3.2.2. Secure Shell
Secure Shell (SSH) is a powerful network protocol used to communicate with another system over a secure channel. The transmissions over SSH are encrypted and protected from interception. Cryptographic login can also be utilized to provide a stronger authentication method than traditional user names and passwords. See Section 3.2.2.1, “Cryptographic Login”.
SSH is very easy to activate. By starting the sshd daemon, the system begins to accept connections and will allow access to the system when a correct user name and password are provided during the connection process. The standard TCP port for the SSH service is 22. However, this can be changed by modifying the /etc/ssh/sshd_config configuration file and restarting the service. This file also contains other configuration options for SSH.
By default, the sshd service starts automatically at boot time. Run the following command as root to query the status of the daemon:
~]# service sshd status
If you need to restart the sshd service, issue the following command as root:
~]# service sshd restart
Refer to the Services and Daemons chapter of the Red Hat Enterprise Linux 6 Deployment Guide for more information regarding the management of system services.
Secure Shell (SSH) also provides encrypted tunnels between computers, using only a single port. Port forwarding can be done over an SSH tunnel and traffic will be encrypted as it passes through that tunnel, but using port forwarding is not as fluid as a VPN (Section 3.2.1, “Virtual Private Networks”).
3.2.2.1. Cryptographic Login
SSH supports the use of cryptographic keys for logging in to computers. This is much more secure than using only a password. If you combine this method with other authentication methods, it can be considered multi-factor authentication. See Section 3.2.2.2, “Multiple Authentication Methods” for more information about using multiple authentication methods.
In order to enable the use of cryptographic keys for authentication, the PubkeyAuthentication configuration directive in the /etc/ssh/sshd_config file needs to be set to yes. Note that this is the default setting. Set the PasswordAuthentication directive to no to disable the possibility of using passwords for logging in.
SSH keys can be generated using the ssh-keygen command. If invoked without additional arguments, it creates a 2048-bit RSA key pair. The keys are stored, by default, in the ~/.ssh directory. You can use the -b switch to modify the bit-strength of the key. Using 2048-bit keys is normally sufficient. See the Generating Key Pairs chapter of the Red Hat Enterprise Linux 6 Deployment Guide for more detailed information about generating SSH keys.
You should see the two keys in your ~/.ssh directory. If you accepted the defaults when running the ssh-keygen command, then the generated files are named id_rsa and id_rsa.pub and contain the private and public key respectively. You should always protect the private key from exposure by making it unreadable by anyone but the file's owner. The public key, however, needs to be transferred to the system you are going to log in to. You can use the ssh-copy-id command to transfer the key to the server:
~]$ ssh-copy-id -i [user@]server
This command also automatically appends the public key to the ~/.ssh/authorized_keys file on the server. The sshd daemon checks this file when you attempt to log in to the server.
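The following script is an added example, not part of the Red Hat guide: it checks the two sshd_config directives described above (PubkeyAuthentication and PasswordAuthentication) and verifies that a private key file is readable only by its owner. It runs against constructed sample files; the function names, the sample paths and the use of GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit the sshd_config
# directives discussed above and the mode of a private key file.
# Constructed sample files are used so it runs offline; on a real host
# pass /etc/ssh/sshd_config and ~/.ssh/id_rsa instead.
# Assumes GNU stat (Linux) for the %a format.

# Print the effective value of a directive. sshd honours the first
# occurrence of a keyword, so stop at the first match; commented-out
# lines such as "#PasswordAuthentication yes" do not match.
# Match blocks, which can override values per user or host, are not handled.
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print "ok" when key login is enabled and password login is disabled,
# otherwise "weak". Both directives default to yes when absent.
audit_sshd_config() {
    pubkey=$(sshd_directive "$1" PubkeyAuthentication)
    passwd=$(sshd_directive "$1" PasswordAuthentication)
    if [ "${pubkey:-yes}" = yes ] && [ "${passwd:-yes}" = no ]; then
        echo ok
    else
        echo weak
    fi
}

# Print "ok" when the private key is readable by its owner only (0600/0400).
check_private_key_mode() {
    case "$(stat -c %a "$1")" in
        600|400) echo ok ;;
        *)       echo weak ;;
    esac
}

# Constructed sample inputs: a stock-like and a hardened configuration.
WORKDIR=$(mktemp -d)
WEAK_CONFIG="$WORKDIR/sshd_config.weak"
HARDENED_CONFIG="$WORKDIR/sshd_config.hardened"
printf 'Port 22\n#PubkeyAuthentication yes\nPasswordAuthentication yes\n' > "$WEAK_CONFIG"
printf 'Port 22\nPubkeyAuthentication yes\nPasswordAuthentication no\n' > "$HARDENED_CONFIG"
SAMPLE_KEY="$WORKDIR/id_rsa"
: > "$SAMPLE_KEY"; chmod 644 "$SAMPLE_KEY"   # deliberately too permissive

echo "weak config:     $(audit_sshd_config "$WEAK_CONFIG")"
echo "hardened config: $(audit_sshd_config "$HARDENED_CONFIG")"
echo "key mode 644:    $(check_private_key_mode "$SAMPLE_KEY")"
chmod 600 "$SAMPLE_KEY"
echo "key mode 600:    $(check_private_key_mode "$SAMPLE_KEY")"
```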
Similarly to passwords and any other authentication mechanism, you should change your SSH keys regularly. When you do, make sure you remove any unused keys from the authorized_keys file.