SSH Flashcards

1
Q

Configure key-based authentication

A

Configure key-based authentication

1. On server1, create a user user01 with password user01:
  #useradd user01
  #passwd user01
2. On server2, create the same user with password user01:
  #useradd user01
  #passwd user01
3. On server1, connect as this new user:
  #su - user01
4. Generate a private/public key pair for key-based authentication (here an RSA key with 2048 bits and no passphrase):
  $ ssh-keygen -b 2048 -t rsa
5. Send the public key to the server2 machine:
  $ ssh-copy-id -i .ssh/id_rsa.pub user01@server2.example.com
  The authenticity of host ‘server2.example.com (192.168.1.20)’ can’t be established.
  RSA key fingerprint is 82:62:75:f9:80:06:58:91:ec:71:12:c1:4c:ce:d9:9b.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added ‘server2.example.com,192.168.1.20’ (RSA) to the list of known hosts.
  user01@server2.example.com’s password:
  Now try logging into the machine, with “ssh ‘user01@server2.example.com’”, and check in:
  .ssh/authorized_keys
  to make sure we haven’t added extra keys that you weren’t expecting.
6. On server2, edit the /etc/ssh/sshd_config file and set the following options:
  PasswordAuthentication no
  PubkeyAuthentication yes
7. Restart the sshd service:
  #service sshd restart
8. On server1 as user01, connect to server2:
  $ ssh server2.example.com
2
Q

Configure additional options described in documentation

A
1. Install the SSH service if it's not already installed:
#yum install -y openssh-server
2. Activate the SSH service at boot:
#chkconfig sshd on
3. Configure SELinux to support the service:
#getsebool -a | grep ssh
4. Start the SSH service:
#service sshd start
5. Add a new rule to the firewall:
#iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
6. Save the firewall configuration:
#service iptables save
3
Q

/etc/ssh/sshd_config content

A

Port 22 # defines listening port for ssh
AddressFamily any # accepts IPv4 and IPv6 addresses
ListenAddress 0.0.0.0 # allows ssh to listen on all network interfaces
ListenAddress :: # listens on IPv6 addresses too
Protocol 2 # defines version of ssh (version 1 is not used anymore)
SyslogFacility AUTHPRIV # stores logging attempts in /var/log/secure (see rsyslog.conf file)
LoginGraceTime 2m # sets the time to connect
PermitRootLogin yes # allows direct login as root: outside lab, this option should be set to ‘no’
StrictModes yes # allows connection only if the user’s home directory is not world-writable
MaxAuthTries 6 # defines the number of authentication attempts allowed
MaxSessions 10 # defines the limit of simultaneous open connections
PubkeyAuthentication yes # enables public key authentication
AuthorizedKeysFile .ssh/authorized_keys # defines the location of the authorized-keys file
HostbasedAuthentication no # forbids the use of /etc/hosts.equiv
IgnoreUserKnownHosts no # reads the .ssh/known_hosts at each connection
IgnoreRhosts yes # doesn’t read user’s ~/.rhosts file
PasswordAuthentication yes # sets password-based authentication
PermitEmptyPasswords no # doesn’t allow empty passwords (hopefully!)
ChallengeResponseAuthentication no # forbids challenge-response authentication (for example one-time passwords)
UsePAM yes # enables the Pluggable Authentication Module interface
AllowAgentForwarding yes # allows ssh-agent forwarding, so the client’s private keys can be used from the remote host without being copied there
AllowTCPForwarding yes # allows TCP communications to be forwarded
GatewayPorts no # prevents remote hosts from connecting to ports forwarded for the client
X11Forwarding yes # enables X11 forwarding
X11DisplayOffset 10 # limits the number of GUI displays open at the same time
X11UseLocalhost yes # defines how the GUI display is bound to the SSH server
PrintMotd yes # displays the message of the day
PrintLastLog yes # displays the date of the last login
TCPKeepAlive yes # allows the system to send TCP keepalive messages
UseLogin no # specifies whether login(1) is used for interactive login sessions
UsePrivilegeSeparation yes # separates incoming network traffic processing from the rest
PermitUserEnvironment no # doesn’t deal with environment options
Compression delayed # specifies that compression is delayed until user authentication
ClientAliveInterval 0 # doesn’t send any keepalive message before client disconnection
ClientAliveCountMax 3 # defines the number of unanswered messages before client disconnection (only applies if ClientAliveInterval is different from 0)
UseDNS yes # checks remote hostnames against DNS
PidFile /var/run/sshd.pid # defines the file where the SSH process ID is stored
MaxStartups 10 # defines the number of terminals simultaneously allowed
PermitTunnel no # doesn’t support device forwarding
ChrootDirectory none # disables the use of chroot
Subsystem sftp /usr/libexec/openssh/sftp-server # supports the use of SSH encryption for SFTP file transfers
