Red Hat System Administration I
- SectionAccessing the Remote Command Line with SSH
- Guided Exercise: Accessing the Remote Command Line
- Configuring SSH Key-based Authentication
- Guided Exercise: Using SSH Key-based Authentication
- Customizing SSH Service Configuration
- Guided Exercise: Restricting SSH Logins
- Lab: Configuring and Securing OpenSSH Service
Abstract
| Goal | To configure secure command-line access on remote systems using OpenSSH. |
| Objectives |
|
| Sections |
|
| Lab |
|
The OpenSSH service is the standard software to securely access the remote command line.
Objective
After completing this section, students should be able to log into a remote system using ssh to run commands from a shell prompt.
What is the OpenSSH secure shell (SSH)?
The term OpenSSH refers to the software implementation of the Secure Shell software used in the system. The OpenSSH Secure Shell, ssh, is used to securely run a shell on a remote system. If you have a user account on a remote Linux system providing SSH services, ssh is the command normally used to remotely log into that system. The ssh command can also be used to run an individual command on a remote system.
Secure Shell examples
Here are some examples of ssh command syntax for remote login and remote execution:
Create a remote interactive shell as the current user, then return to your previous shell when done with the exit command.
[student@host ~]$ssh remotehoststudent@remotehost's password:[student@remotehost ~]$exitConnection to remotehost closed.[student@host ~]$Connect to a remote shell as a different user (remoteuser) on a selected host (remotehost):
[student@host ~]$ssh remoteuser@remotehostremoteuser@remotehost's password:[remoteuser@remotehost ~]$Execute a single command (hostname) on a remote host (remotehost) and as a remote user (remoteuser) in a way that returns the output to the local display:
[student@host ~]$ssh remoteuser@remotehost hostnameremoteuser@remotehost's password: remotehost.example.com[student@host ~]$
The w command displays a list of users currently logged into the computer. This is especially useful to show which users are logged in using ssh from which remote locations, and what they are doing.
[student@host ~]$w -fUSER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT student tty1 :0 Wed08 2days 1:52m 0.07s pam: gdm-passwo root tty6 - 12:33 4:14m 16.27s 15.74s -bash student pts/0 :0.0 Wed08 5:11 1.63s 1.60s /usr/bin/gnome- student pts/1 :0.0 Wed08 43:44 14.48s 13.81s vim hello.c student pts/3 :0.0 Wed14 0.00s 0.06s 0.06s w visitor pts/6 server2.example. 09:22 3:14 0.02s 0.02s -bash
In this example, user student logged in on virtual console 1 (tty1) through the graphical login (:0) at about 08:00 on Wednesday. User student currently has three pseudo-terminals open (pts/0, pts/1, and pts/3) started by the graphical environment;
these are almost certainly terminal windows. In one window, student is editing hello.c.
User root is logged in on virtual console 6, starting at 12:33 today. User visitor
logged in on pseudo-terminal 6 at 09:22 today from the host server2.example.com (note that the name has been truncated), probably using
ssh, and has been sitting idle at a shell prompt for three minutes and 14 seconds.
SSH host keys
SSH secures communication through public-key encryption. When an ssh client connects to an SSH server, before the client logs in, the server sends it a copy of its public key. This is used to set up the secure encryption for the communication channel and to authenticate the server to the client.
The
first time a user uses ssh to connect to a particular server, the ssh command stores the
server's public key in the user's ~/.ssh/known_hosts file. Every time the user connects
after that, the client makes sure it gets the same public key from the server by comparing the server's entry in the
~/.ssh/known_hosts file to the public key the server sent. If the keys do not
match, the client assumes that the network traffic is being hijacked or that the server has been compromised, and
breaks the connection.
This means that if a server's public key is changed (because the key was lost due to hard drive failure, or replaced
for some legitimate reason), users will need to update their ~/.ssh/known_hosts files and remove
the old entry in order to log in.
Host IDs are stored in
~/.ssh/known_hostson your local client system:$ cat ~/.ssh/known_hosts remotehost,192.168.0.101 ssh-rsa AAAAB3Nzac...Host keys are stored in
/etc/ssh/ssh_host_key*on the SSH server.$ ls /etc/ssh/*key* ssh_host_dsa_key ssh_host_key ssh_host_rsa_key ssh_host_dsa_key.pub ssh_host_key.pub ssh_host_rsa_key.pub
Note
An even better approach is to add entries matching a server's ssh_host_*key.pub files to
user ~/.ssh/known_hosts or the systemwide /etc/ssh/ssh_known_hosts
in advance when the public keys change. See ssh-copy-id(1) for an advanced way to manage
SSH keys.
References
Additional information may be available in the chapter on using the ssh utility in the Red Hat Enterprise Linux System Administrator's Guide for Red Hat Enterprise Linux 7, which can be found at https://access.redhat.com/documentation/
ssh(1), w(1), and hostname(1) man pages
