This tutorial explains how to configure and manage SSH Server and SSH Client in Linux step by step with practical examples. Learn how to install, enable and start SSH Server and SSH client; generate SSH public keys and SSH private keys for key based authentication and configure User and Host Based Security in detail.
As a Linux administrator you should know:
- SSH stands for Secure Shell.
- SSH is a network protocol for secure data communication.
- The SSH protocol allows remote command line login.
- The SSH protocol enables remote command execution.
- To use SSH you need to deploy an SSH server program and an SSH client program on the respective systems.
- OpenSSH is a free implementation of SSH.
- Telnet, rlogin, and ftp transmit unencrypted data over the internet.
- OpenSSH encrypts data before sending it over an insecure network like the internet.
- OpenSSH effectively eliminates eavesdropping, connection hijacking, and other attacks.
- OpenSSH provides secure tunneling and several authentication methods.
- OpenSSH replaces Telnet and rlogin with ssh, rcp with scp, and ftp with sftp.
SSH Tools
For the RHCE exam you should know the following SSH tools:
sshd
The daemon that implements the SSH server. By default it listens on TCP port 22.
ssh
The ssh (Secure Shell) command is a secure way to log in to and execute commands on an SSH server system.
scp
The Secure Copy command is a secure way to transfer files between computers using the public/private key encryption method.
ssh-keygen
This utility is used to create the public/private key pairs.
ssh-agent
This utility holds private keys used for RSA authentication.
ssh-add
Adds RSA identities to the authentication agent ssh-agent.
Lab exercises
- Configure an SSH server and SSH client on RHEL.
- Create two users, user1 and user2, and verify that both users can log in to the SSH server from the SSH client.
- Do not allow root and user1 to log in, while allowing the rest of the users. Confirm it by logging in as user2.
- Re-configure the SSH server to allow login only using public/private keys. Generate keys for user2 and verify that user2 can log in using keys.
- Change the default SSH port to 2223.
In this tutorial I will use two systems, Server and linuxclient, from our lab environment. I will configure the OpenSSH server on the Server system and the OpenSSH client on the linuxclient system. If you want to check the network topology used in this article, see the article "Lab set up for RHEL practice".
Lab exercise solutions
Configure an SSH server and SSH client on RHEL 6
How to configure SSH Server in RHEL
Two RPMs are required to configure and run the OpenSSH server:
- openssh-server
- openssh
Before you start the configuration, make sure that you have the necessary RPM packages installed. Install any RPM that is missing.
Check the current status of the sshd service; it must be running. If the service is stopped, start it. The options you need with the service command are start | stop | restart | status.
Configure it to start when the system is booted.
The IP address of the OpenSSH server is required; note it down.
In the RHCE exam you need to configure a firewall to either block or allow network communication through one or more ports. So if you have configured a firewall, you have to allow SSH through it.
That's all the setting we need on the server.
How to configure SSH client on RHEL 6
The openssh-clients RPM is required for the SSH client.
Check the necessary RPMs and install any that are missing.
Check the sshd service status; it must be running. Start it if it is off.
Configure the sshd service to start at boot time.
Check connectivity from the SSH server.
That's all the setting we need on the client system.
Create two users, user1 and user2, and verify that both users can log in to the SSH server from the SSH client.
Go to the server and create the two users, user1 and user2.
Open the main configuration file, sshd_config.
Check the value of the PasswordAuthentication directive. In order to accept local user password-based authentication it must be set to yes. Set it to yes if it is set to no and save the file.
Restart the service if you have made any change in sshd_config.
Go to the linuxclient system and verify that both users can log in to the SSH server. Also verify from the root user.
Do not allow root and user1 to log in, while allowing the rest of the users. Confirm it by logging in as user2.
User and Host Based Security
The following additional directives can be added to the /etc/ssh/sshd_config file in order to make the SSH server more restrictive.
Block empty passwords:
PermitEmptyPasswords no
Block the root user from logging on to the system using SSH:
PermitRootLogin no
Limit the users allowed to access a system via SSH. In this case only the users 'laxmi' and 'vinita' are allowed to log in to the system using SSH:
AllowUsers laxmi vinita
Make it more restrictive by adding the node address to the user name. In the following case only the users 'laxmi' and 'vinita' are allowed to log in through SSH, and only from the node 192.168.1.10:
AllowUsers laxmi@192.168.1.10 vinita@192.168.1.10
In addition you can deny access to specific users. In this case all users except 'user1' are allowed to connect to the SSH server:
DenyUsers user1
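The way sshd combines these directives is easy to get wrong, so here is an added example (not code from the tutorial) that replays the decision for a constructed config built from the directives above: DenyUsers is checked first, and once an AllowUsers line exists only the listed users get in. The function names, the sample config and the assumption that the client host is compared as a plain address string are all mine.

```shell
#!/bin/sh
# Added example (not code from the tutorial): reproduce the decision sshd makes
# from its DenyUsers and AllowUsers lines. DenyUsers is checked first; once any
# AllowUsers line exists, only the users it lists are admitted. Each entry is
# NAME or NAME@HOST, and both halves may use the wildcards * and ?.
# Assumption: HOST is compared as the plain address string sshd would see.

_pattern_covers() {      # PATTERN USER HOST -> 0 if PATTERN matches USER@HOST
    case $1 in
        *@*) upat=${1%%@*}; hpat=${1#*@} ;;
        *)   upat=$1;        hpat='*'    ;;   # no host part: any source host
    esac
    case $2 in $upat) ;; *) return 1 ;; esac
    case $3 in $hpat) return 0 ;; *) return 1 ;; esac
}

_decide() {              # CONFIG USER HOST (run with pathname globbing off)
    for pat in $(awk 'tolower($1)=="denyusers"{for(i=2;i<=NF;i++)print $i}' "$1"); do
        _pattern_covers "$pat" "$2" "$3" && return 1   # listed in DenyUsers: refused
    done
    allow=$(awk 'tolower($1)=="allowusers"{for(i=2;i<=NF;i++)print $i}' "$1")
    [ -z "$allow" ] && return 0                        # no AllowUsers: everyone else admitted
    for pat in $allow; do
        _pattern_covers "$pat" "$2" "$3" && return 0   # listed in AllowUsers: admitted
    done
    return 1                                           # AllowUsers present, not listed
}

ssh_user_allowed() {     # usage: ssh_user_allowed CONFIG USER HOST
    ( set -f; _decide "$@" )                           # set -f keeps * from matching files
}

# Constructed sample config made of the directives shown above.
CFG=$(mktemp)
cat >"$CFG" <<'EOF'
PermitRootLogin no
DenyUsers user1
AllowUsers laxmi@192.168.1.10 vinita@192.168.1.10 user2
EOF

for who in laxmi@192.168.1.10 laxmi@192.168.1.20 user1@192.168.1.10 user2@10.0.0.7; do
    if ssh_user_allowed "$CFG" "${who%@*}" "${who#*@}"; then
        echo "$who: allowed"
    else
        echo "$who: refused"
    fi
done
```

Note that PermitRootLogin is not modelled here; with the sample config root is refused simply because an AllowUsers list exists and does not name root.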
Go back to the server and open the main configuration file again.
At the end of the file add the following directives and save the file:
PermitRootLogin no
DenyUsers user1
Restart the sshd service.
Go back to the linuxclient system and verify that we have blocked user1 and root. Also verify that user2 is able to log in to the SSH server.
Re-configure the SSH server to allow login only using public/private keys. Generate keys for user2 and verify that user2 can log in using keys.
To make a Linux server more secure, Linux administrators usually disable password authentication on the SSH server and allow only public/private key authentication.
Private Keys
Private keys are stored on the server and must be secured. Anything encrypted with a public key can only be decrypted with the paired private key. So the private key must be accessible only to the user who owns it, in the .ssh subdirectory of that user's home directory.
Public Keys
Public keys are publicly available. Public keys are required to connect to the server. The public keys for SSH servers belong on administrative workstations.
Go back to the server and open the main configuration file again.
Uncomment the following directives and save the file:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Restart the sshd service.
Log in as user2 and create a .ssh directory with permission 755.
Come back to the linuxclient system and create a normal user account, user2.
Log in as user2 and create a .ssh directory with permission 755.
Generate the public/private key pair. Accept the default location for the key file.
Enter the passphrase 'I love linux' and confirm it.
The public key is stored in /home/user2/.ssh/id_rsa.pub. Create a copy of the public key named authorized_keys.
Copy the authorized_keys file to the server as /home/user2/.ssh/authorized_keys. Enter the password of user2 [the user account on the server] when asked.
On the server, verify that the public key has been copied successfully. Also set permission 644 on authorized_keys.
Log in as root on the server and open the sshd_config file.
Set the PasswordAuthentication directive to no and save the file. This will block login using passwords.
Restart the sshd service.
Come back to the linuxclient system.
Log out from user2 and log back in.
Now try to log in to the server as user2 from linuxclient. Enter the passphrase 'I love linux'.
Come to the server and open the sshd_config file again.
Uncomment the following directive and change its value to 2223:
#port 22
Restart the sshd service.
Go back to the linuxclient system and try to connect on the default port.
Now specify the new port.
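To check that a server really ended up in the state the last two exercises aim for, here is an added audit script (not code from the tutorial). It reads an sshd_config and a user's home directory, reports every directive that still has the pre-hardening value, and checks the StrictModes rule that the 755/644 permissions above satisfy (neither ~/.ssh nor authorized_keys may be group- or world-writable). The function names, the two constructed configs and the placeholder key line are mine; unset directives are assumed to fall back to the OpenSSH defaults shipped with RHEL 6.

```shell
#!/bin/sh
# Added example (not code from the tutorial): audit whether a host ended up in
# the state the exercises above aim for (password logins off, key logins on,
# root blocked, sshd moved off port 22) and whether ~/.ssh and authorized_keys
# satisfy sshd's StrictModes rule, which rejects keys when either is group- or
# world-writable. Assumption: settings the file leaves unset fall back to the
# OpenSSH defaults shipped with RHEL 6.

_setting() {   # CONFIG KEY DEFAULT -> effective value; sshd honours the first occurrence
    v=$(awk -v k="$2" 'tolower($1)==k {print $2; exit}' "$1"); echo "${v:-$3}"
}
_safe_mode() { # PATH -> 0 unless missing or writable by group/others (ls -l columns 6 and 9)
    [ -e "$1" ] && case $(ls -ld "$1" | cut -c6,9) in *w*) return 1 ;; *) return 0 ;; esac
}
audit_sshd() { # usage: audit_sshd CONFIG HOME ; prints each finding, returns their count
    n=0; _f() { echo "FINDING: $1"; n=$((n + 1)); }
    [ "$(_setting "$1" passwordauthentication yes)" = no ] || _f "password logins still enabled"
    [ "$(_setting "$1" pubkeyauthentication yes)" = yes ]  || _f "public key logins disabled"
    [ "$(_setting "$1" permitrootlogin yes)" = no ]        || _f "root may log in over ssh"
    [ "$(_setting "$1" permitemptypasswords no)" = no ]    || _f "empty passwords accepted"
    [ "$(_setting "$1" port 22)" != 22 ]                   || _f "sshd still on default port 22"
    _safe_mode "$2/.ssh"                 || _f "$2/.ssh missing or group/world writable"
    _safe_mode "$2/.ssh/authorized_keys" || _f "$2/.ssh/authorized_keys missing or group/world writable"
    return $n
}

# Constructed sample data: a stock config, the config the walkthrough ends with,
# and user2's home laid out as the exercise leaves it (.ssh 755, authorized_keys 644).
WORK=$(mktemp -d)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' >"$WORK/sshd_config.before"
cat >"$WORK/sshd_config.after" <<'EOF'
Port 2223
PermitRootLogin no
DenyUsers user1
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
EOF
mkdir -p "$WORK/user2" && mkdir -m 755 "$WORK/user2/.ssh"
echo "ssh-rsa PLACEHOLDER_KEY_MATERIAL user2@linuxclient" >"$WORK/user2/.ssh/authorized_keys"
chmod 644 "$WORK/user2/.ssh/authorized_keys"

echo "== before hardening =="; audit_sshd "$WORK/sshd_config.before" "$WORK/user2" || echo "$? finding(s)"
echo "== after hardening =="; audit_sshd "$WORK/sshd_config.after" "$WORK/user2" && echo "no findings"
```

On a real host run it as audit_sshd /etc/ssh/sshd_config /home/user2 after the sshd restart; a non-zero exit code is the number of items still to fix.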
SSH Configuration files
There are two different sets of configuration files:
- System-wide SSH configuration: stored in the /etc/ssh/ directory
- User-specific SSH configuration: stored in ~/.ssh/ within the user's home directory
System-wide configuration files

| File | Description |
|------|-------------|
| /etc/ssh/ssh_config | The default SSH client configuration file. |
| /etc/ssh/sshd_config | The configuration file for the sshd daemon. |
| /etc/ssh/ssh_host_dsa_key | The DSA private key used by the sshd daemon. |
| /etc/ssh/ssh_host_dsa_key.pub | The DSA public key used by the sshd daemon. |
| /etc/ssh/ssh_host_key | The RSA private key used by the sshd daemon for version 1 of the SSH protocol. |
| /etc/ssh/ssh_host_key.pub | The RSA public key used by the sshd daemon for version 1 of the SSH protocol. |
| /etc/ssh/ssh_host_rsa_key | The RSA private key used by the sshd daemon for version 2 of the SSH protocol. |
| /etc/ssh/ssh_host_rsa_key.pub | The RSA public key used by the sshd daemon for version 2 of the SSH protocol. |
User-specific configuration files

| File | Description |
|------|-------------|
| ~/.ssh/authorized_keys | Holds a list of authorized public keys for servers. |
| ~/.ssh/id_dsa | Contains the DSA private key of the user. |
| ~/.ssh/id_dsa.pub | The DSA public key of the user. |
| ~/.ssh/id_rsa | The RSA private key used by ssh for version 2 of the SSH protocol. |
| ~/.ssh/id_rsa.pub | The RSA public key used by ssh for version 2 of the SSH protocol. |
| ~/.ssh/identity | The RSA private key used by ssh for version 1 of the SSH protocol. |
| ~/.ssh/identity.pub | The RSA public key used by ssh for version 1 of the SSH protocol. |
| ~/.ssh/known_hosts | Contains DSA host keys of SSH servers accessed by the user. |