
This tutorial explains how to configure SSH Server and SSH client in Linux step by step with examples.

RHCE Exam objective covered in this tutorial

  • Configure key-based SSH authentication.
  • Configure additional SSH options described in documentation.

As a Linux administrator you should know

  • SSH stands for Secure Shell.
  • SSH is a network protocol for secure data communication.
  • The SSH protocol allows remote command-line login.
  • The SSH protocol enables remote command execution.
  • To use SSH you need to deploy an SSH server and an SSH client program respectively.
  • OpenSSH is a free version of SSH.
  • Telnet, rlogin, and ftp transmit unencrypted data over the internet.
  • OpenSSH encrypts data before sending it over an insecure network like the internet.
  • OpenSSH effectively eliminates eavesdropping, connection hijacking, and other attacks.
  • OpenSSH provides secure tunneling and several authentication methods.
  • OpenSSH replaces Telnet and rlogin with ssh, rcp with scp, and ftp with sftp.

SSH Tools

For the RHCE exam you should know the following SSH tools.

sshd

The daemon that implements the SSH server. By default it listens on TCP port 22.

ssh

The ssh (Secure Shell) command is a secure way to log in to an SSH server system and execute commands on it.

scp

The Secure Copy command is a secure way to transfer files between computers, using the public/private key encryption method.

ssh-keygen

This utility is used to create the public/private keys.

ssh-agent

This utility holds private keys used for RSA authentication.

ssh-add

Adds RSA identities to the authentication agent ssh-agent.

Labs exercises

  • Configure an SSH server and an SSH client on RHEL 6.
  • Create two users, user1 and user2, and verify that both users can log in to the SSH server from the SSH client.
  • Do not allow the root and user1 users to log in, but allow the rest of the users. Confirm it by logging in as user2.
  • Re-configure the SSH server to allow login only using public/private keys. Generate keys for user2 and verify that user2 can log in using keys.
  • Change the default SSH port to 2223.

In this tutorial I will use two systems from our lab environment, Server and linuxclient. I will configure the OpenSSH server on the Server system and the OpenSSH client on the linuxclient system. If you want to check the network topology used in this article, see the following article: Lab set up for RHCE 6 practice.

LAB Exercise solutions

Configure an SSH server and an SSH client on RHEL 6.

How to configure the SSH server on RHEL 6

Two RPM packages are required to configure and run the OpenSSH server.

  • openssh-server
  • openssh

Before you start the configuration, make sure that the necessary RPM packages are installed. Install any RPM that is missing.

[screenshot: rpm -qa on Server]

Check the current status of the sshd service; it must be running. If the service is stopped, start it. The options you need with the service command are start | stop | restart | status.

[screenshot: service sshd status on Server]

Configure it to start when the system boots.

[screenshot: chkconfig sshd on Server]

The IP address of the OpenSSH server is required; note it down.

[screenshot: ifconfig eth0 on Server]

In the RHCE exam you need to configure a firewall to either block or allow network communication through one or more ports. So if you have configured a firewall, you have to allow SSH through it.

[screenshot: iptables rule for SSH on Server]

That is all the setup we need on the server.

How to configure the SSH client on RHEL 6

The openssh-clients RPM is required for the SSH client.

Check the necessary RPM packages; install any that are missing.

[screenshot: rpm -qa on linuxclient]

Check the sshd service status; it must be running. Start it if it is off.

[screenshot: service sshd status on linuxclient]

Configure the sshd service to start at boot time.

[screenshot: enable sshd at boot on linuxclient]

Check connectivity to the SSH server.

[screenshot: ping Server from linuxclient]

That's all the setup we need on the client system.

Create two users, user1 and user2, and verify that both users can log in to the SSH server from the SSH client.

Go to the server and create two users, user1 and user2.

[screenshot: useradd on Server]

Open the main configuration file, sshd_config.

[screenshot: vi /etc/ssh/sshd_config]

Check the value of the PasswordAuthentication directive. In order to accept password-based authentication for local users it must be set to yes. Set it to yes if it is set to no, and save the file.

[screenshot: PasswordAuthentication yes]

Restart the service if you have made any change in sshd_config.

[screenshot: service sshd restart]

Go to the linuxclient system and verify that both users can log in to the SSH server. Also verify from the root user.

[screenshot: ssh login from linuxclient]

Do not allow the root and user1 users to log in, but allow the rest of the users. Confirm it by logging in as user2.

User and Host Based Security

The following additional directives can be added to the /etc/ssh/sshd_config file in order to make the SSH server more restrictive.

Block empty passwords.

PermitEmptyPasswords no

Block the root user from logging on to the system using ssh.

PermitRootLogin no

Limit the users allowed to access a system via SSH. In this case only the users 'laxmi' and 'vinita' are allowed to log in to the system using SSH.

AllowUsers laxmi vinita

Make it more restrictive by adding a node address to the user name. In the following case only the users 'laxmi' and 'vinita', connecting from the node 192.168.1.10, are allowed to log in through SSH.

AllowUsers laxmi@192.168.1.10 vinita@192.168.1.10

In addition you can deny access to specific users. In this case all users except 'user1' are allowed to connect to the SSH server.

DenyUsers user1
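As an added example (not part of the original tutorial), the following shell script reproduces the order in which sshd evaluates these two directives, DenyUsers first and then AllowUsers, so you can predict who gets in before restarting the service. The function names ssh_user_allowed and match_user_pattern are my own; the host part of a user@host pattern is matched against the client IP address only, AllowGroups/DenyGroups and Match blocks are not modelled, and the config fragment at the bottom is constructed from the directives above.

```shell
#!/bin/sh
# Decide whether USER connecting from ADDR passes the DenyUsers/AllowUsers
# checks in CONFIG. sshd evaluates DenyUsers first (any match denies), then
# AllowUsers (when present, at least one pattern must match). Added example,
# not from the tutorial; AllowGroups/DenyGroups and Match blocks are ignored.
set -f   # patterns such as '*' must not expand to file names
ssh_user_allowed() {
    config=$1 user=$2 addr=$3
    # Keywords are case-insensitive; commented lines start with '#' so their
    # first field never equals the bare keyword.
    deny=$(awk 'tolower($1)=="denyusers"  { for (i = 2; i <= NF; i++) print $i }' "$config")
    allow=$(awk 'tolower($1)=="allowusers" { for (i = 2; i <= NF; i++) print $i }' "$config")
    for pat in $deny; do
        match_user_pattern "$pat" "$user" "$addr" && return 1
    done
    [ -z "$allow" ] && return 0   # no AllowUsers: everyone not denied gets in
    for pat in $allow; do
        match_user_pattern "$pat" "$user" "$addr" && return 0
    done
    return 1                      # AllowUsers present and nothing matched
}

# Match one USER or USER@HOST pattern. Shell case patterns provide the same
# '*' and '?' wildcards sshd uses; the host part is compared with the client
# address only (sshd also tries the resolved host name).
match_user_pattern() {
    pat=$1 user=$2 addr=$3
    case $pat in
        *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;
        *)   upat=$pat; hpat='*' ;;
    esac
    case $user in $upat) ;; *) return 1 ;; esac
    case $addr in $hpat) return 0 ;; *) return 1 ;; esac
}

# Constructed sshd_config fragment using the tutorial's directives.
demo=$(mktemp)
printf '%s\n' 'DenyUsers user1' \
    'AllowUsers laxmi@192.168.1.10 vinita@192.168.1.10 user2' > "$demo"
for who in user2@10.0.0.5 laxmi@192.168.1.10 laxmi@10.0.0.5 user1@192.168.1.10; do
    if ssh_user_allowed "$demo" "${who%%@*}" "${who#*@}"; then
        echo "$who: allowed"
    else
        echo "$who: denied"
    fi
done
rm -f "$demo"
```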

Go back to the server and open the main configuration file again.

[screenshot: vi /etc/ssh/sshd_config]

At the end of the file add the following directives and save the file.

PermitRootLogin no
DenyUsers user1

[screenshot: PermitRootLogin no and DenyUsers user1 added on Server]

Restart the sshd service.

[screenshot: service sshd restart]

Go back to the linuxclient system and verify that we have blocked user1 and root. Also verify that user2 is able to log in to the SSH server.

[screenshot: root and user1 blocked, user2 login from linuxclient]

Re-configure the SSH server to allow login only using public/private keys. Generate keys for user2 and verify that user2 can log in using keys.

To make a Linux server more secure, Linux administrators usually disable password authentication on the SSH server and allow only public/private key authentication.

Private Keys

Private keys are stored on the server and must be secured. Anything encrypted with a public key can only be decrypted with the paired private key. So a private key must be accessible only to the user who owns it, in the .ssh subdirectory of that user's home directory.

Public Keys

Public keys are publicly available. Public keys are required to connect to the server. The public keys for SSH servers belong on administrative workstations.

Go back to the server and open the main configuration file again.

[screenshot: vi /etc/ssh/sshd_config]

Uncomment the following directives and save the file.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

[screenshot: RSAAuthentication and PubkeyAuthentication enabled on Server]

Restart the sshd service.

[screenshot: service sshd restart]

Log in as user2 and create a .ssh directory with permission 755.

[screenshot: mkdir .ssh on Server]

Come back to the linuxclient system and create a normal user account, user2.

[screenshot: useradd user2 on linuxclient]

Log in as user2 and create a .ssh directory with permission 755.

[screenshot: mkdir .ssh on linuxclient]

Generate the public/private key pair. Accept the default location for the key file.

[screenshot: ssh-keygen, accept default location]

Enter the passphrase 'I love linux' and confirm it.

[screenshot: ssh-keygen passphrase on linuxclient]

The public key is stored in /home/user2/.ssh/id_rsa.pub. Create a copy of the public key named authorized_keys.

[screenshot: authorized_keys created on linuxclient]

Copy the authorized_keys file to the server as /home/user2/.ssh/authorized_keys. Enter the password of user2 (the user account on the server) when asked.

[screenshot: scp authorized_keys to Server]

On the server, verify that the public key was copied successfully. Also set the permissions of authorized_keys to 644.

[screenshot: chmod 644 authorized_keys on Server]
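sshd only honours authorized_keys when its StrictModes check (on by default) passes: the home directory, ~/.ssh and authorized_keys must not be group- or world-writable, which the 755 and 644 modes used above satisfy, and ssh refuses a private key that other users can read. The check below is an added example, not from the tutorial; check_ssh_perms is my own function name, it relies on GNU stat as found on Linux, and it runs against a constructed home directory laid out the way the steps above leave it.

```shell
#!/bin/sh
# Verify the permission layout sshd's StrictModes and ssh's private-key
# check expect under HOME. Prints each problem found; returns 0 when all
# is well, 1 otherwise. Added example, not from the tutorial. Uses GNU
# stat (Linux); the modes compared against are the ones sshd/ssh enforce.
check_ssh_perms() {
    home=$1 rc=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        mode=$(stat -c %a "$f")
        # last two octal digits are group and other; 2,3,6,7 carry the write bit
        case $mode in
            *[2367][0-7]) echo "group-writable ($mode): $f"; rc=1 ;;
            *[2367])      echo "world-writable ($mode): $f"; rc=1 ;;
        esac
    done
    key=$home/.ssh/id_rsa
    if [ -e "$key" ]; then
        case $(stat -c %a "$key") in
            600|400) ;;
            *) echo "private key readable by others: $key"; rc=1 ;;
        esac
    fi
    return $rc
}

# Build a constructed home directory laid out as the tutorial does.
demo=$(mktemp -d)
mkdir -m 755 "$demo/.ssh"
touch "$demo/.ssh/authorized_keys"; chmod 644 "$demo/.ssh/authorized_keys"
touch "$demo/.ssh/id_rsa"; chmod 600 "$demo/.ssh/id_rsa"
check_ssh_perms "$demo" && echo "$demo: ok"
chmod 664 "$demo/.ssh/authorized_keys"     # a common mistake
check_ssh_perms "$demo" || echo "$demo: key login would be refused"
rm -rf "$demo"
```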

Log in as root on the server and open the sshd_config file.

[screenshot: vi /etc/ssh/sshd_config]

Set the PasswordAuthentication directive to no and save the file. This will block login using a password.

[screenshot: PasswordAuthentication no]

Restart the sshd service.

[screenshot: service sshd restart]

Come back to the linuxclient system.

Log out from user2 and log in again.

Now try to log in to the server as user2 from linuxclient. Enter the passphrase 'I love linux'.

[screenshot: key-based login succeeds for user2 from linuxclient]

Change the default SSH port to 2223

Go to the server and open the sshd_config file again.

[screenshot: vi /etc/ssh/sshd_config]

Uncomment the following directive and change its value to 2223.

#Port 22

[screenshot: Port 2223 on Server]

Restart the sshd service.

[screenshot: service sshd restart]

Go back to the linuxclient system and try to connect on the default port.

[screenshot: connecting on the default port from linuxclient]

Now specify the new port.

[screenshot: connection accepted on the new port]
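To confirm the end state of the last three exercises (root blocked, password login off, key login on, port moved to 2223) before trusting a restart, here is an added audit script that is not part of the tutorial; sshd_effective and audit_sshd are my own names. It reproduces one sshd_config rule that catches people who append directives at the end of the file as done above: sshd keeps the first uncommented occurrence of a keyword, so a later PermitRootLogin no is ignored if an earlier line already sets it. The defaults applied when a keyword is absent are the stock RHEL 6 sshd_config values; Match blocks are not modelled and the config fed to it at the bottom is constructed.

```shell
#!/bin/sh
# Report the value sshd will use for KEYWORD in CONFIG, or DEFAULT when the
# keyword is not set. sshd keeps the FIRST uncommented occurrence, so this
# stops at the first match instead of grepping for the last one. Keywords
# are case-insensitive; '#Keyword' comment lines never match.
# Added example, not from the tutorial; Match blocks are not modelled.
sshd_effective() {
    file=$1 key=$(printf '%s' "$2" | tr 'A-Z' 'a-z') default=$3
    v=$(awk -v k="$key" 'tolower($1)==k { $1=""; sub(/^[ \t]+/, ""); print; exit }' "$file")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$default"; fi
}

# Check CONFIG for the end state of the tutorial's exercises: root blocked,
# password login off, key login on, port moved to 2223. Prints one FAIL line
# per deviation and returns 1 if there was any.
audit_sshd() {
    cfg=$1 rc=0
    # "keyword expected stock-default" (defaults as in the RHEL 6 sshd_config)
    for spec in "PermitRootLogin no yes" \
                "PasswordAuthentication no yes" \
                "PermitEmptyPasswords no no" \
                "PubkeyAuthentication yes yes" \
                "Port 2223 22"; do
        set -- $spec
        got=$(sshd_effective "$cfg" "$1" "$3")
        if [ "$got" != "$2" ]; then
            echo "FAIL: $1 is '$got', expected '$2'"; rc=1
        fi
    done
    return $rc
}

# Constructed config: PermitRootLogin no was appended at the end, as in the
# tutorial, but an earlier uncommented line already says yes.
demo=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' '#Port 22' 'Port 2223' \
    'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'PermitRootLogin no' > "$demo"
audit_sshd "$demo" || echo "fix the first PermitRootLogin line, not the last"
rm -f "$demo"
```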

SSH Configuration files

There are two different sets of configuration files

  • System-wide SSH configuration :- stored in the /etc/ssh/ directory
  • User-specific SSH configuration :- stored in ~/.ssh/ within the user's home directory

System-wide configuration files

File                            Description
/etc/ssh/ssh_config             The default SSH client configuration file.
/etc/ssh/sshd_config            The configuration file for the sshd daemon.
/etc/ssh/ssh_host_dsa_key       The DSA private key used by the sshd daemon.
/etc/ssh/ssh_host_dsa_key.pub   The DSA public key used by the sshd daemon.
/etc/ssh/ssh_host_key           The RSA private key used by the sshd daemon for version 1 of the SSH protocol.
/etc/ssh/ssh_host_key.pub       The RSA public key used by the sshd daemon for version 1 of the SSH protocol.
/etc/ssh/ssh_host_rsa_key       The RSA private key used by the sshd daemon for version 2 of the SSH protocol.
/etc/ssh/ssh_host_rsa_key.pub   The RSA public key used by the sshd daemon for version 2 of the SSH protocol.

User-specific configuration files

File                            Description
~/.ssh/authorized_keys          Holds a list of authorized public keys for servers.
~/.ssh/id_dsa                   Contains the DSA private key of the user.
~/.ssh/id_dsa.pub               The DSA public key of the user.
~/.ssh/id_rsa                   The RSA private key used by ssh for version 2 of the SSH protocol.
~/.ssh/id_rsa.pub               The RSA public key used by ssh for version 2 of the SSH protocol.
~/.ssh/identity                 The RSA private key used by ssh for version 1 of the SSH protocol.
~/.ssh/identity.pub             The RSA public key used by ssh for version 1 of the SSH protocol.
~/.ssh/known_hosts              Contains DSA host keys of SSH servers accessed by the user.