From a26310fc24a37663ec1e14017b06117d469ff8c7 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Oct 25 2020 20:38:07 +0000 Subject: Clarify how to change server configuration using drop-in directory and files --- diff --git a/modules/system-administrators-guide/pages/infrastructure-services/OpenSSH.adoc b/modules/system-administrators-guide/pages/infrastructure-services/OpenSSH.adoc index 979d6c2..f4fbf89 100644 --- a/modules/system-administrators-guide/pages/infrastructure-services/OpenSSH.adoc +++ b/modules/system-administrators-guide/pages/infrastructure-services/OpenSSH.adoc 
@@ -251,14 +251,14 @@ See xref:infrastructure-services/Services_and_Daemons.adoc#ch-Services_and_Daemo [[s2-ssh-configuration-keypairs]] === Using Key-based Authentication indexterm:[OpenSSH,using key-based authentication] -To improve the system security even further, generate SSH key pairs and then enforce key-based authentication by disabling password authentication. To do so, open the `/etc/ssh/sshd_config` configuration file in a text editor such as [application]*vi* or [application]*nano*, and change the [option]`PasswordAuthentication` option as follows: +To improve the system security even further, generate SSH key pairs and then enforce key-based authentication by disabling password authentication. To do so, create a drop-in configuration file, for example `/etc/ssh/sshd_config.d/01-local.conf`. Make sure it is lexicographically before the `50-redhat.conf` file, providing Fedora defaults. In a text editor such as [application]*vi* or [application]*nano* insert the [option]`PasswordAuthentication` option as follows: [subs="quotes"] ---- PasswordAuthentication no ---- -If you are working on a system other than a new default installation, check that [command]#PubkeyAuthentication no# has *not* been set. If connected remotely, not using console or out-of-band access, testing the key-based log in process before disabling password authentication is advised. +If you are working on a system other than a new default installation, check that [command]#PubkeyAuthentication no# has *not* been set in neither `/etc/ssh/sshd_config` nor any included file from drop-in directory. If connected remotely, not using console or out-of-band access, testing the key-based log in process before disabling password authentication is advised. To be able to use [command]#ssh#, [command]#scp#, or [command]#sftp# to connect to the server from a client machine, generate an authorization key pair by following the steps below. Note that keys must be generated for each user separately.
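Review bot: In the second changed paragraph, "has *not* been set in neither `/etc/ssh/sshd_config` nor any included file from drop-in directory" is a double negative and can be read as the opposite of what is meant. Suggest "has *not* been set in either `/etc/ssh/sshd_config` or any file included from the drop-in directory". In the first changed paragraph, "Make sure it is lexicographically before the `50-redhat.conf` file, providing Fedora defaults" gives the ordering rule but not the reason for it. A short clause saying why the local file has to sort ahead of `50-redhat.conf` would let readers pick a file name other than the `01-local.conf` example with confidence. "which provides the Fedora defaults" would also read more clearly than the trailing participle. Finally, "In a text editor such as [application]*vi* or [application]*nano* insert the [option]`PasswordAuthentication` option" is missing a comma after the editor names.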