listen port value. In this example, we set the new default port to 4200:

    [Socket]
    ListenStream=
    ListenStream=4200
    

    Make sure to include a new line after the last line of text in the override file.

  3. Verify your changes:

    cat /etc/systemd/system/sshd.socket.d/override.conf
    

    The following output is displayed:

    [Socket]
    ListenStream=
    ListenStream=4200
    
  4. Reload the systemd daemon configurations:

    sudo systemctl daemon-reload
    
  5. Restart the sshd.socket unit:

    sudo systemctl restart sshd.socket
    
  6. Confirm the sshd.socket unit is listening on your new port:

    sudo systemctl status sshd.socket
    

    Note

    The output should show Active: active (listening).
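
Added example (not part of the original guide): a shell model of the drop-in merge from step 2, showing that a drop-in without the empty ListenStream= line leaves port 22 listening alongside 4200. The function name effective_listen_streams and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: models how systemd merges ListenStream= from a unit file and
# its drop-ins. Simplification: only ListenStream= in [Socket] is tracked.

# effective_listen_streams FILE...
# Read the files in the order given (unit first, drop-ins after) and print the
# resulting ListenStream values, space-separated, on one line.
effective_listen_streams() {
    awk '
        BEGIN { n = 0 }
        FNR == 1 { in_socket = 0 }            # each file starts outside any section
        /^[ \t]*[#;]/ { next }                # skip comment lines
        /^[ \t]*\[/ {                         # section header
            in_socket = ($0 ~ /^[ \t]*\[Socket\][ \t]*$/)
            next
        }
        in_socket && /^[ \t]*ListenStream[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            if (value == "") n = 0            # empty assignment resets the list
            else list[++n] = value            # any other assignment appends
        }
        END {
            out = ""
            for (i = 1; i <= n; i++) out = out (i > 1 ? " " : "") list[i]
            print out
        }
    ' "$@"
}

# Constructed sample files; the first stands in for the vendor sshd.socket unit.
demo() {
    dir=$(mktemp -d) || return 1
    printf '[Socket]\nListenStream=22\n' > "$dir/sshd.socket"
    printf '[Socket]\nListenStream=\nListenStream=4200\n' > "$dir/with-reset.conf"
    printf '[Socket]\nListenStream=4200\n' > "$dir/no-reset.conf"
    echo "with reset:    $(effective_listen_streams "$dir/sshd.socket" "$dir/with-reset.conf")"
    echo "without reset: $(effective_listen_streams "$dir/sshd.socket" "$dir/no-reset.conf")"
    rm -rf "$dir"
}

demo
```

On a live host, systemctl show -p Listen sshd.socket reports the addresses the socket unit is actually configured to listen on.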

Enable SFTP

Clear Linux OS disables the SFTP subsystem by default due to security considerations. To enable the SFTP subsystem, you must configure the SSHD service file.

  1. Create a systemd drop-in directory for the SSHD service:

    sudo mkdir -p /etc/systemd/system/sshd@.service.d
    
  2. Create the following file: /etc/systemd/system/sshd@.service.d/sftp.conf

  3. Add the OPTIONS environment variable to the sftp.conf file.

    [Service]
    Environment="OPTIONS=-o Subsystem=\"sftp /usr/libexec/sftp-server\""
    
  4. Reload systemd configuration:

    sudo systemctl daemon-reload
    

Congratulations! The SFTP subsystem is enabled.

Enable root login

To enable root login via SSH, perform the following steps:

  1. Create an ssh directory in /etc, if it does not already exist.

    sudo mkdir -p /etc/ssh
    
  2. Create the following file, if it does not already exist: /etc/ssh/sshd_config

  3. Set the configuration variable in /etc/ssh/sshd_config:

    PermitRootLogin yes
    

Enable X11-forwarding

X11 forwarding allows you to securely run graphical applications (that is, X clients) over the SSH connection. This enables remote GUI apps without the need for a full VNC or remote desktop setup. To enable X11 forwarding via SSH, perform the following steps:

  1. Create an ssh directory in /etc, if it does not already exist.

    sudo mkdir -p /etc/ssh
    
  2. Create the following file, if it does not already exist: /etc/ssh/sshd_config

  3. Set the following configuration variables.

    AllowTcpForwarding yes
    X11UseLocalhost yes
    X11DisplayOffset 10
    X11Forwarding yes