How To Secure And Configure SSH Service In Linux?

OpenSSH is a free open source set of computer tools used to provide secure and encrypted communication over a computer network by using the SSH protocol. It is a set of computer programs that use the ssh protocol.

SSH stand for Secure Shell, it is used to connect to a remote computer securely. Compare to Telnet, SSH is secure wherein the client and server connection is authenticated using a digital certificate and passwords are encrypted. Hence, It’s widely used by system administrator to control remote Linux servers.it is a protocol which allows users to connect to a remote system using a client-server architecture.

Installing SSH:

To install OpenSSh you need openssh, openssh-server and openssh-clients packages. The openssh package requires openssl-libs to be installed on the system its provide very important cryptography libraries.

To install OpenSSh install                                                
[root@asim ~]# yum install openssh*
Or
[root@asim ~]#yum install openssh-server
[root@asim ~]#yum install openssh-clients
[root@asim ~]#yum install openssh-libs
Configure file for sshd
[root@asim ~]# cat /etc/ssh/sshd_config
Make a copy of the original configuration  file before doing any changes
[root@asim ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
To view and edit the ssh configuration file
[root@asim ~]# vim /etc/ssh/sshd_config
To restart the ssh service [root@asim ~]# systemctl restart sshd
To start the ssh service [root@asim ~]# systemctl start sshd
To check status of ssh [root@asim ~]# systemctl status sshd
To test SSH local session
[root@asim ~]# ssh root@localhost
The authenticity of host ‘localhost (::1)’ can’t be established.
PByUg4YXM8DKbWpRmDQlNqVdKYvm1HmbxGTo23zEeAs
ECDSA key fingerprint is SHA256:.
ECDSA key fingerprint is MD5:e1:ec:7a:d9:a6:79:f9:4f:78:96:c7:91:83:71:78:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘localhost’ (ECDSA) to the list of known hosts.
root@localhost’s password:
Last login: Sun Jun 30 08:08:19 2019
To login through SSH using default port
[root@asim ~]# ssh [email protected]
The authenticity of host ‘192.168.122.1 (192.168.122.1)’ can’t be established.
ECDSA key fingerprint is SHA256:PByUg4YXM8DKbWpRmDQlNqVdKYvm1HmbxGTo23zEeAs.
ECDSA key fingerprint is MD5:e1:ec:7a:d9:a6:79:f9:4f:78:96:c7:91:83:71:78:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.122.1’ (ECDSA) to the list of known hosts.
[email protected]’s password:
Last login: Thu Jun 13 10:36:19 2019
SSH Key-Based Authentication:

User can authenticate ssh logins without a password by using public key authentication. SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key. The private key is retained by the client and should be kept absolutely, secret. The associated public key can be shared freely. The public key can b used to encrypt messages that only the private key can decrypt. The public key is uploaded to a remote server that you want to be able to log into with SSH. When a client attempts to authentication using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove it owns the private key, a shell session is release and the command is executed.

Generate a SSH key pair on local system

Generating public/private rsa key pair.
Enter file in which to save the key (/home/cms/.ssh/id_rsa): 
Created directory ‘/home/cms/.ssh’.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cms/.ssh/id_rsa.
Your public key has been saved in /home/cms/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:OQbjIz/JrA5kf6oM85vAjXYAetLPCYq0YEug+U/XKAw [email protected]
The key’s randomart image is:
+—[RSA 2048]—-+
|                 |
|             |
|o     o          |
|=o   . o .       |
|*=E . o S        |
|BB*B * * .       |
|**ooO X .        |
|.*.= * .         |
|  *+=            |
+—-[SHA256]—–+
Default location of key  pairs user
[cms@asim ~]$ cd ~/.ssh [cms@asim .ssh]$
Private key in user home directory
[cms@asim .ssh]$ cat id_rsa
Public key in user home   directory
[cms@asim .ssh]$ cat id_rsa.pub
Copying your public key to remote system
[cms@asim .ssh]$ cp id_rsa.pub cms1@remote_host @remote_host or @ remote host ip address
Connecting to remote system
[cms@asim .ssh]$ ssh cm1s@remote_host
To restart the ssh service
[root@asim ~]# systemctl restart sshd
To start the ssh service
[root@asim ~]# systemctl start sshd
To check the status of ssh service
[root@asim ~]# systemctl status sshd
Uncomment password authentication and set
passwordAuthentication no       -Value no to disable password authentication
pubkeyAuthentication yes          -Uncomment enable public key
authentication
PermitRootLogin Yes                     -Uncomment to permit root for ssh
[root@asim ~]# vim /etc/ssh/sshd_config
To restart the ssh service
[root@asim ~]# systemctl restart sshd
To start the ssh service
[root@asim ~]# systemctl start sshd
To check the status of ssh service
[root@asim ~]# systemctl status sshd

Leave a Reply

Your email address will not be published.