RHEL6–27-SSH
SSH:
SSH is a client/server protocol that lets us access a remote system over the
network. The communication is done via an encrypted tunnel. Whenever a
client accesses the server, the client downloads the secure key from the server and
simultaneously the server fetches the secure key from the client. These keys make the
secure encrypted tunnel between client and server for communication.
SSH is a TCP-based service, operating on port 22.
[root@rhel6-server ~]# cat /etc/services |grep -i ssh
ssh 22/tcp # The Secure Shell (SSH) Protocol
ssh 22/udp # The Secure Shell (SSH) Protocol
[root@rhel6-server ~]# rpm -qa |grep -i ssh
libssh2-1.4.2-1.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-askpass-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
[root@rhel6-server ~]# rpm -qa |grep -i openssh
openssh-5.3p1-84.1.el6.x86_64
openssh-askpass-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
[root@rhel6-server ~]# service sshd status
openssh-daemon (pid 2572) is running...
[root@rhel6-server ~]# ps -ef |grep -i ssh
root 2572 1 0 09:52 ? 00:00:00 /usr/sbin/sshd
root 11390 2572 0 16:33 ? 00:00:01 sshd: root@pts/3
root 13976 11396 0 19:08 pts/3 00:00:00 grep -i ssh
If it is not installed, we can install it with:
[root@rhel6-server ~]# yum install -y ssh*
To generate the RSA key for the first time:
[root@rhel6-server ~]# ssh localhost
Main config dir:
[root@rhel6-server ~]# ls -l /etc/ssh
total 156
-rw-------. 1 root root 125811 Dec 13 2012 moduli
-rw-r--r--. 1 root root 2047 Dec 13 2012 ssh_config
-rw-------. 1 root root 3872 Dec 13 2012 sshd_config
-rw-------. 1 root root 668 Apr 10 09:21 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Apr 10 09:21 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Apr 10 09:21 ssh_host_key
-rw-r--r--. 1 root root 627 Apr 10 09:21 ssh_host_key.pub
-rw-------. 1 root root 1679 Apr 10 09:21 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Apr 10 09:21 ssh_host_rsa_key.pub
sshd_config -> used to control the global behaviour of the SSH server.
[root@rhel6-server ~]# ssh 192.168.234.200
The authenticity of host '192.168.234.200 (192.168.234.200)' can't be established.
RSA key fingerprint is 38:cc:4c:7b:bb:c8:3e:c7:04:7f:fb:af:0a:92:1f:61.
Are you sure you want to continue connecting (yes/no)? yes <--
Warning: Permanently added '192.168.234.200' (RSA) to the list of known hosts.
root@192.168.234.200's password:
Last login: Sat Apr 15 17:52:08 2017 from rhel6-server
[root@rhel6-test1 ~]# exit
logout
Connection to 192.168.234.200 closed.
The RSA fingerprint of 192.168.234.200 is stored in .ssh/known_hosts on
192.168.234.146, and simultaneously the fingerprint of 192.168.234.146 is stored in
.ssh/known_hosts on 192.168.234.200.
The .ssh directory is created/located in the home directory of the user.
HOW TO CONFIGURE PASSWORD-LESS SSH LOGIN FOR ROOT?
Generate an RSA key pair on both systems if both sides require
password-less login to each other.
[root@rhel6-server ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c0:ad:87:71:99:2e:95:0d:8f:f8:9f:ad:1e:0c:a7:fa root@rhel6-server
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| . o O |
| = O o |
| X |
| + S . |
| o * o |
| . = . |
| . o |
| ..E.o |
+-----------------+
[root@rhel6-server ~]# cd .ssh
[root@rhel6-server .ssh]# ls -ltr
total 12
-rw-r--r--. 1 root root 794 Apr 15 19:13 known_hosts
-rw-r--r--. 1 root root 399 Apr 15 19:19 id_rsa.pub
-rw-------. 1 root root 1675 Apr 15 19:19 id_rsa
I have 2 systems, “rhel6-server” and “rhel6-test1”.
I want “rhel6-server” to log in to “rhel6-test1” without a
password.
For that I need to create a file named “authorized_keys” under “/root/.ssh/”
on “rhel6-test1”.
The file “authorized_keys” on “rhel6-test1” will contain the “id_rsa.pub”
of “rhel6-server”.
[root@rhel6-server .ssh]# scp /root/.ssh/id_rsa.pub 192.168.234.200:/root/.ssh/authorized_keys
root@192.168.234.200's password:
id_rsa.pub 100% 399 0.4KB/s 00:00
Restart the sshd service at both ends.
[root@rhel6-server .ssh]# service sshd restart
Stopping sshd:
[ OK ]
Starting sshd:
[ OK ]
[root@rhel6-test1 ~]# service sshd restart
Stopping sshd:
[ OK ]
Starting sshd:
[ OK ]
[root@rhel6-server ~]# ssh 192.168.234.200
Last login: Sat Apr 15 19:30:47 2017 from rhel6-server
[root@rhel6-test1 ~]# hostname
rhel6-test1
[root@rhel6-test1 ~]# id
uid=0(root) gid=0(root) groups=0(root)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel6-test1 ~]# exit
logout
Connection to 192.168.234.200 closed.
Good, this means the key info of “rhel6-server” has been given to “rhel6-test1”, which is why
“rhel6-test1” allows “rhel6-server” to log in without a password.
The reverse is not possible without a password: “rhel6-test1” cannot
do a password-less login to “rhel6-server” unless its “id_rsa.pub” is provided
to “rhel6-server”.
Well, let’s say “rhel6-test1” is a server which contains some data
required by other systems as well, and they also want a password-less login to
it. In this case we can copy the content of “id_rsa.pub” of all those servers into “authorized_keys”
of “rhel6-test1”.
Every entry must be on one line, with no extra/empty lines in
between the entries.
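The scp above replaces the whole authorized_keys file, so a second server's key would wipe the first. The helper below is an added example for this post (not part of OpenSSH or the original write-up): it appends the copied id_rsa.pub to a local authorized_keys path, refuses anything that is not a single ssh-rsa line, skips keys already present and sets the permissions sshd requires. The function name and paths are my own assumptions.

```shell
#!/bin/sh
# Add a client's id_rsa.pub to a target authorized_keys file. Unlike the
# scp above, which replaces the whole file, this appends, skips keys that
# are already present, keeps one key per line and sets the permissions
# sshd requires (StrictModes rejects group/world-writable files). It is a
# hypothetical helper written for this post, not part of OpenSSH, and it
# works on local paths: copy the .pub file over first, then run it there.
install_pubkey() {
    pub=$1    # the copied id_rsa.pub
    auth=$2   # e.g. /root/.ssh/authorized_keys
    # Accept exactly one "ssh-rsa <base64> [comment]" line; anything else
    # (a private key, two keys, an empty file) is refused.
    if [ "$(grep -c . "$pub")" -ne 1 ] || \
       ! grep -q '^ssh-rsa [A-Za-z0-9+/=]\{1,\}' "$pub"; then
        echo "refusing $pub: expected exactly one ssh-rsa line" >&2
        return 1
    fi
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth" && chmod 600 "$auth"
    # Compare on the key material (field 2) so the same key with a
    # different comment is still recognised as already installed.
    keydata=$(awk '{print $2}' "$pub")
    if awk -v k="$keydata" '$2 == k { found = 1 } END { exit !found }' "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    # If the existing file has no trailing newline (common after a manual
    # paste), add one so the new key never joins the previous entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$(cat "$pub")" >> "$auth"   # always newline-terminated
    echo "added key to $auth"
}
```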
SSH SECURITY:
[root@rhel6-test1 ~]# vi /etc/ssh/sshd_config
#PermitRootLogin yes (root login can be disabled by saying “no” here)
#PasswordAuthentication yes (must be yes)
#AuthorizedKeysFile .ssh/authorized_keys (can change the location here)
#PubkeyAuthentication yes (must be yes)
X11Forwarding yes (provides remote access to GUI tools)
#X11DisplayOffset 10 (max no. of allowed GUI sessions)
HOST BASED SSH SECURITY:
With the help of “TCP-WRAPPERS”:
[root@rhel6-test1 ~]# vi /etc/hosts.deny
sshd: 192.168.234.146 <-- I want to block all requests from this host
[root@rhel6-test1 ~]# service sshd restart
Stopping sshd:
[ OK ]
Starting sshd:
[ OK ]
Now try from 192.168.234.146 (rhel6-server)
[root@rhel6-server ~]# ssh 192.168.234.200
ssh_exchange_identification: Connection closed by remote host
DEBUG THE POSSIBLE CAUSE FOR REFUSAL OF SSH:
TROUBLESHOOTING SSH:
[root@rhel6-server ~]# ssh -vvv 192.168.234.200
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.234.200 [192.168.234.200] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
[root@rhel6-server ~]#
One more system has logged in to “rhel6-test1”
[root@rhel6-test1 ~]# who |grep 192.168.234.133
root pts/3 2017-04-16 16:42 (192.168.234.133)
Let’s block this one also.
[root@rhel6-test1 ~]# vi /etc/hosts.deny
sshd: 192.168.234.146,192.168.234.133
bash-3.2# ssh 192.168.234.200
ssh_exchange_identification: Connection closed by remote host
bash-3.2# ssh -vvv 192.168.234.200
Sun_SSH_1.1.4, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.234.200 [192.168.234.200] port 22.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Logging to host: 192.168.234.200
debug1: Local user: root Remote user: root
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x807177a(0x0)
We can use the wildcard “ALL” as well.
[root@rhel6-test1 ~]# vi /etc/hosts.deny
sshd: ALL
Every ssh request will be denied after that.
[root@rhel6-test1 ~]# vi /etc/hosts.deny
sshd: 192.168.234.134
Wildcards
We can use wildcards in the client section of the rule to broadly
classify a set of hosts. These are the valid wildcards that can be used:
ALL - Matches everything
LOCAL - Matches any host that does not contain a dot (.), like localhost.
KNOWN - Matches any host where the hostname and host address are known or where the user is known.
UNKNOWN - Matches any host where the hostname or host address is unknown or where the user is unknown.
PARANOID - Matches any host where the hostname does not match the host address.
USER BASED SSH SECURITY:
[root@rhel6-test1 ~]# vi /etc/ssh/sshd_config
AllowUsers anurag raman ajay vikas
DenyUsers test1 user1 user2
DenyGroups testgroup1
[root@rhel6-test1 ~]# service sshd restart
Stopping sshd:
[ OK ]
Starting sshd:
[ OK ]
Let’s see the impact:
root@sol-test-1:>/#ssh 192.168.234.200
root@192.168.234.200's password:
Permission denied, please try again.
root@192.168.234.200's password:
Permission denied, please try again.
root@192.168.234.200's password:
I am providing the correct password for user root, but I am unable to get
access.
root@sol-test-1:>/#ssh -vvv 192.168.234.200
===============O/P REMOVED=============================
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@192.168.234.200's password: <-- entered correct password
debug3: packet_send2: adding 64 (len 55 padlen 9 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
root@192.168.234.200's password:
This means root is not allowed. Why? Because user root is not listed
in “AllowUsers”.
Let’s try one of the users from the “AllowUsers” list:
root@sol-test-1:>/#ssh raman@192.168.234.200
raman@192.168.234.200's password:
Last login: Sat Apr 15 17:40:08 2017 from rhel6-server
[raman@rhel6-test1 ~]$ hostname
rhel6-test1
[raman@rhel6-test1 ~]$ id
uid=501(raman) gid=501(raman) groups=501(raman)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[raman@rhel6-test1 ~]$
Conclusion:
If only “AllowUsers” is set, it overrides everything and only
the listed users are allowed access.
If we need to block some users, it is always better to rely on the “DenyUsers”
directive: only the listed users are denied and the rest can access.
Let’s try logging in as user “raman” from “rhel6-server”, i.e.
192.168.234.146:
[root@rhel6-server ~]# ssh raman@192.168.234.200
raman@192.168.234.200's password:
Permission denied, please try again.
raman@192.168.234.200's password:
What happened now?
I made some changes:
[root@rhel6-test1 ~]# vi /etc/ssh/sshd_config
AllowUsers anurag raman@192.168.234.133 ajay vikas
DenyUsers test1 user1 user2
DenyGroups testgroup1
Here I allowed user raman to access, but only from 192.168.234.133.
[root@rhel6-test1 ~]# service sshd restart
Stopping sshd:
[ OK ]
Starting sshd:
[ OK ]
HOW TO FORCE TO USE SSH PROTOCOL 2?
# vi /etc/ssh/sshd_config
Protocol 2
HOW TO SET IDLE TIME OUT IN SSH?
# vi /etc/ssh/sshd_config
ClientAliveInterval 600 # (Set to 600 seconds = 10 minutes)
ClientAliveCountMax 0
HOW TO DISABLE HOST BASED AUTHENTICATION?
# vi /etc/ssh/sshd_config
HostbasedAuthentication no
HOW TO DISABLE “.RHOSTS” FILE?
# vi /etc/ssh/sshd_config
IgnoreRhosts yes
HOW TO DISABLE SSH VIA EMPTY PASSWORD LOGIN?
# vi /etc/ssh/sshd_config
PermitEmptyPasswords no
HOW TO CONFIGURE AN INCREASE IN SSH LOGGING VERBOSITY?
# vi /etc/ssh/sshd_config
LogLevel DEBUG
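To check that the settings from the questions above are really in effect on a server, here is an added audit helper written for this post (not part of OpenSSH). It reads an sshd_config the way sshd does: directives are case-insensitive, "#" lines are comments, and the first occurrence of a directive wins, so a commented "#PermitRootLogin yes" counts as not set. The function names are my own; Match blocks are not handled.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening directives covered above.
# Hypothetical helper for this post, not part of OpenSSH. It follows the
# parsing rules sshd applies: directives are case-insensitive, "#" lines
# are comments, and the FIRST occurrence of a directive wins (a commented
# "#PermitRootLogin yes" therefore counts as "not set"). Match blocks are
# not handled.
sshd_setting() {
    # Print the effective value of directive $2 in file $1 (empty if unset).
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == want       { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    cfg=$1; findings=0
    # "Directive|expected value": a directive that is missing is reported
    # too, so the hardened value is made explicit instead of relying on the
    # compiled-in default.
    for rule in "Protocol|2" "PermitRootLogin|no" "PermitEmptyPasswords|no" \
                "HostbasedAuthentication|no" "IgnoreRhosts|yes" \
                "ClientAliveInterval|600" "ClientAliveCountMax|0" \
                "PubkeyAuthentication|yes"
    do
        d=${rule%%|*}; want=${rule#*|}
        have=$(sshd_setting "$cfg" "$d")
        if [ -z "$have" ]; then
            echo "MISSING: $d is not set (want '$want')"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "WEAK: $d is '$have' (want '$want')"
            findings=$((findings + 1))
        fi
    done
    return $findings   # 0 means every checked directive is as expected
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config`; the exit status is the number of findings, so it drops straight into a cron job or a check script.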
WHERE CAN I FIND THE SSH LOGS?
[root@rhel6-test1 ~]# cat /var/log/secure