Chapter 1. SSH Security
1.1. Setting the Root Password on the Appliance
The Red Hat CloudForms Appliance is a virtual machine image that runs on a Red Hat Enterprise Linux-based operating system. This means users can access the base operating system through SSH. This is why it is advisable to change the default password. Continuing to use the default password leaves the Appliance vulnerable to any user attempting to gain root access.
Changing the root password on the appliance uses the same process as changing any user password on a Linux-based system.
- Access your appliance through SSH as the root user:
    [user@localhost ~]$ ssh root@10.1.1.205
  Substitute 10.1.1.205 with the address of your appliance.
- Enter the passwd command, which changes the password for the current user:
    [root@ ~]# passwd
- Enter and confirm a new password for the root user.
    Changing password for user root.
    New password: ************
    Confirm password: ************
- Log out of the appliance.
The Red Hat CloudForms Appliance now has a non-default root password. This prevents unauthorized access to your appliance through SSH.
1.2. Setting SSH Keys on the Appliance
Another recommended practice is to use SSH keys to access the appliance from a single machine. An SSH key provides access from one machine to another through the SSH protocol. The following procedure shows how to create an SSH key on your local machine and add it to the appliance.
- Check the .ssh/ directory in your home directory for any existing key pairs:
    [user@localhost ~]$ ls ~/.ssh/
  A key pair usually consists of two files. One file is the private key, which stays on your local machine, and the other is the public key, which you copy to another machine. Both files are named the same except the public key ends with a .pub extension.
  If a key pair already exists, you can use this key pair. Otherwise, use the next few steps to create your own.
- On your local machine, start the key pair generation process using the ssh-keygen command:
    [user@localhost ~]$ ssh-keygen -t rsa
  A prompt asks for the file and location to store these keys:
    Enter file in which to save the key (/home/user/.ssh/id_rsa):
  Accept the default path if you do not have an id_rsa key pair.
  Another prompt asks for a passphrase:
    Enter passphrase (empty for no passphrase):
  This encrypts the key pair with a password. This protects the key pair if it ever falls into the wrong hands. Alternatively, you can leave the passphrase empty, which provides an automatic login between your local machine and the remote machine.
  The ssh-keygen command generates two files:
  - The private key - the default is /home/user/.ssh/id_rsa
  - The public key - the default is /home/user/.ssh/id_rsa.pub
- Copy the public key to the appliance using the ssh-copy-id command:
    [user@localhost ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@10.1.1.205
  The command copies the public key to the appliance. You might receive a prompt for the password of the root user on the appliance.
- Test the SSH key authentication:
    [user@localhost ~]$ ssh root@10.1.1.205
  This authenticates using the SSH key pair. If you entered a passphrase for the key, the command prompts you for the passphrase.
- As an additional security measure, edit the /etc/ssh/sshd_config file on the appliance and modify the following parameter:
    PermitRootLogin without-password
  This forces the root user account to use SSH keys instead of passwords for SSH login. This means only your local system can access the appliance.
The appliance now restricts access to only a single machine using the SSH key.
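The check below is an added example, not part of the Red Hat documentation: it reads an sshd_config file and reports whether the global PermitRootLogin setting restricts root to key-based login. The helper names and the sample configuration are constructed for illustration; the script assumes sshd's rule that the first value read for a keyword is the one used, and it does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example: classify the global PermitRootLogin setting of an sshd_config file.
# root_login_policy and classify_root_login are hypothetical helper names.

# Print the first active PermitRootLogin value in the global section, or "unset".
root_login_policy() {
    awk '
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }       # accept the "Keyword=value" form
        tolower($1) == "match" { exit }     # global section ends at the first Match block
        tolower($1) == "permitrootlogin" {  # keywords are case-insensitive
            print $2; found = 1; exit       # later duplicates are ignored by sshd
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map the raw value to what it means for root logins over SSH.
classify_root_login() {
    case "$(root_login_policy "$1")" in
        without-password|prohibit-password) echo "key-only" ;;
        no)                                 echo "root-ssh-disabled" ;;
        forced-commands-only)               echo "forced-commands-only" ;;
        yes)                                echo "password-allowed" ;;
        unset)                              echo "unset-default-applies" ;;
        *)                                  echo "unrecognized" ;;
    esac
}

# Constructed sample configuration, not taken from a real appliance.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin without-password
PermitRootLogin yes
PasswordAuthentication yes
EOF

echo "sample config: $(classify_root_login "$sample")"
rm -f "$sample"
```

On the appliance, pass /etc/ssh/sshd_config as the argument; a result of unset-default-applies means the behaviour depends on the installed OpenSSH version's default.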
