Configuring and Securing OpenSSH Service

Overview
Goal: To configure secure command-line access on remote systems using OpenSSH.
Objectives
  • Log into a remote system using ssh to run commands from a shell prompt.
  • Set up ssh to allow secure password-free logins by using a private authentication key file.
  • Customize the sshd configuration to restrict direct logins as root or to disable password-based authentication.
Sections
  • Accessing the Remote Command Line with SSH (and Practice)
  • Configuring SSH key-based Authentication (and practice)
  • Customizing SSH Service Configuration (and Practice) 
Lab: Configuring and Securing OpenSSH Service

 

Section 1: Accessing the Remote Command Line with SSH

Question 1: What is the OpenSSH secure shell (SSH)?

 

Secure Shell Examples

[elewei@host ~]$ ssh remotehost

elewei@remotehost's password:

 

[elewei@host ~]$ w -f

The w command displays a list of users currently logged into the computer; the -f option toggles the FROM column, which shows the remote host each session was started from.

 

SSH host keys

SSH secures communication through public-key encryption. When an ssh client connects to an SSH server, before the client logs in, the server sends it a copy of its public key. This is used to set up the secure encryption for the communication channel and to authenticate the server to the client.

 

The first time a user uses ssh to connect to a particular server, the ssh command stores the server's public key in the user's ~/.ssh/known_hosts file. On later connections the key offered by the server is compared with the stored one; if it differs, ssh prints a warning that the host identification has changed and refuses to log in.
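The check described above, written out as an added example (this is not OpenSSH code and not part of the original post): a small shell function that looks a host up in a known_hosts-style file and reports whether the offered key is new, matches, or has changed. It assumes plain (unhashed) host names in the first field, possibly comma-separated as ssh writes them, and uses constructed placeholder key strings rather than real key material.

```sh
#!/bin/sh
# Added example: a minimal model of the trust-on-first-use check the ssh client
# performs against ~/.ssh/known_hosts. Handles only plain (unhashed) host names;
# hashed entries (starting with |1|) are skipped because they never match.

# Constructed known_hosts content standing in for ~/.ssh/known_hosts.
# The key blobs are placeholders, not real public keys.
KNOWN_HOSTS_SAMPLE='remotehost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
10.0.0.5,server5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwo'

# host_key_status FILE HOST KEYTYPE KEY
# Prints one of:
#   new      - host not recorded yet (first connection: ssh asks to accept it)
#   match    - recorded key equals the offered one (silent success)
#   changed  - recorded key differs (ssh warns and refuses; investigate first)
host_key_status() {
    file=$1 host=$2 keytype=$3 key=$4
    recorded=$(awk -v h="$host" -v t="$keytype" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $2 == t {
            n = split($1, names, ",")          # "host,ip" lists one key for both
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $3; exit }
        }' "$file")
    if [ -z "$recorded" ]; then
        echo new
    elif [ "$recorded" = "$key" ]; then
        echo match
    else
        echo changed
    fi
}

# Demo run against the constructed sample.
KH=$(mktemp); printf '%s\n' "$KNOWN_HOSTS_SAMPLE" > "$KH"
host_key_status "$KH" remotehost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne   # match
host_key_status "$KH" remotehost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDifferentKeyX   # changed
host_key_status "$KH" server5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwo     # match
host_key_status "$KH" newhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne      # new
rm -f "$KH"
```

A "changed" result is exactly the case ssh warns about: either the server was reinstalled and has a new host key, or something is sitting between the client and the server. Confirm the new fingerprint out of band (for example with ssh-keygen -l -f on the server's public host key file) before removing the old entry.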

 

Section 2: Configuring SSH key-based Authentication

Users can authenticate ssh logins without a password by using public key authentication. ssh allows users to authenticate using a private-public key scheme.

  • The private key file is used as the authentication credential, and like a password, must be kept secret and secure.
  • The public key is copied to systems the user wants to log into, and is used to verify the private key.

 

Key generation is done using the ssh-keygen command. This generates the private key ~/.ssh/id_rsa and the public key ~/.ssh/id_rsa.pub.

 

Once the SSH keys have been generated, they are stored by default in the .ssh/ directory of your home directory. Permissions should be 600 on the private key and 644 on the public key.
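As an added example (not from the original post), the following shell function audits an .ssh directory for the permissions stated above: owner-only (600) on private keys, 644 or stricter on public keys and authorized_keys, and 700 on the directory itself (the directory mode is the common recommendation, not something the text above states). The fixture it checks is constructed from empty placeholder files; no key material is generated.

```sh
#!/bin/sh
# Added example: audit ~/.ssh permissions the way a practitioner checks them
# after ssh-keygen and ssh-copy-id have run. ssh ignores a private key that is
# readable by others, and sshd (StrictModes, the default) refuses key files or
# directories that other users can write to.

# mode_of PATH -> octal permission bits such as 600 (GNU stat, then BSD stat)
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_ssh_perms DIR -> 0 if every entry has an acceptable mode, 1 otherwise;
# offending entries are listed on stdout.
check_ssh_perms() {
    dir=$1 rc=0
    case "$(mode_of "$dir")" in
        700) ;;
        *) echo "$dir: expected 700, found $(mode_of "$dir")"; rc=1 ;;
    esac
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/} mode=$(mode_of "$path")
        case $name in
            *.pub|authorized_keys|known_hosts|config)
                # Public material: readable by others is fine, writable is not.
                case $mode in
                    644|640|600|444|400) ;;
                    *) echo "$path: expected 644, found $mode"; rc=1 ;;
                esac ;;
            id_*)
                # Private key: owner-only, otherwise ssh refuses to use it.
                case $mode in
                    600|400) ;;
                    *) echo "$path: expected 600, found $mode"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Constructed fixture: empty placeholder files stand in for real keys.
# "good" has the documented modes, "bad" has two typical mistakes.
make_fixture() {
    d=$(mktemp -d) && mkdir -m 700 "$d/good" "$d/bad"
    for sub in good bad; do
        : > "$d/$sub/id_rsa"; : > "$d/$sub/id_rsa.pub"; : > "$d/$sub/authorized_keys"
        chmod 600 "$d/$sub/id_rsa"
        chmod 644 "$d/$sub/id_rsa.pub" "$d/$sub/authorized_keys"
    done
    chmod 644 "$d/bad/id_rsa"   # private key readable by everyone
    chmod 775 "$d/bad"          # group-writable directory
    echo "$d"
}

FIXTURE=$(make_fixture)
check_ssh_perms "$FIXTURE/good" && echo "good: ok"
check_ssh_perms "$FIXTURE/bad" || echo "bad: problems found"
rm -rf "$FIXTURE"
```

Run it as check_ssh_perms "$HOME/.ssh" on a real account; it is also a useful check on the remote side, where the public key ends up in ~/.ssh/authorized_keys.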

 

Section 3: Customizing SSH Service Configuration

Various aspects of the OpenSSH server can be modified in the configuration file /etc/ssh/sshd_config. Changes take effect after the sshd service is restarted.

 

Prohibit the root user from logging in using SSH

The OpenSSH server has a configuration setting that prohibits logging in as the user root. It is commented out by default in the /etc/ssh/sshd_config file; a commented line only shows the built-in default and has no effect.

Default (commented out):

#PermitRootLogin yes

Uncomment the line and set it to no:

PermitRootLogin no

 

[root@serverX ~]# systemctl restart sshd

Another option is to allow only key-based ssh login as root (newer OpenSSH versions spell this value prohibit-password and keep without-password as an alias):

PermitRootLogin without-password

 

Prohibit password authentication using SSH

There is an option in the /etc/ssh/sshd_config configuration file which turns on password authentication by default:

PasswordAuthentication yes

Set it to no so that only key-based logins are accepted (have a working key in authorized_keys before doing this, or the account is locked out of SSH):

PasswordAuthentication no

 

[root@serverX ~]# systemctl restart sshd
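The two sshd_config changes above share a pitfall: a keyword left commented out is only the default, and when a keyword appears more than once sshd uses the first value it reads. As an added example (not from the original post), the following shell script reads a sshd_config-style file with those rules and flags a configuration that does not explicitly harden PermitRootLogin and PasswordAuthentication. It assumes the common "Keyword value" syntax (not "Keyword=value") and stops at the first Match block, since settings after it apply only conditionally. The three configuration excerpts are constructed for the demo.

```sh
#!/bin/sh
# Added example: audit the global PermitRootLogin and PasswordAuthentication
# settings of a sshd_config-style file. Parsing follows the sshd_config rules:
# "#" lines are comments, keywords are case-insensitive, the first value read
# wins, and everything after a Match line is conditional.

# sshd_setting KEYWORD FILE -> the effective global value of KEYWORD, or
# nothing if it is not set explicitly (the compiled-in default then applies).
sshd_setting() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        tolower($1) == "match" { exit }                 # conditional section starts
        tolower($1) == want    { print $2; exit }       # first value wins
    ' "$2"
}

# audit_sshd_config FILE -> 0 if both settings are explicitly hardened,
# 1 otherwise, with the reason printed on stdout.
audit_sshd_config() {
    file=$1 rc=0
    root=$(sshd_setting PermitRootLogin "$file")
    case "$(printf '%s' "$root" | tr 'A-Z' 'a-z')" in
        no|without-password|prohibit-password) ;;
        "") echo "PermitRootLogin: not set (a commented line is only the default)"; rc=1 ;;
        *)  echo "PermitRootLogin: $root"; rc=1 ;;
    esac
    pw=$(sshd_setting PasswordAuthentication "$file")
    case "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" in
        no) ;;
        "") echo "PasswordAuthentication: not set (default is yes)"; rc=1 ;;
        *)  echo "PasswordAuthentication: $pw"; rc=1 ;;
    esac
    return $rc
}

# Constructed excerpts standing in for /etc/ssh/sshd_config.
# 1. Edited but still commented out; the Match block does not count globally.
WEAK_CONFIG='#PermitRootLogin yes
#PermitRootLogin no
#PasswordAuthentication no
Match User backup
    PasswordAuthentication no'
# 2. Hardened; mixed case is fine, and the later "yes" is ignored.
HARDENED_CONFIG='PermitRootLogin no
passwordauthentication no
PasswordAuthentication yes'
# 3. The "no" was appended after an existing "yes", so "yes" stays in effect.
MISORDERED_CONFIG='PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no'

for cfg in "$WEAK_CONFIG" "$HARDENED_CONFIG" "$MISORDERED_CONFIG"; do
    f=$(mktemp); printf '%s\n' "$cfg" > "$f"
    if audit_sshd_config "$f"; then echo "hardened"; else echo "not hardened"; fi
    rm -f "$f"
done
```

On a real host, sshd -t checks the edited file for syntax errors before the restart, and sshd -T prints the effective configuration as sshd itself resolves it, which is the authoritative form of this check.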

 

posted @ 2015-08-23 22:30  elewei