We are going to configure a key-based SSH authentication, and allow sshd to bind to a non-default SSH port.
The Lab
We have a couple of RHEL 7.0 servers, srv1 and srv2. SELinux is set to enforcing mode.
Configure Key-based SSH Authentication
On the server srv1, create a new user sandy:
# useradd -m -s /bin/bash sandy
# passwd sandy
# su - sandy
As the user sandy, create a new SSH key and copy it to the server srv2:
$ ssh-keygen -b 2048 -t rsa
$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
Public key authentication should be enabled by default, so we can test the login:
$ ssh [email protected]
Configure Alternative SSH Ports
We are going to add TCP port 2200 to the SSH server.
On the server srv2, open the file /etc/ssh/sshd_config for editing, and add the following lines:
Port 22
Port 2200
Configure the firewall to allow access on TCP port 2200:
# firewall-cmd --permanent --add-port=2200/tcp
# firewall-cmd --reload
Configure SELinux to allow sshd to listen on TCP port 2200:
# semanage port -a -t ssh_port_t 2200 -p tcp
Restart the sshd service:
# systemctl restart sshd
Test from the server srv1:
$ ssh [email protected] -p2200
Tweak SSH Server Configuration
We want to allow user sandy to log in, but deny user dev1 and group devops:
AllowUsers sandy
DenyUsers dev1
DenyGroups devops
Note that the allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups and finally AllowGroups. A match in a Deny list always wins, and once an Allow list is set, anyone not on it is refused.
Tell the SSH server not to look up the remote hostname. This may result in a significant performance boost if client connections are slow.
UseDNS no
Set the maximum number of sessions that can be opened from one IP address simultaneously to 3:
MaxSessions 3
Send a packet to the client if no activity has been detected for 300 seconds, and do so at most 4 times:
ClientAliveInterval 300
ClientAliveCountMax 4
Unresponsive clients will be disconnected after approximately 20 minutes (300 seconds x 4). These options apply to protocol version 2 only.
Kerberos based authentication should be disabled:
GSSAPIAuthentication no
Close the TCP socket after 3 failed authentication attempts:
MaxAuthTries 3
Permit root login with key-based authentication only (no password):
PermitRootLogin without-password
Ensure that password and key-based authentication are both enabled, and that empty passwords are not allowed:
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
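To see how sshd evaluates the directives above, here is an added example (not part of the original article) that parses a constructed sshd_config fragment, applies the DenyUsers/AllowUsers/DenyGroups/AllowGroups order to a few users, computes the idle timeout from the ClientAlive settings, and flags values that would undo the hardening. It assumes exact user and group names only; sshd's wildcard and user@host patterns are not modelled.

```python
"""Added example (not from the article): evaluate the sshd_config directives
discussed above against a constructed fragment. Exact-name matching only;
sshd also accepts wildcards and user@host patterns, which are not modelled."""
import shlex

SAMPLE_CONFIG = """\
AllowUsers sandy
DenyUsers dev1
DenyGroups devops
ClientAliveInterval 300
ClientAliveCountMax 4
PermitRootLogin without-password
PermitEmptyPasswords no
"""

def parse_sshd_config(text):
    """Map lower-cased keyword -> list of values in file order. sshd takes the
    first value for scalar keywords; Allow/Deny lists and Port accumulate."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *values = shlex.split(line)
            cfg.setdefault(key.lower(), []).extend(values)
    return cfg

def login_permitted(cfg, user, groups):
    """sshd order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. A Deny match
    always wins; a non-empty Allow list refuses everyone not on it."""
    groups = set(groups)
    if user in cfg.get("denyusers", []):
        return False
    allow_users = cfg.get("allowusers", [])
    if allow_users and user not in allow_users:
        return False
    if groups & set(cfg.get("denygroups", [])):
        return False
    allow_groups = cfg.get("allowgroups", [])
    return not allow_groups or bool(groups & set(allow_groups))

def idle_timeout_seconds(cfg):
    """ClientAliveInterval * ClientAliveCountMax: after this much silence the
    unresponsive client is dropped (300 * 4 = 1200 s, about 20 minutes)."""
    interval = int(cfg.get("clientaliveinterval", ["0"])[0])
    count = int(cfg.get("clientalivecountmax", ["3"])[0])
    return interval * count

def weak_settings(cfg):
    """Explicit directive values that undo the hardening described above."""
    bad = {"permitrootlogin": "yes", "permitemptypasswords": "yes"}
    return [k for k, v in bad.items() if cfg.get(k, [""])[0] == v]
```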
Restart the service:
# systemctl restart sshd
Check the man page of sshd_config for more info.
I’m practicing using your sample exam for RHCE7. Your instructions are easy to follow. Thanks.
Under SSH configuration – “Client ipa.rhce.local must not have access to SSH at all” –
To accomplish this, we just add an entry in /etc/hosts.deny “sshd: ipa.rhce.local ” or “sshd: ? Please advise.
I don’t use TCP Wrappers I’m afraid as I prefer firewall rules – one place to manage access.
sshd: ipa.rhce.local to hosts.deny works well.
With HTTP service it does not and I use firewalld rich-rule
Yeah, same here, TCP Wrapper didn’t work with HTTP on RHEL 7.
Is SSH port forwarding configuration an exam objective?
Port forwarding is an exam objective.
I mean port forwarding by means of SSH – SSH tunneling
I think it is.
I am using centos 7.0 .
I am facing this issue with sshd. sshd stops working out of nothing. It works with the default config.
# systemctl status sshd
sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since Wed 2017-11-01 09:25:43 EDT; 25min ago
Process: 1991 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
Main PID: 2196 (sshd)
CGroup: /system.slice/sshd.service
└─2196 /usr/sbin/sshd -D
Nov 01 09:25:43 ipa.example.local systemd[1]: Started OpenSSH server daemon.
Nov 01 09:25:47 ipa.example.local sshd[2196]: key_parse_private_pem: RSA_blinding_on failed
Nov 01 09:25:48 ipa.example.local sshd[2196]: Could not load host key: /etc/ssh/ssh_host_rsa_key
Nov 01 09:25:51 ipa.example.local sshd[2196]: Server listening on 0.0.0.0 port 22.
Nov 01 09:25:51 ipa.example.local sshd[2196]: Server listening on :: port 22.
Nov 01 09:51:07 ipa.example.local sshd[6371]: error: key_parse_private_pem: RSA_blinding_on failed
Nov 01 09:51:07 ipa.example.local sshd[6371]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
I am using cloned copies in vmware.
You need to fix the following:
Thanks Tomas,
I have searched over the net for the solution and then I have posted here.
None of the solutions did work for me.
1) removed ssh and installed it again
2) removed keys . and tried to generate again
3) it gives SELinux errors, but it does not work here.
SELinux error:
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sshd-keygen /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Please direct me to correct solution.
You have to fix SELinux issues then. Generate a local policy module and see if this resolves the problem.
Hi,
How can I allow ssh access for IPA users? When I try to connect ssh alice@ I get permission denied. User alice is IPA user. But if I use local user I have access.
Try setting
GSSAPIAuthentication yes
, this will allow users to log in with Kerberos credentials.
Hi,
I am trying to setting up ssh session time out on rhel8.7.
ClientAliveInterval 15
ClientAliveCountMax 3
This does not seem to work.
Can you verify if these settings work the same in rhel8.6 and rhel8.7 onwards?
Hi, they should do.