How to Install and Configure OpenSSH Server In Linux

Being a network administrator requires a deep knowledge about remote login protocols such as rlogin, telnet and ssh. The one I will discuss in this article is ssh, a secure remote protocol which is used to work remotely on other machines or transfer data between computers using SCP (Secure Copy) command. But, what is OpenSSH and how to install it in your Linux distribution?

What is OpenSSH?

OpenSSH is a free open source set of computer tools used to provide secure and encrypted communication over a computer network by using the ssh protocol. Many people, new to computers and protocols, create a misconception about OpenSSH, they think it is a protocol, but it is not, it is a set of computer programs that use the ssh protocol.

OpenSSH is developed by the Open BSD group and it is released under Simplified BSD License. A main factor which has made possible for OpenSSH to be used so much among system administrators is its multi-platform capability and very useful nice features it has. The latest version is OpenSSH 6.4 which has been released onNovember 8, 2013.

This version of OpenSSH comes with many new features and patches, so if you already use OpenSSH for administering your machines, I suggest you to do an upgrade.

Why Use OpenSSH And Over Telnet Or Ftp?

  • Secure Communication
  • Strong Encryption (3DES, Blowfish, AES, Arcfour)
  • X11 Forwarding (encrypt X Window System traffic)
  • Port Forwarding (encrypted channels for legacy protocols)
  • Strong Authentication (Public Key, One-Time Password and Kerberos Authentication)
  • Agent Forwarding (Single-Sign-On)
  • Interoperability (Compliance with SSH 1.3, 1.5, and 2.0 protocol Standards)
  • SFTP client and server support in both SSH1 and SSH2 protocols.
  • Kerberos and AFS Ticket Passing
  • Data Compression

Installation of OpenSSH in Linux

On Ubuntu/Debian/Linux Mint

$ sudo apt-get install openssh-server openssh-client

On RHEL/Centos/Fedora

# yum -y install openssh-server openssh-clients

Configuration of OpenSSH

It’s time to configure our OpenSSH behaviour through the ssh config file, but before editing the/etc/ssh/sshd_config file we need to backup a copy of it, so in case we make any mistake we have the original copy.

Open a terminal and run the following command to make a copy of the original sshd configuration file.

$ sudo cp /etc/ssh/sshd_config  /etc/ssh/sshd_config.original_copy

As you can see from the command I typed, I added the original_copy suffix, so every time I see this file I know it is an original copy of the sshd config file.

SSH (Secure SHELL) is an open source and most trusted network protocol that is used to login into remote servers for execution of commands and programs. It is also used to transfer files from one computer to another computer over the network using secure copy (SCP) Protocol.

In this article we will show you how to setup password-less login on RHEL/CentOS 7.x/6.x/5.x and Fedora usingssh keys to connect to remote Linux servers without entering password. Using Password-less login with SSH keys will increase the trust between two Linux servers for easy file synchronization or transfer.

How To Configure SSH Key-Based Authentication on a Linux Server

Introduction

SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a Linux server, chances are, you will spend most of your time in a terminal session connected to your server through SSH.

While there are a few different ways of logging into an SSH server, in this guide, we’ll focus on setting up SSH keys. SSH keys provide an easy, yet extremely secure way of logging into your server. For this reason, this is the method we recommend for all users.

How Do SSH Keys Work?

  1. An SSH server can authenticate clients using a variety of different methods. The most basic of these is password authentication, which is easy to use, but not the most secure.
  2. Although passwords are sent to the server in a secure manner, they are generally not complex or long enough to be resistant to repeated, persistent attackers. Modern processing power combined with automated scripts make brute forcing a password-protected account very possible. Although there are other methods of adding additional security (fail2ban, etc.), SSH keys prove to be a reliable and secure alternative.
  3. SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key.
  4. The private key is retained by the client and should be kept absolutely secret. Any compromise of the private key will allow the attacker to log into servers that are configured with the associated public key without additional authentication. As an additional precaution, the key can be encrypted on disk with a passphrase.
  5. The associated public key can be shared freely without any negative consequences. The public key can be used to encrypt messages that only the private key can decrypt. This property is employed as a way of authenticating using the key pair.
  6. The public key is uploaded to a remote server that you want to be able to log into with SSH. The key is added to a special file within the user account you will be logging into called ~/.ssh/authorized_keys.
  7. When a client attempts to authenticate using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove that it owns the private key, a shell session is spawned or the requested command is executed.

An overview of the flow of SSH:

This shows a laptop connecting to a server, but it could just as easily be one server connecting to another server.

Create Authentication SSH-Kegen Keys on – (192.168.0.12)

First login into server 192.168.0.12 with user tecmint and generate a pair of public keys using following command.

[test@test ~]$ ssh-keygen -t rsa
 Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa): [Press enter key]
Created directory '/home/test/.ssh'.
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Press enter key]
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
5f:ad:40:00:8a:d1:9b:99:b3:b0:f8:08:99:c3:ed:d3 test@test

 

Create .ssh Directory on – 192.168.0.11

Use SSH from server 192.168.0.12 to connect server 192.168.0.11 using sheena as user and create .sshdirectory under it, using following command.

[test@test ~]$ ssh satya@192.168.0.11 mkdir -p .ssh
The authenticity of host '192.168.0.11 (192.168.0.11)' can't be established.
RSA key fingerprint is 45:0e:28:11:d6:81:62:16:04:3f:db:38:02:la:22:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.11' (ECDSA) to the list of known hosts.
satya@192.168.0.11's password: [Enter Your Password Here]

Upload Generated Public Keys to – 192.168.0.11

Use SSH from server 192.168.0.12 and upload new generated public key (id_rsa.pub) on server 192.168.0.11under satya‘s .ssh directory as a file name authorized_keys.

[test@test ~]$ cat .ssh/id_rsa.pub | ssh satya@192.168.0.11 'cat >> .ssh/authorized_keys'
satya@192.168.1.2's password: [Enter Your Password Here]

Set Permissions on – 192.168.0.11

Due to different SSH versions on servers, we need to set permissions on .ssh directory and authorized_keys file.

[test@test ~]$ ssh satya@192.168.0.11 "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
satya@192.168.0.11's password: [Enter Your Password Here]

Login from 192.168.0.12 to 192.168.0.11 Server without Password

From now onwards you can log into 192.168.0.11 as satya user from server 192.168.0.12 as test user without password.

[test@test ~]$ ssh satya@192.168.0.11
  • Configure key-based SSH authentication.
  • Configure additional SSH options described in documentation.

As a Linux administrator you should know

  • SSH stand for Secure Shell.
  • SSH is a network protocol for secure data communication.
  • SSH protocol allows remote command line login.
  • SSH protocol enables remote command execution.
  • To use SSH you need to deploy SSH Server and SSH Client program respectively.
  • OpenSSH is a FREE version of the SSH.
  • Telnet, rlogin, and ftp transmit unencrypted data over internet.
  • OpenSSH encrypt data before sending it over insecure network like internet.
  • OpenSSH effectively eliminate eavesdropping, connection hijacking, and other attacks.
  • OpenSSH provides secure tunneling and several authentication methods.
  • OpenSSH replace Telnet and rlogin with SSH, rcp with scp, ftp with sftp.

sshd

The daemon service that implements the ssh server. By default it must be listening on port 22 TCP/IP.

ssh

The ssh [ Secure Shell command ] is a secure way to log and execute commands in to SSH Server system.

scp

The Secure Copy command is a secure way to transfer files between computers using the private/public key encryption method.

ssh-keygen

This utility is used to create the public/private keys.

ssh-agent

This utility holds private keys used for RSA authentication.

ssh-add

Adds RSA identities to the authentication agent ssh-agent.

How to configure SSH Server in RHEL6

Two RPM are required to configure and run OpenSSH server.

  • openssh-server
  • openssh

Before you start configuration make sure that you have necessary RPM packages installed. Install if any RPM is missing.

Check the current status of sshd service, it must be running. If service is stopped start it. Options you need with service command are start |stop | restart | status

Configure it to start when the system is booted

IP address of OpenSSH server is required, note it down

In RHCE exam you need to configure a firewall to either block or allow network communication through one or more ports. So if you have configured firewall then you have to allow SSH.

That all setting which we need on server.

How to configure SSH client on RHEL 6

openssh-clients rpm is required for ssh client.

Check necessary RPM, install if any missing

Check sshd service status it must be running. Start it if it is off

Configure sshd service to start to at boot time

Check connectivity from SSH server

That’s all setting which we need on client system.

Create two user user1 and user2 and verify that both users can login in SSH server from SSH client.

Go on server and create two users user1 and user2

Open main configuration file sshd_config

Check the value of Password Authentication directive. In order to accept local user password base authentication it must be set to yes. Set it to yes if it is set to no and save the file.

Restart the service if you have made any change in sshd_config

Go on linux client system and verify that both users can login in SSH server. Also verify from root user.

Do not allow root and user1 users to login to it and allow the rest of users. To confirm it login from user2.

User and Host Based Security

Following additional directives can be added to /etc/sshd/sshd_config file in order to make the ssh server more restrictive.

Block empty passwords

PermitEmptyPasswords no

Block root user to log on the system using ssh.

PermitRootLogin no

Limit the users allowed to access a system via SSH. In this case only users ‘laxmi’ and ‘vinita’ are allowed to login on the system using SSH

AllowUsers laxmi vinita

Make it more restrictive and add node address with user name. In following case only allow login through SSH users ‘laxmi’ and ‘vinita’ from 192.168.1.10 node.

AllowUsers laxmi@192.168.1.10 vinita@192.168.1.10

In addition you can restrict the access to users. In this case all users except ‘user1’ are allowed to connect to the SSH server.

DenyUsers user1

Go back on server and open main configuration file again

In the end of file add following directives and save the file

PermitRootLogin no

DenyUsers user1

Restart the sshd service

Go back on linux client system and verify that we have blocked user1 and root. Also verify that user2 able to login in SSH server.

Re-configure SSH Server to allow login only using public / private keys. Generate keys for user2 and verify that user2 can login using keys.

To make Linux server more secure linux administrator usually disable password authentication on the SSH server and allow only public/private keys authentication.

Private Keys

Private keys are stored on server and must be secured. Anything encrypted with public key can only be decrypted with paired private key. So it must be accessible only to the user owner of that key, in the .ssh subdirectory of that user’s home directory.

Public Keys

Public keys are publicly available. Public keys are required to connect with server. The public keys for SSH servers belong on administrative workstations.

Go back on server and open main configuration file again

Uncomment following directives and save the file

RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys

Restart the sshd service

Login form user2 and create a ssh directory with permission 755

Come back on linuxclient system and create a normal user account user2.

Login form user2 and create a ssh directory with permission 755

Generate the public/private key pair. Accept default location for key file.

Enter passphrase ‘I love linux’ and confirm

Public key is stored in /home/user2/.ssh/id_rsa.pub. Create a copy of public key

Copy the authorized_keys file on server to /home/user2/.ssh/authorized_keys. Enter user2 [user account on server] password when asked

On server verify that we have successfully copied public key on server. Also set permission to 644 for authorized_keys

Login from root on server and open sshd_config file

Set Password Authentication directive to no and save the file. This will block login using password.

Restart the sshd service

Come back on linux client system.

Logout from user2 and login back.

Now try to login from user2 on linux client. Enter passphrase ‘I love linux’

Change default ssh port to 2223

Come on server and open sshd_config file again

Uncomment following directive and change value to 2223

#port 22

restart the sshd service

Go back on linux client system and try to connect with default port

Now specify the new port

SSH Configuration files

There are two different sets of configuration files

  • System-wide SSH configuration :- stored in the /etc/ssh/ directory
  • User-specific SSH configuration :- stored in ~/.ssh/ within the user’s home directory

 

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: