# Enable SSH on Fedora Linux
By default, Fedora doesn’t enable SSH access. You’ll need to install OpenSSH server, start the service, and configure your firewall to allow connections.
## Install OpenSSH Server
```bash
sudo dnf install openssh-server openssh-clients
```
The openssh-clients package provides the ssh command for connecting to other machines, while openssh-server allows incoming connections.
## Start and Enable the SSH Service
```bash
sudo systemctl start sshd
sudo systemctl enable sshd
```
The enable command makes SSH start automatically on boot. Verify it’s running:
```bash
sudo systemctl status sshd
```
You should see “active (running)” in the output.
## Configure the Firewall
Fedora uses firewalld by default. Open port 22 for SSH:
```bash
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
```
Verify the rule is active:
```bash
sudo firewall-cmd --list-services
```
You should see ssh in the list.
## Test Your SSH Connection
From another machine on the same network:
```bash
ssh username@fedora-host-ip
```
Find your Fedora machine’s IP address:
```bash
ip addr show | grep 'inet '
```
## SSH Configuration Hardening
For production use, edit /etc/ssh/sshd_config to improve security:
**Disable root login:**
```
PermitRootLogin no
```
**Disable password authentication (use keys only):**
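```
PasswordAuthentication no
PubkeyAuthentication yes
```
Set up key authentication (see Set Up SSH Key Authentication below) and confirm that you can log in with your key before applying this change, or you can lock yourself out of the server.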
**Change the default port (optional):**
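```
Port 2222
```
If you change the port, update the firewall:
```bash
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
```
With SELinux enforcing, also label the new port as described under SELinux Considerations below, or sshd will not be able to bind to it.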
**Limit access to specific users:**
```
AllowUsers alice bob
```
After any configuration change, restart the service:
```bash
sudo systemctl restart sshd
```
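
sshd uses the first value it reads for each keyword, so an earlier occurrence of a directive can silently override the line you just edited. The following is an added example, not part of the original guide, that checks the settings recommended above against the effective configuration printed by `sudo sshd -T` or against a raw config file; the function name `check_sshd_hardening` and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). check_sshd_hardening is a
# hypothetical helper name. It reads "keyword value" lines on stdin, e.g. the
# effective configuration printed by `sudo sshd -T`, or a raw sshd_config.
check_sshd_hardening() {
    awk '
    BEGIN {
        # Values recommended in the hardening section above.
        want["permitrootlogin"] = "no"
        want["passwordauthentication"] = "no"
        want["pubkeyauthentication"] = "yes"
    }
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    {
        key = tolower($1)              # keywords are case-insensitive
        if (key == "match") exit       # global settings end at the first Match block
        if (key == "allowusers") { allow = 1; next }
        if (!(key in seen)) seen[key] = tolower($2)   # sshd keeps the first value
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) { print "FAIL " k " is not set explicitly"; bad++ }
            else if (seen[k] != want[k]) { print "FAIL " k " is " seen[k] ", expected " want[k]; bad++ }
            else print "OK   " k " " seen[k]
        }
        if (!allow) { print "FAIL no AllowUsers list is set"; bad++ }
        exit bad                       # exit status = number of findings
    }'
}

# Constructed sample input: the second PermitRootLogin line is ignored by sshd,
# so root login stays enabled even though "no" appears later in the file.
check_sshd_hardening <<'EOF' || echo "findings: $?"
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF
```
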
## Set Up SSH Key Authentication
Generate a key pair on your client machine:
```bash
ssh-keygen -t ed25519 -C "your-email@example.com"
```
Copy the public key to your Fedora server:
```bash
ssh-copy-id username@fedora-host-ip
```
Or manually if ssh-copy-id isn’t available:
```bash
cat ~/.ssh/id_ed25519.pub | ssh username@fedora-host-ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```
Test the connection — you should log in without a password prompt.
## SELinux Considerations
Fedora enforces SELinux by default. SSH generally works out of the box, but if you encounter issues:
Check SELinux status:
```bash
getenforce
```
If SSH can’t read authorized_keys:
```bash
sudo restorecon -Rv ~/.ssh
```
If you changed the SSH port, tell SELinux:
```bash
sudo semanage port -a -t ssh_port_t -p tcp 2222
```
## Troubleshooting
**Connection refused:**
```bash
sudo systemctl status sshd          # Is it running?
sudo firewall-cmd --list-services   # Is SSH allowed?
```
**Permission denied:**
Check file permissions:
```bash
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```
**Slow connection:**
DNS reverse lookup can cause delays. Add to sshd_config:
```
UseDNS no
```
**Check SSH logs:**
```bash
sudo journalctl -u sshd --since "1 hour ago"
```
## SSH Host Keys
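When you first connect to a Fedora server, SSH shows the host key fingerprint and asks you to confirm it:
```
The authenticity of host '192.168.1.100' can't be established.
ED25519 key fingerprint is SHA256:xxxxx.
Are you sure you want to continue connecting (yes/no)?
```
Type yes to accept. The fingerprint is saved in ~/.ssh/known_hosts. Compare the fingerprint with one obtained from the server itself (for example, from its console) before accepting, since this prompt is the only point at which you can catch a connection to the wrong machine.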
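If you reinstall Fedora or change the host keys, you’ll see a warning:
```
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
```
The same warning appears when something is intercepting the connection, so remove the old key only when you know why the host key changed.
Remove the old key:
```bash
ssh-keygen -R 192.168.1.100
```
Then reconnect and accept the new fingerprint.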
## Using SSH Config for Convenience
Instead of typing full connection strings every time, configure shortcuts in ~/.ssh/config:
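```
Host fedora
    HostName 192.168.1.100
    User alice
    Port 2222
    IdentityFile ~/.ssh/id_ed25519
    # Agent forwarding lets anyone with root on this host use your loaded keys;
    # keep it only for servers you trust.
    ForwardAgent yes
```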
Now connect with just:
```bash
ssh fedora
```
You can also configure multiplexing to reuse connections:
```
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600
```
Create the directory that holds the control sockets:
```bash
mkdir -p ~/.ssh/sockets
```
This keeps connections alive for 10 minutes after you disconnect, making subsequent connections instant.
