SSH (Secure Shell)
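🔐 What is SSH?
SSH is a protocol for securely connecting to a remote computer over a network.
It replaces the plaintext (unencrypted) communication of older tools such as telnet and rsh with encrypted communication.
- Default port: 22
- Current standard: SSH-2 (SSH-1 is not used because of security vulnerabilities)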
# SSH architecture
Client (ssh)
↓
Encrypted communication
↓
Server (sshd)
# SSH connection process
1. Client → Server connection
2. Key exchange
3. Encryption algorithm negotiation
4. User authentication
5. Session creation
# Checking SSH logs
journalctl -u sshd
or
/var/log/secure
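An added example (not part of the original notes) of what to look for in those logs: it counts failed password attempts per source address. It matches on the message text rather than the process name, so it works whether a line is tagged `sshd` or `sshd-session`, and it reads the address from the end of the line because the user name in the middle is chosen by the remote side. The function names and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: count failed SSH password attempts per source address.

failed_by_source() {
    # Reads syslog-style lines on stdin and prints "<count> <source>",
    # highest count first.
    awk '
        # A failed-password message ends with: from ADDR port N ssh2
        # Anchoring on that tail ignores anything embedded in the user name.
        /Failed password for / && NF >= 5 &&
        $(NF - 4) == "from" && $(NF - 2) == "port" {
            hits[$(NF - 3)]++
        }
        END { for (src in hits) print hits[src], src }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation-range addresses, not real data).
sample_log() {
    cat <<'EOF'
Jan 10 09:15:01 DMT-RL01 sshd-session[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan 10 09:15:04 DMT-RL01 sshd-session[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan 10 09:15:09 DMT-RL01 sshd-session[2107]: Failed password for invalid user admin from 203.0.113.5 port 40030 ssh2
Jan 10 09:16:12 DMT-RL01 sshd-session[2113]: Failed password for invalid user test from 198.51.100.7 port 51544 ssh2
Jan 10 09:17:30 DMT-RL01 sshd-session[2120]: Accepted publickey for lycos7560 from 192.0.2.10 port 50112 ssh2
Jan 10 09:17:30 DMT-RL01 sshd-session[2120]: pam_unix(sshd:session): session opened for user lycos7560(uid=1000) by lycos7560(uid=0)
EOF
}

# On a live host:  journalctl -u sshd --no-pager | failed_by_source
#             or:  sudo cat /var/log/secure | failed_by_source
sample_log | failed_by_source
```

A source with many failures and no later `Accepted` line is the usual pattern for password guessing and a candidate for a firewall block.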
📦 Components
| Component | Description |
|---|---|
| openssh | Core SSH library |
| openssh-server | Server-side daemon (sshd), the package just installed |
| openssh-clients | Client side (ssh, scp, sftp commands) |
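🔑 Authentication methods
1. Password authentication
The client sends an ID/password to the server.
2. Key-based authentication (more secure, recommended in practice)
- Private key: kept on the client
- Public key: registered on the server
```bash
ssh-keygen                   # generate a key pair
ssh-copy-id user@SERVER_IP   # register the public key on the server
```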
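⚙️ Main configuration files
| File | Role |
|---|---|
| /etc/ssh/sshd_config | Core server settings (port, authentication methods, etc.) |
| /etc/ssh/sshd_config.d/50-redhat.conf | Rocky/RHEL default settings |
| /etc/pam.d/sshd | PAM authentication integration settings |
| /etc/sysconfig/sshd | Environment variables for the sshd service |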
🚀 Starting the service
```bash
sudo systemctl start sshd          # start now
sudo systemctl enable sshd         # start automatically at boot
sudo systemctl enable --now sshd   # enable at boot and start immediately
sudo systemctl status sshd         # check status
```
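🛡️ Key security points
- Change the port: moving from the default port 22 to another port is recommended
- Block root login: `PermitRootLogin no`
- Disable password authentication: allow key authentication only
- Firewall: allow access only from permitted IPs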
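An added example (not part of the original notes) that checks the sshd-side points above against the effective configuration. sshd uses the first value it obtains for each keyword, so a drop-in under /etc/ssh/sshd_config.d/ can take precedence over a later line in sshd_config; auditing the output of `sshd -T` avoids guessing which file won. The function names and sample values are constructed, and the keyboard-interactive check goes one step beyond the list above.

```bash
#!/bin/sh
# Added example: audit effective sshd settings.
# Input is `sshd -T` style output: one lowercase "keyword value" pair per line.

audit_sshd() {
    # Prints one FAIL line per problem; exit status is 1 if any check failed.
    awk '
        BEGIN {
            want["permitrootlogin"] = "no"
            want["passwordauthentication"] = "no"
            # Assumption beyond the notes: with PAM enabled, keyboard-interactive
            # can still prompt for a password, so it is checked as well.
            want["kbdinteractiveauthentication"] = "no"
        }
        $1 in want {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "FAIL %s=%s (want %s)\n", $1, $2, want[$1]; rc = 1
            }
        }
        $1 == "port" && $2 == 22 {
            print "FAIL port=22 (want a non-default port)"; rc = 1
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "FAIL %s missing from input\n", k; rc = 1 }
            exit rc + 0
        }
    '
}

# Constructed samples standing in for `sshd -T` output.
weak_config() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}
hardened_config() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}

# On a live host (run as root so sshd can read its host keys):
#   sudo sshd -T | audit_sshd
echo "weak sample:";     weak_config | audit_sshd || echo "-> needs hardening"
echo "hardened sample:"; hardened_config | audit_sshd && echo "-> OK"
```

Confirm that key-based login works in a second session before turning password authentication off, so a mistake does not lock you out.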
Package details
Official homepage: https://www.openssh.org/portable.html
```bash
# package details (version, size, dependencies, etc.)
dnf info openssh-server
```
```
[lycos7560@DMT-RL01 ~]$ dnf info openssh-server
Rocky Linux 10 - BaseOS 7.7 MB/s | 14 MB 00:01
Rocky Linux 10 - AppStream 2.4 MB/s | 2.2 MB 00:00
Rocky Linux 10 - Extras 9.6 kB/s | 6.0 kB 00:00
Installed Packages
Name         : openssh-server
Version      : 9.9p1    # the installed version; use it to check whether known vulnerabilities (CVEs) affect this version
Release      : 12.el10_1.rocky.0.1    # el10 = build for RHEL/Rocky 10
Architecture : x86_64
Size         : 1.4 M
Source       : openssh-9.9p1-12.el10_1.rocky.0.1.src.rpm    # lets you trace which source RPM it was built from
Repository   : @System    # @System = package is already installed
From repo    : baseos    # baseos = installed from the official Rocky Linux repository; confirms a trusted source
Summary      : An open source SSH server daemon
URL          : http://www.openssh.com/portable.html
License      : BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND
             : X11-distribute-modifications-variant
Description  : OpenSSH is a free version of SSH (Secure SHell), a program for logging
             : into and executing commands on a remote machine. This package contains
             : the secure shell daemon (sshd). The sshd daemon allows SSH clients to
             : securely connect to your SSH server.
```
Checking the list of installed files
```bash
# list the files the package installs
dnf repoquery -l openssh-server | less
# in less: ↑/↓ or j/k to scroll, q to quit, /keyword to search
```
```
[lycos7560@DMT-RL01 ~]$ dnf repoquery -l openssh-server | less
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/ssh/sshd_config.d
/etc/ssh/sshd_config.d/40-redhat-crypto-policies.conf
/etc/ssh/sshd_config.d/50-redhat.conf
/etc/sysconfig/sshd
/usr/lib/.build-id
/usr/lib/.build-id/06
/usr/lib/.build-id/06/1c704bdb361c2e2c48c670468eafbc74b84927
/usr/lib/.build-id/57
/usr/lib/.build-id/57/9225214b8a13e39081dd8aa43fbd36e524f19c
/usr/lib/.build-id/9c
/usr/lib/.build-id/9c/f8143dfdfc74c6c9d0e90afd0ec92e8663c759
/usr/lib/systemd/system/ssh-host-keys-migration.service
/usr/lib/systemd/system/ssh-host-keys-migration.target
/usr/lib/systemd/system/sshd-keygen@.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd.socket
/usr/lib/systemd/system/sshd@.service
/usr/lib/sysusers.d/openssh-server.conf
/usr/libexec/openssh/sftp-server
/usr/libexec/openssh/ssh-host-keys-migration.sh
/usr/libexec/openssh/sshd-keygen
/usr/libexec/openssh/sshd-session
/usr/sbin/sshd
/usr/share/empty.sshd
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/lib/.ssh-host-keys-migration
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/ssh/sshd_config.d
/etc/ssh/sshd_config.d/40-redhat-crypto-policies.conf
/etc/ssh/sshd_config.d/50-redhat.conf
/etc/sysconfig/sshd
/usr/lib/.build-id
/usr/lib/.build-id/0e
/usr/lib/.build-id/0e/106f434f63522d0cbc3da80690094ec44ec56e
/usr/lib/.build-id/17
/usr/lib/.build-id/17/3d9a1c99482d77a79428b6d7779247b2f90e57
/usr/lib/.build-id/cf
/usr/lib/.build-id/cf/dde200fededbedd053eae13337cc9d3e8b0625
/usr/lib/systemd/system/ssh-host-keys-migration.service
/usr/lib/systemd/system/ssh-host-keys-migration.target
/usr/lib/systemd/system/sshd-keygen@.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd.socket
/usr/lib/systemd/system/sshd@.service
/usr/lib/sysusers.d/openssh-server.conf
/usr/libexec/openssh/sftp-server
/usr/libexec/openssh/ssh-host-keys-migration.sh
/usr/libexec/openssh/sshd-keygen
/usr/libexec/openssh/sshd-session
/usr/sbin/sshd
/usr/share/empty.sshd
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/lib/.ssh-host-keys-migration
(END)
```
Checking the dependency packages that get installed
```bash
# list the package's dependencies and the packages that provide them
dnf deplist openssh-server | less
```
[lycos7560@DMT-RL01 ~]$ dnf deplist openssh-server | less
package: openssh-server-9.9p1-11.el10.rocky.0.1.x86_64
dependency: /bin/sh
provider: bash-5.2.26-6.el10.x86_64
dependency: /usr/bin/bash
provider: bash-5.2.26-6.el10.x86_64
dependency: /usr/sbin/useradd
provider: shadow-utils-2:4.15.0-8.el10.x86_64
dependency: crypto-policies >= 20220824-1
provider: crypto-policies-20250905-2.gitc7eb7b2.el10_1.1.noarch
dependency: libaudit.so.1()(64bit)
provider: audit-libs-4.0.3-4.el10.x86_64
dependency: libc.so.6(GLIBC_2.38)(64bit)
provider: glibc-2.39-58.el10_1.7.x86_64
dependency: libcom_err.so.2()(64bit)
provider: libcom_err-1.47.1-4.el10.x86_64
dependency: libcrypt.so.2()(64bit)
provider: libxcrypt-4.4.36-10.el10.x86_64
dependency: libcrypt.so.2(XCRYPT_2.0)(64bit)
provider: libxcrypt-4.4.36-10.el10.x86_64
dependency: libcrypto.so.3()(64bit)
provider: openssl-libs-1:3.5.1-7.el10_1.x86_64
dependency: libcrypto.so.3(OPENSSL_3.0.0)(64bit)
provider: openssl-libs-1:3.5.1-7.el10_1.x86_64
dependency: libgssapi_krb5.so.2()(64bit)
provider: krb5-libs-1.21.3-8.el10_0.x86_64
dependency: libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit)
provider: krb5-libs-1.21.3-8.el10_0.x86_64
dependency: libkrb5.so.3()(64bit)
provider: krb5-libs-1.21.3-8.el10_0.x86_64
dependency: libkrb5.so.3(krb5_3_MIT)(64bit)
provider: krb5-libs-1.21.3-8.el10_0.x86_64
dependency: libpam.so.0()(64bit)
provider: pam-libs-1.6.1-8.el10.x86_64
dependency: libpam.so.0(LIBPAM_1.0)(64bit)
provider: pam-libs-1.6.1-8.el10.x86_64
dependency: libselinux.so.1()(64bit)
provider: libselinux-3.9-1.el10.x86_64
dependency: libselinux.so.1(LIBSELINUX_1.0)(64bit)
provider: libselinux-3.9-1.el10.x86_64
dependency: libz.so.1()(64bit)
provider: zlib-ng-compat-2.2.3-3.el10_1.x86_64
dependency: openssh = 9.9p1-11.el10.rocky.0.1
provider: openssh-9.9p1-11.el10.rocky.0.1.x86_64
dependency: pam >= 1.0.1-3
provider: pam-1.6.1-8.el10.x86_64
dependency: rtld(GNU_HASH)
provider: glibc-2.39-58.el10_1.7.x86_64
dependency: systemd
provider: systemd-257-13.el10.rocky.0.1.x86_64
package: openssh-server-9.9p1-12.el10_1.rocky.0.1.x86_64
dependency: /bin/sh
provider: bash-5.2.26-6.el10.x86_64
dependency: /usr/bin/bash
provider: bash-5.2.26-6.el10.x86_64
dependency: /usr/sbin/useradd
provider: shadow-utils-2:4.15.0-8.el10.x86_64
dependency: crypto-policies >= 20220824-1
provider: crypto-policies-20250905-2.gitc7eb7b2.el10_1.1.noarch
dependency: libaudit.so.1()(64bit)
provider: audit-libs-4.0.3-4.el10.x86_64
dependency: libc.so.6(GLIBC_2.38)(64bit)
provider: glibc-2.39-58.el10_1.7.x86_64
dependency: libcom_err.so.2()(64bit)
provider: libcom_err-1.47.1-4.el10.x86_64
dependency: libcrypt.so.2()(64bit)
provider: libxcrypt-4.4.36-10.el10.x86_64
dependency: libcrypt.so.2(XCRYPT_2.0)(64bit)
provider: libxcrypt-4.4.36-10.el10.x86_64
dependency: libcrypto.so.3()(64bit)
provider: openssl-libs-1:3.5.1-7.el10_1.x86_64
dependency: libcrypto.so.3(OPENSSL_3.0.0)(64bit)
provider: openssl-libs-1:3.5.1-7.el10_1.x86_64
dependency: libgssapi_krb5.so.2()(64bit)
provider: krb5-libs-1.21.3-8.el10_0.x86_64
dependency: libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit)
provider: krb5-libs-1.21.3-8.el10_0.x86_64
dependency: libkrb5.so.3()(64bit)
provider: krb5-libs-1.21.3-8.el10_0.x86_64
dependency: libkrb5.so.3(krb5_3_MIT)(64bit)
provider: krb5-libs-1.21.3-8.el10_0.x86_64
dependency: libpam.so.0()(64bit)
provider: pam-libs-1.6.1-8.el10.x86_64
dependency: libpam.so.0(LIBPAM_1.0)(64bit)
provider: pam-libs-1.6.1-8.el10.x86_64
dependency: libselinux.so.1()(64bit)
provider: libselinux-3.9-1.el10.x86_64
dependency: libselinux.so.1(LIBSELINUX_1.0)(64bit)
provider: libselinux-3.9-1.el10.x86_64
dependency: libz.so.1()(64bit)
provider: zlib-ng-compat-2.2.3-3.el10_1.x86_64
dependency: openssh = 9.9p1-12.el10_1.rocky.0.1
provider: openssh-9.9p1-12.el10_1.rocky.0.1.x86_64
dependency: pam >= 1.0.1-3
provider: pam-1.6.1-8.el10.x86_64
dependency: rtld(GNU_HASH)
provider: glibc-2.39-58.el10_1.7.x86_64
dependency: systemd
provider: systemd-257-13.el10.rocky.0.1.x86_64
(END)




