Configure & Secure SSH Flashcards
What username will be prompted for a password when omitting the username from the ssh command (e.g. ssh hostname)?
The current user’s username.
What CLI command will log you out of an ssh connection?
exit
What CLI command will initiate an ssh connection as username with host server?
ssh username@host
What CLI command will show the hostname of a remote server without accessing the remote interactive shell?
ssh username@host hostname
What Linux CLI command will list the currently logged in users along with the remote location they logged in from?
w -f
In what files (global and user) are the public keys for known hosts kept?
/etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts
With StrictHostKeyChecking enabled, what will happen if the public keys don’t match on ssh login?
ssh will abort the connection.
In what two ways can you enable StrictHostKeyChecking for ssh connections?
- Add StrictHostKeyChecking=yes to ~/.ssh/config or /etc/ssh/ssh_config
- Add the option -o StrictHostKeyChecking=yes to the ssh command
Red Hat recommends always enabling StrictHostKeyChecking.
What CLI command is used to display a host’s ssh public key?
ssh-keygen -lf /etc/ssh/filename.pub
How does Red Hat recommend sharing a host’s public key for use with ssh?
Use an out-of-band communication channel such as email, phone call, or video conference.
What three fields are contained in a host’s entry in the client’s known_hosts file?
- hostname or IP address
- Encryption algorithm used
- the public key
What must you do if ssh warns that a remote host’s identification has changed?
Manually modify the client’s known_hosts file with the correct public key or IP address, or remove the host’s entry from the file and reconnect to obtain a new public key.
This warning is an indication of a possible malicious attack.
What CLI command will find and remove a host’s key entry from the known_hosts file?
ssh-keygen -R *remotehostname* -f filename (~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts)
Where does the ssh-keygen command save your public and private keys by default?
~/.ssh/id_rsa and ~/.ssh/id_rsa.pub
What CLI command will generate a key pair for ssh login?
ssh-keygen
Why is adding a passphrase to a key pair more secure than just using a password for ssh login?
A login password is sent in the clear to the remote computer for authentication, while the key pair’s passphrase is used locally to decrypt the private key before use.
What ssh-keygen option flag is used to specify the file name to store the key pair?
-f ~/.ssh/filename
What read and write permissions are the ssh-keygen generated key pair assigned by default?
- public key -rw------- or 600
- private key -rw-r--r-- or 644
What CLI command is used to copy your public key to a remote host?
ssh-copy-id -i ~/.ssh/filename user@remotehost
Omit “-i ~/.ssh/filename” to copy the default public key
What does the ssh-agent key manager do?
Caches key pair passphrases for ssh login, which further limits passphrase exposure.
What CLI command is used to manually enable the ssh-agent key manager?
eval $(ssh-agent)
Must be manually started when logged in to a text environment
What CLI command is used to manually load your private key passphrase to the ssh-agent key manager?
ssh-add or ssh-add ~/.ssh/filename
ssh-add without a filename will add the default id_rsa passphrase.
What ssh option flag(s) would you use to help troubleshoot ssh login issues?
-v | -vv | -vvv
In what file are configuration options for a user’s ssh logins stored?
~/.ssh/config
What file is edited to configure sshd?
/etc/ssh/sshd_config
What setting in sshd_config do you edit to prohibit logging in as root?
PermitRootLogin no
What CLI command do you run to apply any changes to sshd_config?
systemctl reload sshd
What setting in sshd_config do you edit to prohibit any password-based authentication by ssh?
PasswordAuthentication no
Make sure a public key has been shared with the host before changing.