Creating Keys

Here are my basic instructions for generating SSH keys and setting them up with a server.
Generate your keys:
ssh-keygen -f ~/.ssh/id_rsa -b 4096 -C "my ssh keys for homelab jumpbox" -P ''
-C > add a comment optional.
-P '' > Set password to blank optionaly insert a password intbewtween the quotes.

Ensure the SSH agent is started:
eval "$(ssh-agent -s) Should return the pid of the agent e.g.:
>Agent pid 12345

Add your keys (replace id_rsa with file name of your ssh keys):
ssh-add ~/.ssh/id_rsa

Add your keys to the remote server:
ssh-copy-id -i ~/path/to/ssh/public_key USER@IP_ADDRESS

Now you can log in to the remote device using your SSH keys with:
ssh user@IP_ADDRESS

Useful command to remove a host from your “known_hosts” file, replacing the home directory and host with those specific to your setup:
ssh-keygen -f "/home/user/.ssh/known_hosts" -R ""

If you want to add the public key to github. Go to:
Settings > SSH and GPG Lyes > New SSH Key Paste in your SSH public key and give it an appropriate name and description, your good to go.

Enabling SSH Server

Install Open SSH:
sudo dnf install openssh-server

Enable the sshd service:
sudo systemctl start sshd

Check the status:
sudo systemctl status sshd

Check that the port is now available for connections (ss is a socket information tool):
ss ss -lt

Change Port

To change the default port under Fedora Linux, and in any other Linux distribution for that matter, requires a change to the default port option in /etc/ssh/sshd_config to the port number you want to use.
Edit the configuration file manually and change the line # Port 22 to Port 2222 as an example.

Here is a sed command to automate this step:
sed -i -e 's/^#?Port 22/Port 2222/g' /etc/ssh/sshd_config

You should also change the port assignment in systemd socket (only some platforms.) Run the following command to determine if you’ve to do this on your Linux distribution, if the files exists an editor will open (skip this if the a message says the file doesn’t exist:
systemctl edit sshd.socket

Add the following lines into the Socketsection (the line without a value removes any previous port number assignments):


Fedora will also need SE Linux and FirewallD permission and rules changing.

SELinux will by default expect incoming SSH connections to go over port 22, this policy will be adopted to allow traffic on the new port.
THis is done with the semanagecommand, the first command adds the new port to the existing ssh_port_t policy, the second one verifies that it is now present:
semanage port -a -t ssh_port_t -p tcp 722
semanage port -l | grep ssh_port_t

Then use the firewall-cmd to add the specific port and remove port 22 from the firewall polices for SSH.
Add the new port:
firewall-cmd --permanent --service="ssh" --add-port "722/tcp"

Reload the firewall:
firewall-cmd --reload
Reload SSH daemon:
systemctl reload sshd

Now reconnect to the server on the new port to ensure that all is functioning as desired, if it is you can then remove port 22 from the firewall rules:
firewall-cmd --permanent --service="ssh" --remove-port "22/tcp"
firewall-cmd --reload


OPNsesnse NAT Port forward rule

Create a rule with the following parameters assigned (changing the ports to appropriate outside and inside target port numbers):

Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP
Destination: WAN Address
Destination port range: SSH
Redirect target IP:
Description: SSH Access
Filter Rule Association: Pass

Don’t forget the Filter Rule Association as I spent and age once trying to work out why a NAT rule wasn’t working and I hadn’t set this to pass.

Disabling Password Based Authentication

Before you do this ensure your SSH keys are backed up or you have multiple set up so if a machine dies you can still get to the server.

Edit the /etc/ssh/sshd_config file and cchange the following line:
PasswordAuthentication yes
PasswordAuthentication no

Restart the SSH daemon:
sudo systemctl restart sshd