These days ssh
login can be considered the de facto method for connecting to remote servers. It is reliable and secure but if it is configured improperly, it can be more of a liability than an asset. In this recipe will change a couple of parameters to secure ssh
and we will set up passwordless connections using public keys.
All the steps from this recipe will be performed on nodeorcl1
as the root user. The remote logins will be performed from nodeorcl5
.
All parameters that will be modified are located in the /etc/sshd_config
configuration file.
ssh
service. Therefore it will be a good idea to change the default ssh
port:Port 13120
PermitRootLogin no
ssh
will check for proper permissions in the user's home. Use strict mode:StrictModes yes
HostbasedAuthentication no
MaxStartups 10:50:10
AllowGroups logingrp
sshd
service:[root@nodeorcl1 ~]# service sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ]
sshd
daemon will listen on port 13120:[root@nodeorcl1 ~]# lsof -i -n | grep sshd sshd 14089 root 3u IPv6 55380 TCP *:13120 (LISTEN) [root@nodeorcl1 ~]#
nodeorcl5
to nodeorcl1
as root. Direct root log ins will be denied:[loguser1@nodeorcl5 ~]$ ssh -l root -p 13120 nodeorcl1 root@nodeorcl1's password: Permission denied, please try again. Permission denied (publickey,gssapi-with-mic).
After any change of configuration parameters, a daemon restart is needed. You can perform the restart in different ways, such as restarting the service or by sending a HUP
(kill -1
) signal to the sshd
daemon process.
Using key authentication instead of using passwords is probably one of the securest methods of authentication. This will suppress definitively any brute force attempt using passwords.
/etc/ssh/sshd_config
file and disable password authentication by modifying the following parameter:PasswordAuthentication no
RSAAuthentication yes PubkeyAuthentication yes
nodeorcl5
as the user loginuser1
, create a passphase protected public/private key:[loginuser1@nodeorcl5 ~]$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/loginuser1/.ssh/id_rsa): Created directory '/home/loginuser1/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/loginuser1/.ssh/id_rsa. Your public key has been saved in /home/loginuser1/.ssh/id_rsa.pub. The key fingerprint is: 1b:a2:9f:d5:e8:77:08:1c:b5:6a:6a:29:3e:53:46:a5 loginuser1@nodeorcl5 The key's randomart image is: +--[ RSA 2048]----+ | | | . . | | o . . | | E . . | | ...So | | .o.== | | .o ++... | | +.++ o . | | ..=o .. . | +-----------------+
nodeorcl1
as follows:[loginuser1@nodeorcl5 ~]$ ssh-copy-id '–p 13120 -i .ssh/id_rsa.pub loguser1@nodeorcl1' The authenticity of host 'nodeorcl1 (10.241.132.218)' can't be established. RSA key fingerprint is 34:39:af:94:9a:2e:4b:f8:37:9c:af:27:67:1c:74:2b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'nodeorcl1,10.241.132.218' (RSA) to the list of known hosts. loguser1@nodeorcl1's password: Now try logging into the machine, with "ssh 'loguser1@nodeorcl1'", and check in: .ssh/authorized_keys To make sure we haven't added extra keys that you weren't expecting.
nodeorcl1
; you must type the passphrase entered during key creation:loguser1@nodeorcl2:~> ssh loguser1@nodeorcl1 Enter passphrase for key '/home/loguser1/.ssh/id_rsa': [loguser1@nodeorcl1 ~]$
sshd
service as follows:[root@nodeorcl1 ~]# service sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ]
3.139.105.159