Configuring SSH in CentOS 7

SSH (Secure Shell) is a protocol for creating an encrypted link between a client and a server. It lets you control a computer remotely. You work with it in the terminal, and in the CentOS 7 operating system it is included by default. In this article we look in detail at the standard setup process, which will be useful to anyone who is going to work with SSH.

Setting up SSH in CentOS 7

The configuration process is individual to each system administrator, but some points are useful to all users. In this article we cover not only the server side but also the client, and point out on which of the devices each action is performed.

Install the components and start the server

We have already said that SSH is included among the CentOS 7 system packages by default, but sometimes, for one reason or another, the required components are missing from the computer. In that case, you must add them and then activate the server.

  • Open “Terminal” and type the command sudo yum -y install openssh-server openssh-clients.
  • Authenticate the root account by typing the password. Note that the characters do not appear on the line as you type.
  • Run sudo chkconfig sshd on to enable the service at startup.
  • Then start the SSH service by entering service sshd start.
  • It only remains to check that the default port is open. To do this, use netstat -tulpn | grep :22.

After these instructions complete successfully, you can move on to configuration. Be sure to read the notifications shown on screen when you run the commands, as they may indicate that a specific error has occurred. Correcting problems promptly helps to avoid further ones.

Edit the configuration file

Of course, how the configuration file is edited is entirely at the system administrator's discretion. However, we want to show how to open it in a text editor and which settings deserve attention first.

  • We suggest using the nano editor; install it with the command sudo yum install nano. When the installation completes, open the configuration file with sudo nano /etc/ssh/sshd_config.
  • You will see all available options. Some of them are commented out, that is, preceded by the # sign. Removing this symbol uncomments the option and makes it take effect. You can change the default port by changing the value of the “Port” line to any other. In addition, it is recommended to set the second protocol version using “Protocol 2”, which raises the security level.
  • These and other parameters are changed only according to the administrator's preference. Detailed information about each of them is in the official SSH documentation. When you finish editing, save the changes by pressing the hotkey Ctrl + O.
  • Press Ctrl + X to exit the editor.
  • Restart the service with sudo service sshd restart so that the changes take effect.
  • You can then check the status of SSH with service sshd status to make sure it is working.

Editing the configuration file changes many parameters, but the main work of adding and configuring keys is done with dedicated commands, which we discuss next.

Create RSA key pairs

SSH uses the RSA cryptographic algorithm (an acronym of the names Rivest, Shamir and Adleman) to generate a key pair. This protects both the client and the server side as much as possible when connections are made. Both sides are involved in setting up the key pair.

  • To get started, go to the client computer and type ssh-keygen in the console.
  • A new line appears asking you to specify the path where the key will be saved. If you want to keep the default location, do not enter anything and just press Enter.
  • Next, create a passphrase. It protects against unauthorized entry into the system. After creating it, enter it again to confirm.
  • This completes key generation. On the screen you will see the key fingerprint and a random image assigned to it.

After these steps complete successfully, you have a public and a private key, which will later be used for authentication with the server. First, however, the public key must be transferred to the server and password login disabled.

Copy the public key to the server

As mentioned above, the key must be copied to enable password-less authentication later. This can be done in one of three ways, each of which is best in certain situations. Let’s look at all of them.

The utility ssh-copy-id

Copying the public key with the ssh-copy-id utility is the simplest method. However, it is suitable only when the utility is available on the computer. You need to enter just one command, ssh-copy-id username@remote_host, where username@remote_host is the user name and the host of the remote server.

If you are connecting for the first time, you will see a message like this:

    The authenticity of host '111.111.11.111 (111.111.11.111)' can't be established.
    ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
    Are you sure you want to continue connecting (yes/no)?

This means that the server is not in the list of trusted hosts, and you are asked whether to continue connecting. Select the option yes.

All that remains is to enter the password for the account on the server, and the copy performed by the utility completes successfully.

Copy the public key over SSH

If the ssh-copy-id utility is absent, we recommend using the standard features of the SSH tool, provided, of course, that you have access to the server account. The key is uploaded over an ordinary connection, as follows:

  • The cat command reads the key and appends it to the file on the server computer. To do this, type cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys", where username@remote_host is the account name and the hostname of the remote computer. Note that the >> operator appends the key to the end of the file rather than overwriting it, so previously added keys are preserved.
  • Enter the passphrase to connect.
  • Don’t forget to restart the server with sudo service sshd restart to update the list of keys.

Manually copy the public key

Sometimes it is impossible to use the ssh-copy-id utility and no password is set. In that case the key is copied manually.

  • First display the key with the already familiar cat command by typing cat ~/.ssh/id_rsa.pub in the console.
  • Copy its contents to a separate file.
  • Connect to the remote computer by any convenient method and create the directory with mkdir -p ~/.ssh. The command does nothing if the directory already exists.
  • All that remains is to add the data to the “authorized_keys” file. The command echo public_key_string >> ~/.ssh/authorized_keys appends the key to the file, creating the file first if it is missing. Replace “public_key_string” with the key string obtained earlier.

The key copy procedure is now complete. You can now authenticate to the server by typing ssh username@remote_host. However, you can still connect with the password as well, which reduces the security of the network.
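The manual steps above leave file modes to the current umask and append the key again every time they are repeated. The shell function below is an added example, not part of the original article: it performs the same append idempotently, accepts only a single public-key line, and sets restrictive modes (700 on ~/.ssh, 600 on authorized_keys), since sshd's StrictModes check can reject key files that other users are able to write to. The function name install_pubkey and the sample key string are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent, permission-safe version of the manual
# "echo public_key_string >> ~/.ssh/authorized_keys" step.
nl='
'

# install_pubkey KEYLINE [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() {
    key=$1
    dir=${2:-$HOME}/.ssh

    # Refuse anything that is not exactly one line.
    case $key in
        *"$nl"*) echo "refusing multi-line input" >&2; return 1 ;;
    esac
    # Accept only "<type> <base64> [comment]"; every SSH public key blob
    # starts with "AAAA" in base64. A pasted private key fails this test.
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac

    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"

    # Append only if this exact line is not already present.
    grep -qxF -- "$key" "$dir/authorized_keys" ||
        printf '%s\n' "$key" >> "$dir/authorized_keys"
}

# Demo against a throwaway directory with a constructed (not real) key.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed user@client'
install_pubkey "$demo_key" "$demo_home"
install_pubkey "$demo_key" "$demo_home"      # second call changes nothing
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
wc -l < "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```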

Disable password authentication

The ability to log in with a password, bypassing the key, makes a remote connection less secure. It is therefore recommended to disable this feature to prevent unauthorized authentication by intruders.

  • On the remote server, open the SSH configuration file with sudo nano /etc/ssh/sshd_config.
  • Find the “PasswordAuthentication” option and change its value to no.
  • Save the changes and quit the text editor.
  • The new setting takes effect only after you restart the service with sudo systemctl restart sshd.service.

This concludes the article, which introduced the main configuration points of the SSH protocol. We strongly recommend reading the output shown after you run the commands, as it sometimes contains errors. Look for their solutions in the official documentation of the tool or of the CentOS distribution.
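Both the “Edit the configuration file” steps (commented-out options, “Port”, “Protocol”) and the “PasswordAuthentication” change above depend on which line sshd actually honours: it uses the first uncommented occurrence of each keyword. The script below is an added example, not part of the original article, that reports the effective value from an sshd_config-style file; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: which value does sshd actually use for a keyword?
# sshd takes the FIRST uncommented occurrence of each keyword, so a later
# "PasswordAuthentication no" does nothing if a "yes" appears above it.

# effective_setting FILE KEYWORD DEFAULT
# Prints the first active value of KEYWORD in the global section of FILE
# (everything before the first Match block), or DEFAULT if it is absent.
# Assumes the plain "Keyword value" form.
effective_setting() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0  { next }    # commented out or blank
        tolower($1) == "match" { exit }    # conditional blocks start here
        tolower($1) == want    { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# password_login_disabled FILE: succeeds only if the effective value is "no".
password_login_disabled() {
    v=$(effective_setting "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# Constructed sample file: "no" was added at the end, but an active "yes"
# was left earlier in the file.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2222' 'Protocol 2' \
    '#PasswordAuthentication no' 'PasswordAuthentication yes' \
    'UsePAM yes' 'PasswordAuthentication no' > "$sample"

echo "Port: $(effective_setting "$sample" Port 22)"
echo "PasswordAuthentication: $(effective_setting "$sample" PasswordAuthentication yes)"
if password_login_disabled "$sample"; then
    echo "password login is disabled"
else
    echo "password login is still ENABLED"
fi
rm -f "$sample"
```

Before restarting the service, sudo sshd -t checks the edited file for syntax errors; keep the current session open until a new key-based login has succeeded.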

Source: lumpics.ru
