Saturday 16 July 2011

SSH -- Configure key-based authentication

This is actually a fairly simple objective. The default configuration is to accept key-based authentication; note this line in the /etc/ssh/sshd_config file:
#PubkeyAuthentication yes
Although the line is commented out, this is actually the default and as such does not need to be explicitly stated. If you wanted to prevent key-based authentication, just add this line:
PubkeyAuthentication no
At any rate back to the objective. On the client, issue the following command, and follow the instructions, to generate a key:
ssh-keygen
Note that you don't actually need to add a passphrase, just press enter. This will allow you to login without being prompted for a passphrase (keep in mind that anyone who can read that private key file can then log in as you).

The last step is to copy the public key that you have just generated to the server you want to login to:
ssh-copy-id user@<servername>
That's it, if you did not provide a passphrase, you should be able to login with:
ssh user@<servername>
Note that both ssh-keygen and ssh-copy-id have several options and that you should study them to see what they do.

I guess that in the exam you could be asked to install ssh, even though it is installed by default. At any rate, just issue the following command:
yum install openssh-server -y
You should then make sure that it is set to run at boot time:
chkconfig sshd on
You can allow ssh traffic through by opening port 22:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT; service iptables save
Depending on your configuration, you might need to change SELinux settings. You can check the SSH-related SELinux booleans like this:
getsebool -a | grep ssh
Finally, you can limit the users that can login by using the DenyUsers directive in the /etc/ssh/sshd_config file like so:
DenyUsers naughtyuser
Remember to restart the daemon after any changes:
service sshd restart
If you want to prevent specific hosts from accessing SSH, you can do it by using iptables rules, e.g.:
iptables -I INPUT -p tcp --dport 22 -s 10.168.20.233 -j DROP; service iptables save
I think this pretty much covers this objective.
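A small helper, added here and not part of the original post, that reports the value sshd will actually use for a keyword after the edits above: it ignores commented-out lines such as the stock "#PubkeyAuthentication yes", takes the first uncommented occurrence (the one sshd honours), and stops at the first Match block, since settings there are conditional. The key_login_ok check assumes a USER and HOST you supply; the sample config at the end is constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post. Print the value sshd will actually
# use for a keyword, reading sshd_config on stdin. Rules from sshd_config(5):
#  - a line starting with "#" is a comment, so the stock "#PubkeyAuthentication yes"
#    only documents the built-in default and is ignored
#  - keywords are case-insensitive and the FIRST uncommented occurrence wins
#  - from the first "Match" line on, settings are conditional, so they are skipped
# Usage: sshd_effective KEYWORD DEFAULT < /etc/ssh/sshd_config
sshd_effective() {
    key=$1 default=$2
    val=$(awk -v k="$key" '
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }   # strip indent; split "Key value" or "Key=value"
        /^#/ || /^$/             { next }                 # comment or blank line
        tolower(f[1]) == "match" { exit }                 # rest of the file is conditional
        tolower(f[1]) == tolower(k) {
            v = $0; sub(/^[^ \t=]+[ \t=]+/, "", v)         # keep only the value part
            print v; exit
        }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Check that key-based login really works without a password prompt (BatchMode
# makes ssh fail instead of asking). USER and HOST are placeholders you supply.
key_login_ok() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "$1@$2" true
}

# Constructed sample sshd_config fragment (not a real host's file) for a dry run.
sample_config() {
    cat <<'EOF'
#PubkeyAuthentication yes
#PasswordAuthentication yes
Port 22
PasswordAuthentication no
DenyUsers naughtyuser
Match User admin
    PasswordAuthentication yes
EOF
}

# Dry run against the sample: PubkeyAuthentication falls back to its default "yes",
# PasswordAuthentication is "no" (the Match override is not global), DenyUsers is naughtyuser.
sample_config | sshd_effective PubkeyAuthentication yes
sample_config | sshd_effective PasswordAuthentication yes
sample_config | sshd_effective DenyUsers none
```

Run it against the real file with `sshd_effective PubkeyAuthentication yes < /etc/ssh/sshd_config` after editing and before restarting sshd, so a typo or a duplicate directive does not lock you out.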
