openssh-server
The openssh-server bundle provides the OpenSSH* package needed to enable an SSH service in Clear Linux* OS. Remote users require an SSH service to be able to use an encrypted login shell.
Clear Linux OS enables the sshd.socket unit, which will listen on port 22 by default and start the OpenSSH service as required. The first time OpenSSH starts, it generates the server SSH keys needed for the service.
Prerequisites
Ensure the openssh-server bundle is installed.
To check whether it is on your host, enter:
sudo swupd bundle-list
To add it, enter:
sudo swupd bundle-add openssh-server
Change default port
Perform the following steps to change the default listening port for the OpenSSH service:
Open the sshd.socket file:
sudo systemctl edit sshd.socket
Add the [Socket] section and ListenStream option to the sshd.socket file as shown below. The first ListenStream entry removes the Clear Linux OS default listen port value. The second ListenStream entry sets the new default listen port value. In this example, we set the new default port to 4200:
[Socket]
ListenStream=
ListenStream=4200
Make sure to include a new line after the last line of text in the sshd.socket file.
Verify your changes:
cat /etc/systemd/system/sshd.socket.d/override.conf
You should see the following output:
[Socket]
ListenStream=
ListenStream=4200
Reload the systemd daemon configurations:
sudo systemctl daemon-reload
Restart the sshd.socket unit:
sudo systemctl restart sshd.socket
Confirm that the sshd.socket unit is listening on your new port:
sudo systemctl status sshd.socket
Note
The output should show Active: active (listening).
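The effect of the empty ListenStream= line can be checked offline. The script below is an added example, not part of the Clear Linux OS documentation: effective_listen is a hypothetical helper that applies systemd's rule that an empty list assignment clears earlier values, and the unit files it reads are constructed samples.

```shell
#!/bin/sh
# effective_listen FILE...
# Prints the ListenStream values left after reading the given unit files in
# order (main unit first, then drop-ins). An empty "ListenStream=" clears
# every value collected so far, which is how systemd treats list settings.
effective_listen() {
    awk '
        FNR == 1 { in_socket = 0 }            # each file starts outside any section
        /^[ \t]*[#;]/ { next }                # skip comment lines
        /^\[/ { in_socket = ($0 ~ /^\[Socket\]/); next }
        in_socket && /^ListenStream[ \t]*=/ {
            val = $0
            sub(/^ListenStream[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val == "") n = 0              # empty assignment resets the list
            else ports[++n] = val
        }
        END {
            for (i = 1; i <= n; i++) printf "%s%s", (i > 1 ? " " : ""), ports[i]
            if (n) print ""
        }
    ' "$@"
}

# Constructed sample files (assumption: the stock unit listens on port 22,
# as the text above states; these are not copied from a real system).
work=$(mktemp -d)
printf '[Socket]\nListenStream=22\n' > "$work/sshd.socket"
printf '[Socket]\nListenStream=\nListenStream=4200\n' > "$work/override.conf"
printf '[Socket]\nListenStream=4200\n' > "$work/no-reset.conf"

# Drop-in from this guide: only the new port remains.
echo "with reset:    $(effective_listen "$work/sshd.socket" "$work/override.conf")"
# Same drop-in without the empty line: port 22 stays open next to 4200.
echo "without reset: $(effective_listen "$work/sshd.socket" "$work/no-reset.conf")"
```

If the reset line is left out, the SSH service stays reachable on port 22 in addition to the new port, so any firewall rule written for the new port alone does not describe what is actually exposed.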
Enable SFTP
Clear Linux OS disables the SFTP subsystem by default due to security considerations. To enable the SFTP subsystem, perform the following configuration of the SSHD service file:
Create a systemd drop-in directory for the SSHD service:
sudo mkdir -p /etc/systemd/system/sshd@.service.d
Create the following file:
/etc/systemd/system/sshd@.service.d/sftp.conf
Add the OPTIONS environment variable to the sftp.conf file.
[Service]
Environment="OPTIONS=-o Subsystem=\"sftp /usr/libexec/sftp-server\""
Reload systemd configuration:
sudo systemctl daemon-reload
Congratulations! The SFTP subsystem is enabled.
Enable root login
To enable root login via SSH, perform the following steps:
Create an ssh directory in /etc, if it does not already exist.
sudo mkdir -p /etc/ssh
Create the following file, if it does not already exist:
/etc/ssh/sshd_config
Set the configuration variable in /etc/ssh/sshd_config:
PermitRootLogin yes
Enable X11-forwarding
X11 forwarding allows you to securely run graphical applications (i.e., X clients) over the SSH connection. This allows remote GUI applications to run without the need for a full VNC or remote desktop setup. To enable X11 forwarding via SSH, perform the following steps:
Create an ssh directory in /etc, if it does not already exist.
sudo mkdir -p /etc/ssh
Create the following file, if it does not already exist:
/etc/ssh/sshd_config
Set the configuration variables.
AllowTcpForwarding yes
X11UseLocalhost yes
X11DisplayOffset 10
X11Forwarding yes