Secure Shell (SSH) is a fundamental protocol for secure remote access and communication between systems. In this tutorial, we’ll cover everything you need to know about configuring SSH servers and clients, generating SSH keys, managing key permissions, distributing public keys, utilizing SSH-agent, and hardening SSH for enhanced security.
Install and Configure SSH Server
# dnf install openssh-server
Last metadata expiration check: 0:17:40 ago on Sat Feb 10 20:28:01 2024.
Package openssh-server-8.7p1-34.el9.x86_64 is already installed.
To modify the system-wide sshd configuration, create a *.conf file in /etc/ssh/sshd_config.d/ to customize settings such as the port, authentication methods and access controls. Because the Include directive comes first in sshd_config and sshd keeps the first value it reads for each keyword, a setting in a drop-in file overrides the same keyword in the main file. For the purpose of this article we will touch on the general configuration file.
server2 ~]# grep -v '^#' /etc/ssh/sshd_config | grep -v ^$
Include /etc/ssh/sshd_config.d/*.conf
Port 2223
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30s
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 3
AuthorizedKeysFile .ssh/authorized_keys
X11Forwarding no
PrintMotd yes
PrintLastLog yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# Restart the service after doing changes.
server2 ~]# systemctl restart sshd
# And check status
server2 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
Active: active (running) since Sat 2024-02-10 21:05:50 CET; 5s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1570 (sshd)
Tasks: 1 (limit: 11036)
Memory: 1.4M
CPU: 19ms
CGroup: /system.slice/sshd.service
└─1570 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
Feb 10 21:05:50 server2.lab.hackelarre.cc systemd[1]: Starting OpenSSH server daemon...
Feb 10 21:05:50 server2.lab.hackelarre.cc sshd[1570]: Server listening on 0.0.0.0 port 2223.
Feb 10 21:05:50 server2.lab.hackelarre.cc sshd[1570]: Server listening on :: port 2223.
Feb 10 21:05:50 server2.lab.hackelarre.cc systemd[1]: Started OpenSSH server daemon.
Remember that if you change the port on a SELinux system, you have to tell SELinux about the new port, and you also have to open it in firewalld (a --permanent rule only takes effect after the firewall is reloaded).
# semanage port -a -t ssh_port_t -p tcp 2223 #YOURPORTNUMBER
# firewall-cmd --add-port=2223/tcp --permanent
Configuring SSH Client
The SSH client is typically pre-installed on most Linux distributions. Generate an SSH key pair, with or without a passphrase depending on your needs.
# Generating SSH Keys. Follow prompts
[devops@vm1 ~]$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devops/.ssh/id_rsa
Your public key has been saved in /home/devops/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:fXuQam1a6wYE4kU7Bnw6CDG0qnQZRjI8GDXuKSSmeMU devops@vm1.lab.hackelarre.cc
The key's randomart image is:
+---[RSA 4096]----+
|+**o .... |
|.+== o.+. |
|.o++Eo =+. |
|*o.o+ +. o. . |
|=.+o .S.. + |
|oo. .+ o |
|. o.= . |
| . +.o |
| .oo |
+----[SHA256]-----+
Ensure proper permissions for SSH key files.
[devops@vm1 ~]$ ls -ltr .ssh/
total 12
-rw-------. 1 devops devops 844 Feb 8 22:55 authorized_keys
-rw-r--r--. 1 devops devops 754 Feb 10 21:24 id_rsa.pub
-rw-------. 1 devops devops 3401 Feb 10 21:24 id_rsa
If they are not correct, you can change them with the following commands.
chmod 600 ~/.ssh/id_rsa # Set permissions for private key
chmod 644 ~/.ssh/id_rsa.pub # Set permissions for public key
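The permission rules above matter because the server config shown earlier has StrictModes yes, so sshd silently rejects a key whose files are too open. The script below is an added example (not from the original article): it checks a .ssh directory against those rules and demonstrates itself on a constructed temporary directory, not a real home directory.

```shell
#!/bin/sh
# Added example: verify the ownership-independent permission bits of a .ssh
# directory the way the article describes (700 dir, 600 private files,
# 644 public keys). Prints one line per problem, returns the problem count.

# mode_of FILE: octal permission bits (GNU stat, falling back to BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms [DIR]: DIR defaults to ~/.ssh
check_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    problems=0
    [ "$(mode_of "$dir")" = "700" ] ||
        { echo "$dir: mode $(mode_of "$dir"), expected 700"; problems=$((problems + 1)); }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub) want=644 ;;   # public keys may be world-readable
            *)     want=600 ;;   # private keys, authorized_keys, config, known_hosts
        esac
        m=$(mode_of "$f")
        [ "$m" = "$want" ] ||
            { echo "$f: mode $m, expected $want"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# run_demo: build a constructed sample directory with one deliberate mistake
# (a world-readable private key) and return how many problems were found
run_demo() {
    d=$(mktemp -d)
    mkdir -m 700 "$d/.ssh"
    : > "$d/.ssh/id_rsa";          chmod 644 "$d/.ssh/id_rsa"      # too open
    : > "$d/.ssh/id_rsa.pub";      chmod 644 "$d/.ssh/id_rsa.pub"
    : > "$d/.ssh/authorized_keys"; chmod 600 "$d/.ssh/authorized_keys"
    check_ssh_perms "$d/.ssh" && n=0 || n=$?
    rm -rf "$d"
    return "$n"
}

run_demo || echo "problems found: $?"
```

Run check_ssh_perms with no argument to audit your own ~/.ssh.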
Distributing Public Keys
Copy public key to remote server for passwordless authentication.
[devops@vm1 ~]$ ssh-copy-id -p2223 server2.lab.hackelarre.cc
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/devops/.ssh/id_rsa.pub"
The authenticity of host '[server2.lab.hackelarre.cc]:2223 ([192.168.122.57]:2223)' can't be established.
ED25519 key fingerprint is SHA256:bfhfmTWh5IYMRw0COWn5ZPporrzujs8yJSukkUfNvpI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
devops@server2.lab.hackelarre.cc's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2223' 'server2.lab.hackelarre.cc'"
and check to make sure that only the key(s) you wanted were added.
# Check connection.
[devops@vm1 ~]$ ssh server2.lab.hackelarre.cc -p2223
Last login: Sat Feb 10 21:41:02 2024 from 192.168.122.189
Customize SSH client settings
Edit ~/.ssh/config file for host-specific configurations and aliases.
[devops@vm1 ~]$ vim .ssh/config
Host server2
    HostName server2.lab.hackelarre.cc
    Port 2223
    User devops
    IdentityFile ~/.ssh/id_rsa
    PubkeyAuthentication yes
Tips for Hardening SSH
- Disable root login and password authentication in SSH server configuration.
- Configure firewall rules to restrict SSH access to trusted IP addresses or networks.
- Enable two-factor authentication (2FA) for additional security.
- Use fail2ban to block brute-force attempts against the SSH port.
- Periodically review SSH logs for suspicious activities and implement intrusion detection measures.
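A quick way to check the first two tips against a real config file, as an added example (not from the original article): the function below reads an sshd_config the way sshd does (keywords are case-insensitive and the first value wins) and reports settings that contradict the tips. It does not follow Include lines, so run it against each drop-in file too.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening tips above.

# effective_value FILE KEYWORD: print the value sshd would use, nothing if unset
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == kw    { print $2; exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE: print one line per weak setting, return the count
audit_sshd_config() {
    cfg=$1; findings=0
    v=$(effective_value "$cfg" PermitRootLogin)
    case "${v:-prohibit-password}" in              # OpenSSH default is prohibit-password
        no|prohibit-password) ;;
        *) echo "PermitRootLogin $v: expected no or prohibit-password"; findings=$((findings + 1)) ;;
    esac
    v=$(effective_value "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = no ] ||
        { echo "PasswordAuthentication ${v:-unset (default yes)}: expected no"; findings=$((findings + 1)); }
    v=$(effective_value "$cfg" MaxAuthTries)
    [ "${v:-6}" -le 3 ] 2>/dev/null ||
        { echo "MaxAuthTries ${v:-unset (default 6)}: expected 3 or lower"; findings=$((findings + 1)); }
    v=$(effective_value "$cfg" X11Forwarding)
    [ "${v:-no}" = no ] ||
        { echo "X11Forwarding $v: expected no"; findings=$((findings + 1)); }
    return "$findings"
}

# run_audit_demo: audit a constructed sample modelled on the article's config
run_audit_demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 2223
PermitRootLogin prohibit-password
MaxAuthTries 3
PasswordAuthentication yes
X11Forwarding no
# the line below is ignored by sshd: the first value (yes) already won
PasswordAuthentication no
EOF
    audit_sshd_config "$sample" && n=0 || n=$?
    rm -f "$sample"
    return "$n"
}

run_audit_demo || echo "weak settings found: $?"
```

On the server itself, `sshd -T` (as root) prints the fully resolved configuration including drop-ins, which you can feed to audit_sshd_config instead of the raw file.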
Conclusion
SSH is a critical tool for secure remote access and communication in Linux environments. By following this guide, you have learned how to configure SSH servers and clients, generate and manage SSH keys, distribute public keys, utilize SSH-agent for passphrase management, and harden SSH for enhanced security. Implement these best practices to ensure secure and efficient remote access to your systems.