Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

12.2. Configuring OpenSSH

12.2.1. Configuration Files

There are two different sets of configuration files: those for client programs (that is, ssh, scp, and sftp), and those for the server (the sshd daemon).
System-wide SSH configuration information is stored in the /etc/ssh/ directory as described in Table 12.1, “System-wide configuration files”. User-specific SSH configuration information is stored in ~/.ssh/ within the user's home directory as described in Table 12.2, “User-specific configuration files”.

Table 12.1. System-wide configuration files

FileDescription
/etc/ssh/moduli Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication.
/etc/ssh/ssh_config The default SSH client configuration file. Note that it is overridden by ~/.ssh/config if it exists.
/etc/ssh/sshd_config The configuration file for the sshd daemon.
/etc/ssh/ssh_host_ecdsa_key The ECDSA private key used by the sshd daemon.
/etc/ssh/ssh_host_ecdsa_key.pub The ECDSA public key used by the sshd daemon.
/etc/ssh/ssh_host_rsa_key The RSA private key used by the sshd daemon for version 2 of the SSH protocol.
/etc/ssh/ssh_host_rsa_key.pub The RSA public key used by the sshd daemon for version 2 of the SSH protocol.
/etc/pam.d/sshd The PAM configuration file for the sshd daemon.
/etc/sysconfig/sshd Configuration file for the sshd service.

Table 12.2. User-specific configuration files

FileDescription
~/.ssh/authorized_keys Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.
~/.ssh/id_ecdsa Contains the ECDSA private key of the user.
~/.ssh/id_ecdsa.pub The ECDSA public key of the user.
~/.ssh/id_rsa The RSA private key used by ssh for version 2 of the SSH protocol.
~/.ssh/id_rsa.pub The RSA public key used by ssh for version 2 of the SSH protocol.
~/.ssh/known_hosts Contains host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting to the correct SSH server.

Warning

If setting up an SSH server, do not turn off the Privilege Separation feature by using the UsePrivilegeSeparation no directive in the /etc/ssh/sshd_config file. Turning off Privilege Separation disables many security features and exposes the server to potential security vulnerabilities and targeted attacks. For more information about UsePrivilegeSeparation, see the sshd_config(5) manual page or the What is the significance of UsePrivilegeSeparation directive in /etc/ssh/sshd_config file and how to test it ? Red Hat Knowledgebase article.
For information concerning various directives that can be used in the SSH configuration files, see the ssh_config(5) and sshd_config(5) manual pages.

12.2.2. Starting an OpenSSH Server

In order to run an OpenSSH server, you must have the openssh-server package installed. For more information on how to install new packages, see Section 9.2.4, “Installing Packages”.
To start the sshd daemon in the current session, type the following at a shell prompt as root: 
~]# systemctl start sshd.service
To stop the running sshd daemon in the current session, use the following command as root: 
~]# systemctl stop sshd.service
If you want the daemon to start automatically at boot time, type as root: 
~]# systemctl enable sshd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sshd.service to /usr/lib/systemd/system/sshd.service.
The sshd daemon depends on the network.target target unit, which is sufficient for static configured network interfaces and for default ListenAddress 0.0.0.0 options. To specify different addresses in the ListenAddress directive and to use a slower dynamic network configuration, add dependency on the network-online.target target unit to the sshd.service unit file. To achieve this, create the /etc/systemd/system/sshd.service.d/local.conf file with the following options: 
  [Unit]
  Wants=network-online.target
  After=network-online.target
After this, reload the systemd manager configuration using the following command: 
~]# systemctl daemon-reload
For more information on how to manage system services in Red Hat Enterprise Linux, see Chapter 10, Managing Services with systemd.
Note that if you reinstall the system, a new set of identification keys will be created. As a result, clients who had connected to the system with any of the OpenSSH tools before the reinstall will see the following message: 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
To prevent this, you can backup the relevant files from the /etc/ssh/ directory. See Table 12.1, “System-wide configuration files” for a complete list, and restore the files whenever you reinstall the system.

12.2.3. Requiring SSH for Remote Connections

For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd.
For information on how to configure the vsftpd service, see Section 16.2, “FTP”. To learn how to manage system services in Red Hat Enterprise Linux 7, read Chapter 10, Managing Services with systemd.

12.2.4. Using Key-based Authentication

To improve the system security even further, generate SSH key pairs and then enforce key-based authentication by disabling password authentication. To do so, open the /etc/ssh/sshd_config configuration file in a text editor such as vi or nano, and change the PasswordAuthentication option as follows: 
PasswordAuthentication no
If you are working on a system other than a new default installation, check that PubkeyAuthentication no has not been set. If connected remotely, not using console or out-of-band access, testing the key-based log in process before disabling password authentication is advised.
To be able to use ssh, scp, or sftp to connect to the server from a client machine, generate an authorization key pair by following the steps below. Note that keys must be generated for each user separately.
To use key-based authentication with NFS-mounted home directories, enable the use_nfs_home_dirs SELinux boolean first: 
~]# setsebool -P use_nfs_home_dirs 1
Red Hat Enterprise Linux 7 uses SSH Protocol 2 and RSA keys by default (see Section 12.1.3, “Protocol Versions” for more information).

Important

If you complete the steps as root, only root will be able to use the keys.

Note

If you reinstall your system and want to keep previously generated key pairs, backup the ~/.ssh/ directory. After reinstalling, copy it back to your home directory. This process can be done for all users on your system, including root.

12.2.4.1. Generating Key Pairs

To generate an RSA key pair for version 2 of the SSH protocol, follow these steps:
  1. Generate an RSA key pair by typing the following at a shell prompt: 
    ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/USER/.ssh/id_rsa):
  2. Press Enter to confirm the default location, ~/.ssh/id_rsa, for the newly created key.
  3. Enter a passphrase, and confirm it by entering it again when prompted to do so. For security reasons, avoid using the same password as you use to log in to your account.
    After this, you will be presented with a message similar to this: 
    Your identification has been saved in /home/USER/.ssh/id_rsa.
Your public key has been saved in /home/USER/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UNIgIT4wfhdQH/K7yqmjsbZnnyGDKiDviv492U5z78Y USER@penguin.example.com
The key's randomart image is:
+---[RSA 2048]----+
|o ..==o+.        |
|.+ . .=oo        |
| .o. ..o         |
|  ...  ..        |
|       .S        |
|o .     .        |
|o+ o .o+ ..      |
|+.++=o*.o .E     |
|BBBo+Bo.  oo     |
+----[SHA256]-----+

    Note

    To get an MD5 key fingerprint, which was the default fingerprint in previous versions, use the ssh-keygen command with the -E md5 option.
  4. By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only the USER can view the contents. If required, this can be confirmed with the following command: 
    ~]$ ls -ld ~/.ssh
drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  5. To copy the public key to a remote machine, issue a command in the following format: 
     ssh-copy-id user@hostname
    This will copy the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key's file name as follows: 
    ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname
    This will copy the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys file on the machine to which you want to connect. If the file already exists, the keys are appended to its end.
To generate an ECDSA key pair for version 2 of the SSH protocol, follow these steps:
  1. Generate an ECDSA key pair by typing the following at a shell prompt: 
    ~]$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):
  2. Press Enter to confirm the default location, ~/.ssh/id_ecdsa, for the newly created key.
  3. Enter a passphrase, and confirm it by entering it again when prompted to do so. For security reasons, avoid using the same password as you use to log in to your account.
    After this, you will be presented with a message similar to this: 
    Your identification has been saved in /home/USER/.ssh/id_ecdsa.
Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:8BhZageKrLXM99z5f/AM9aPo/KAUd8ZZFPcPFWqK6+M USER@penguin.example.com
The key's randomart image is:
+---[ECDSA 256]---+
|      . .      +=|
| . . . =      o.o|
|  + . * .    o...|
| = . . *  . + +..|
|. + . . So o * ..|
|   . o . .+ =  ..|
|      o oo ..=. .|
|        ooo...+  |
|        .E++oo   |
+----[SHA256]-----+
  4. By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only the USER can view the contents. If required, this can be confirmed with the following command: 
    ~]$ ls -ld ~/.ssh
              ~]$ ls -ld ~/.ssh/
drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  5. To copy the public key to a remote machine, issue a command in the following format: 
    ssh-copy-id USER@hostname
    This will copy the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key's file name as follows: 
    ssh-copy-id -i ~/.ssh/id_ecdsa.pub USER@hostname
    This will copy the content of ~/.ssh/id_ecdsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect. If the file already exists, the keys are appended to its end.
See Section 12.2.4.2, “Configuring ssh-agent” for information on how to set up your system to remember the passphrase.

Important

The private key is for your personal use only, and it is important that you never give it to anyone.

12.2.4.2. Configuring ssh-agent

To store your passphrase so that you do not have to enter it each time you initiate a connection with a remote machine, you can use the ssh-agent authentication agent. If you are running GNOME, you can configure it to prompt you for your passphrase whenever you log in and remember it during the whole session. Otherwise you can store the passphrase for a certain shell prompt.
To save your passphrase during your GNOME session, follow these steps:
  1. Make sure you have the openssh-askpass package installed. If not, see Section 9.2.4, “Installing Packages” for more information on how to install new packages in Red Hat Enterprise Linux.
  2. Press the Super key to enter the Activities Overview, type Startup Applications and then press Enter. The Startup Applications Preferences tool appears. The tab containing a list of available startup programs will be shown by default. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Space bar.
    Startup Applications Preferences

    Figure 12.1. Startup Applications Preferences

  3. Click the Add button on the right, and enter /usr/bin/ssh-add in the Command field.
    Adding new application

    Figure 12.2. Adding new application

  4. Click Add and make sure the checkbox next to the newly added item is selected.
    Enabling the application

    Figure 12.3. Enabling the application

  5. Log out and then log back in. A dialog box will appear prompting you for your passphrase. From this point on, you should not be prompted for a password by ssh, scp, or sftp.
    Entering a passphrase

    Figure 12.4. Entering a passphrase

To save your passphrase for a certain shell prompt, use the following command: 
~]$ ssh-add
Enter passphrase for /home/USER/.ssh/id_rsa:
Note that when you log out, your passphrase will be forgotten. You must execute the command each time you log in to a virtual console or a terminal window.