Configure and Secure SSH

Dennis Kibbe

Mesa Community College

This slide presentation was created by B6Plus. The audio accompanying this presentation is AI-generated.

Module Outline

Learning Objectives

After completing the work in this module you will be able to:

Access the Remote Command Line with SSH

Secure SHell (SSH) creates a secure connection over an insecure network using public key cryptography. In this section you will learn how to log into a remote system and run commands on it.

Open Remote Connection

[student@workstation ~]$ ssh student@servera
student@servera's password:
...output omitted...
[student@servera ~]$

Since student has the same user name on servera, the command can be shortened to ssh servera.

Close Remote Connection

[student@servera ~]$ exit
Connection to servera closed.
[student@workstation ~]$

Typing the exit command closes the connection and returns the user to the host where the connection was initiated.

Connect as a Different User

[student@workstation ~]$ ssh developer1@servera
developer1@servera's password:
...output omitted...
[developer1@servera ~]$

Run a Command Remotely

[student@workstation ~]$ ssh servera uptime
20:06:13 up 2 min, 0 users, load average: 0.18, 0.06, 0.02
[student@workstation ~]$

You can run a command without logging into the remote host by including the command after the host.

Identify Remote Logins

[developer1@servera ~]$ w
16:13:38 up 36 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
developer2 pts/0 172.25.250.10 16:13 -bash
developer1 pts/1 172.25.250.10 16:24 -w
[developer1@servera ~]$

Here the w command shows that there are two remote logins.

SSH Host Keys

The private key must not be shared.

To establish an SSH connection, the remote server sends a copy of its host public key to the client before the user logs in. Public keys end in a .pub extension. The private key must not be shared.

SSH Known Hosts Key Management

[student@workstation ~]$ ls ~/.ssh/
config  known_hosts lab_rsa lab_rsa.pub
[student@workstation ~]$

Since student has previously logged into servera, a copy of servera's public key will be in the known_hosts file in the ~/.ssh/ directory.

Strict Host Key Checking

If the StrictHostKeyChecking parameter is set to yes, the ssh command always aborts the connection when the host key the server presents does not match the key recorded for that host in known_hosts (or when the host is not recorded at all). Otherwise ssh asks the user how to proceed.
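To make the host key decision concrete, here is a small added example (not part of the original slides) that emulates what ssh decides from a known_hosts file: the file, host names and key strings are constructed placeholders, not real host keys, and hashed (|1|...) entries are not handled.

```sh
#!/bin/sh
# Added example: emulate the known_hosts check behind StrictHostKeyChecking=yes.
# Constructed sample file; the key material is a placeholder, not a real key.
KNOWN_HOSTS="${TMPDIR:-/tmp}/known_hosts.example"
cat > "$KNOWN_HOSTS" <<'EOF'
servera,172.25.250.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERSERVERA
serverb ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERSERVERB
EOF

# recorded_key FILE HOST KEYTYPE -> key recorded for HOST (empty if none).
# A known_hosts line is: host[,host...] keytype base64key [comment]
recorded_key() {
    awk -v host="$2" -v type="$3" '
        $1 !~ /^#/ && $2 == type {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == host) { print $3; exit }
        }' "$1"
}

# host_key_decision FILE HOST KEYTYPE PRESENTED_KEY prints one of:
#   match    - recorded key equals the presented key, connection proceeds
#   mismatch - keys differ: StrictHostKeyChecking=yes aborts (possible
#              man-in-the-middle or a reinstalled host)
#   unknown  - host not recorded: yes aborts, ask prompts, no adds silently
host_key_decision() {
    rec=$(recorded_key "$1" "$2" "$3")
    if [ -z "$rec" ]; then
        echo unknown
    elif [ "$rec" = "$4" ]; then
        echo match
    else
        echo mismatch
    fi
}
```

On a real client the same lookup is done with ssh-keygen -F hostname, and a stale entry for a legitimately reinstalled host is removed with ssh-keygen -R hostname before reconnecting.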

Guided Exercise

Access the Remote Command Line

Log into a remote system as different users and execute commands.

Configure SSH Key-based Authentication

Configure a user account to use key-based authentication to log in to remote systems securely without a password.

SSH Key Generation

Using keys to log into a remote host can be more secure than typing in a password. The ssh-keygen command generates a mathematically related key pair: a secret private key and a sharable public key with a .pub extension. The command suggests a default name, but you can use a custom name if you want. Optionally, you can protect the private key with a passphrase for added security.

Listing the SSH Keys

[student@workstation ~]$ ls ~/.ssh/
config  id_rsa  id_rsa.pub  known_hosts lab_rsa lab_rsa.pub
[student@workstation ~]$

The newly generated key pair is placed in the hidden ~/.ssh/ directory in student's home directory.

Share the Public Key

Once the key pair is generated, the public key is uploaded to the remote host using ssh-copy-id. The same public key can be uploaded to multiple hosts, or a new key pair with a different name can be generated for each host.

Key Manager

If needed, start the agent.

[student@workstation ~]$ eval $(ssh-agent)
Agent pid 10155

The ssh-agent is started in the background.

Key Manager

Then add the key.

[student@workstation ~]$ ssh-add
Identity added: /home/student/.ssh/id_rsa

The ssh-agent command will cache keys for about 5 minutes.
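The key pair only stays private if the files holding it do: ssh refuses to use a private key that other users can read (its "UNPROTECTED PRIVATE KEY FILE" warning). The following added check script is not from the original slides; it builds a constructed ~/.ssh-style directory under TMPDIR and reports any key pair whose private half is exposed.

```sh
#!/bin/sh
# Added example: verify that private keys in an ~/.ssh-style directory are
# owner-only, as ssh requires. Point check_ssh_dir at ~/.ssh on a real system.

# mode_of PATH -> symbolic mode such as drwx------ (portable, no stat flags)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_private_key FILE -> "ok" if only the owner can read or write the key
check_private_key() {
    case "$(mode_of "$1")" in
        -rw-------|-r--------) echo ok ;;
        *) echo "exposed: $1 is $(mode_of "$1")" ;;
    esac
}

# check_ssh_dir DIR -> "ok" if DIR is owner-only and every private key that has
# a matching .pub file passes check_private_key; otherwise the first finding
check_ssh_dir() {
    dir=$1
    [ "$(mode_of "$dir")" = "drwx------" ] || { echo "exposed: $dir is $(mode_of "$dir")"; return 1; }
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        priv=${pub%.pub}
        [ -f "$priv" ] || continue
        r=$(check_private_key "$priv")
        [ "$r" = ok ] || { echo "$r"; return 1; }
    done
    echo ok
}

# Constructed sample layout mirroring the slide's listing: id_rsa is fine,
# lab_rsa was accidentally left world-readable. Files are empty stand-ins.
SSH_DIR="${TMPDIR:-/tmp}/dotssh.example"
rm -rf "$SSH_DIR"; mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR"
for k in id_rsa lab_rsa; do : > "$SSH_DIR/$k"; : > "$SSH_DIR/$k.pub"; done
chmod 600 "$SSH_DIR/id_rsa"; chmod 644 "$SSH_DIR/lab_rsa"
```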

Basic SSH Connection Troubleshooting

[user@host ~]$ ssh -v user@remotehost
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
debug1: Reading config. data ssh_config
debug1: Reading config. data ssh_config.d/01-train.conf

Use the -v option to show the connection process in detail.

SSH Client Configuration

[dennisk@sahuaro ~]$ cat ~/.ssh/config
host sdf
  HostName                sdf.org
  User                    dennisk
  IdentityFile            ~/.ssh/id_rsa_sdf

host ec2
  HostName                54.232.200.77
  User                    ec2-user
  IdentityFile            ~/.ssh/id_rsa_ec2

An SSH config file containing the information needed to log into remote hosts greatly simplifies the process. In this example two hosts are listed, sdf and ec2, along with the information needed to complete each connection.

Quick Login from config File

[dennisk@sahuaro ~]$ ssh ec2

Login can now be done with only the host alias from the ~/.ssh/config file.

Guided Exercise

Configure SSH Key-based Authentication

In this exercise, you configure a user to use key-based authentication for SSH. When asked to enter a passphrase, just press the Enter key twice. No passphrase will be used in this lab unless asked for.

Customize OpenSSH Service Configuration

/etc/ssh/sshd_config

The /etc/ssh/sshd_config file can be customized by uncommenting and changing default values.

Configure the OpenSSH Server

Prohibit Root Login

You can configure the service by editing the /etc/ssh/sshd_config file. Disable direct logins as root by uncommenting PermitRootLogin and changing prohibit-password to no.

Configure the OpenSSH Server

Prohibit Password-based Authentication

Disable password logins by uncommenting PasswordAuthentication and changing yes to no.

Prohibit Remote root Login

A best practice is to disable remote root logins in /etc/ssh/sshd_config.

Reload the SSH Daemon

[student@servera ~]$ sudo systemctl restart sshd.service

After changing /etc/ssh/sshd_config the service must be either restarted or reloaded.
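The two edits above can be applied and verified by script instead of by hand. This added example is not from the original slides: it works on a constructed copy of the shipped defaults under TMPDIR; on a real server you would point it at /etc/ssh/sshd_config, run sshd -t to syntax-check the result, and then restart sshd as shown above. Match blocks are not handled.

```sh
#!/bin/sh
# Added example: apply the slide's two hardening settings and read back the
# values sshd would use. Constructed, abbreviated copy of the default file.
SSHD_CONFIG="${TMPDIR:-/tmp}/sshd_config.example"
cat > "$SSHD_CONFIG" <<'EOF'
# Sample of the shipped defaults (constructed for this example)
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
#PubkeyAuthentication yes
EOF

# set_option FILE KEYWORD VALUE
# Rewrites every "#Keyword ..." or "Keyword ..." line as "Keyword VALUE",
# so a commented default is uncommented in place; appends if absent.
set_option() {
    file=$1 key=$2 val=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $val|" "$file"
        rm -f "$file.bak"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# effective_value FILE KEYWORD -> value from the first active (uncommented)
# line, which is the one sshd honours; empty if the keyword is still commented
effective_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# The two changes from the slides: no direct root login, no password logins.
harden_sshd_config() {
    set_option "$1" PermitRootLogin no
    set_option "$1" PasswordAuthentication no
}

harden_sshd_config "$SSHD_CONFIG"
```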

Guided Exercise

Customize OpenSSH Service Configuration

In this exercise, you disable direct logins as root and disable password-based authentication for the OpenSSH service on one of your servers.

Summary

  1. OpenSSH is a suite of tools used to connect to remote hosts.
  2. Remote host identities are stored in /etc/ssh/known_hosts and ~/.ssh/known_hosts.
  3. SSH can use password authentication or keys for added security and convenience.
  4. The private key must not be shared.
  5. Disabling root logins and password authentication are best practices.

Resources

Graded Lab

Configure and Secure SSH

In this lab, you set up key-based authentication for users, and disable direct login as root and password authentication for all users for the OpenSSH service on one of your servers.

Thanks for Watching

Thanks for watching. This is the end of the presentation.

Created on 17 February 2025 by Dennis Kibbe. Last modified on 9 June 2025 09:21:00 by DNK.