OpenSSH Configuration and Usage Part 1

Welcome to our new tutorial. In this tutorial we are going to learn SSH configuration and the use of the ssh client with some of its options: ssh -l, ssh -p, ssh -v, ssh -V, ssh -t, ssh -F and ssh -c. We start the lecture with a brief look at SSH itself, because it is a very powerful and secure utility.

What is SSH?

SSH stands for Secure SHell. It is a way to connect to a remote machine. SSH is popular amongst *nix users because it is reliable, secure and adaptable. SSH is a protocol for secure remote access to a machine over an untrusted network. It is a replacement for telnet, rsh and rlogin, and unlike them it uses encryption.

Why SSH?

Unlike FTP and other legacy protocols, SSH is secure: the whole session is encrypted, so a passive attacker sniffing the network sees only ciphertext, never commands, passwords or file contents. Telnet sends the username/password combination in clear text; SSH is encrypted from the very beginning of the connection, before any credential is sent.
(Note: This is very important, as many developers still use FTP to transfer files to their server, not knowing that anyone on the network path can sniff their password. Use scp or sftp, which run over SSH, instead.)

What's wrong with telnet?

It sends all data in clear text, so every host between sender and receiver can read the traffic, including the password typed at login.

Components of SSH

OpenSSH has two main components: the server daemon sshd, configured through /etc/ssh/sshd_config, and the client program ssh, configured through /etc/ssh/ssh_config and the per-user ~/.ssh/config. Both are covered below.

How SSH works?

When sshd is started it listens on a socket, TCP port 22 by default. When a client connects, the SSH daemon forks a child process to handle that connection. The child performs the key exchange with the client, presenting the server's host key (e.g. RSA or Ed25519) so the client can verify which server it is talking to; once the session is encrypted it authenticates the user and starts the session. Host keys are generated once, at installation or the first start of the service, not per connection.

Security Benefits of SSH

  • User Authentication
  • Host Authentication
  • Data Encryption
  • Data Integrity

User Authentication

User authentication verifies the identity of the user, so that access is given only to the intended users and denied to everyone else. Once the connection is encrypted and the server has been authenticated, the client authenticates the user; the two most common methods are:

  1. Password Authentication
  2. Public Key Authentication

Password Authentication

A password in combination with a username is the most common way to tell another computer that you are who you claim to be. The client sends the password over the already encrypted channel; if the username and password match what is stored on the remote system, you are authenticated and access is allowed. The weakness is that passwords can be guessed: an sshd exposed to the Internet sees constant automated brute-force attempts.

Public Key Authentication

The most secure method of authenticating to a secure shell server. It uses a computer-generated pair of keys, one public and one private. RSA keys should be at least 2048 bits (older guides allow 1024, which is no longer considered safe); Ed25519 keys are a fixed 256 bits and are the modern default. To access an account on the server, a copy of the client's public key must be placed in that account's ~/.ssh/authorized_keys file. When the client connects, the server sends a challenge and the client signs it with the private key; the server verifies the signature with the stored public key, so the client proves possession of the secret without ever transmitting it, and access is granted. Protect the private key with a passphrase, because anyone holding the file can log in as you.
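As an added example (not part of the original tutorial), here is the key-based setup done by hand in POSIX shell, doing what ssh-copy-id does but showing each piece: generating the pair on the client, installing the public key into authorized_keys on the server with the permissions sshd requires, and optionally restricting from which addresses the key may be used. The key path, the comment string and the sample key line are assumptions; the sample key is a constructed placeholder, not real key material.

```sh
#!/bin/sh
# Added example, not code from the original tutorial: public-key login set up
# by hand. Assumptions: key path ~/.ssh/id_ed25519, comment "Client@faraz";
# the sample key below is a constructed placeholder, not real key material.

# Step 1, on the client: create the key pair. Ed25519 needs OpenSSH 6.5 or
# newer (use "-t rsa -b 4096" on older clients). "-a 100" makes the
# passphrase on the private key expensive to brute-force if the file leaks.
# The private key never leaves the client; only the .pub file is copied.
generate_keypair() {
    ssh-keygen -t ed25519 -a 100 -C "Client@faraz" -f "${1:-$HOME/.ssh/id_ed25519}"
}

# Step 2, on the server: append the public key line to ~/.ssh/authorized_keys.
# sshd (StrictModes yes, the default) ignores the file if ~/.ssh or
# authorized_keys is writable by group or others, and the client then silently
# falls back to a password prompt, so the modes are set explicitly.
install_pubkey() {
    line=$1
    home=$2
    dir="$home/.ssh"
    auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # de-duplicate on key type + key material; the trailing comment is not identity
    keyid=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')
    if ! awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit found ? 0 : 1 }' "$auth"; then
        printf '%s\n' "$line" >> "$auth"
    fi
}

# Optional: limit where the key may be used from with the authorized_keys
# "from=" option (pattern syntax as in sshd(8)); a stolen key is then useless
# from anywhere else.
restrict_to_source() {
    printf 'from="%s" %s\n' "$2" "$1"
}

# helpers used to verify the result
count_keys() {
    awk 'END { print NR }' "$1/.ssh/authorized_keys"
}
perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Demonstration against a throw-away home directory with a constructed key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialConstructedForThisPage00 Client@faraz'
demo_home=$(mktemp -d)
install_pubkey "$SAMPLE_KEY" "$demo_home"
install_pubkey "$SAMPLE_KEY" "$demo_home"    # second install is a no-op
echo "entries in authorized_keys: $(count_keys "$demo_home")"
perms_ok "$demo_home" && echo "permissions acceptable to sshd"
echo "source-restricted form: $(restrict_to_source "$SAMPLE_KEY" '192.168.56.*')"
```

Run the generation step on the client and copy only the .pub file to the server (ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 122 Server@192.168.56.102 performs the same install). Before you disable passwords in sshd_config, confirm the key works from a second terminal with ssh -o PasswordAuthentication=no -p 122 Server@192.168.56.102 while keeping the first session open, so a mistake cannot lock you out.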

Host Authentication

The known_hosts file (~/.ssh/known_hosts) lets the client authenticate the server. A host key is used by a server to prove its identity to a client: on the first connection the client shows the key's fingerprint and asks whether to trust it, and on every later connection it verifies the server against the stored entry. Host keys are persistent (they change infrequently), so a changed key is a red flag; the client prints "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" and refuses to continue. This is what guards against man-in-the-middle attacks, but only if the fingerprint shown on the first connection is compared with the real one, obtained out of band (for example by running ssh-keygen -lf on the server's public host key file in /etc/ssh/).

Data Encryption

Encryption is the technique through which our data is protected from disclosure to an attacker who captures the traffic (sniffing).

Data Integrity

Data integrity means that data sent from one end of a transaction arrives unaltered at the other end; secure shell guarantees this with a message authentication code (MAC) on every packet, so tampering in transit is detected and the connection is dropped.

Installation/Uninstallation with the yum command

yum install openssh-server openssh-clients

After installation you need to start the service with the command

systemctl start sshd

or service sshd start (for old versions of CentOS/Red Hat Linux).

To remove it use the command yum remove openssh-server openssh-clients

Configure the SSH

/etc/ssh/sshd_config is the configuration file of the SSH server (sshd) and /etc/ssh/ssh_config configures the ssh client application. In this part we change the server file; the client file is left alone until the cipher section at the end.

To make SSH more secure, disable SSH protocol 1. It is almost never used by modern clients and has known cryptographic weaknesses (OpenSSH removed protocol 1 support entirely in the 7.x releases). Make sure your config contains the line Protocol 2, or at least that no Protocol line enables version 1: a commented #Protocol 2 line only documents the default, which already is protocol 2 only.

Disable root login: make sure you have PermitRootLogin no set, because SSH brute-force attackers most often try the username root. If you do not disable root login you are giving the attacker half of the information they need to gain access: they already know the username and only have to guess the password. It is better to keep them guessing both username and password, and to log in as an unprivileged user and use sudo. If you must allow root over SSH for automation, PermitRootLogin prohibit-password (OpenSSH 7.0 and later; without-password in older releases) permits key-based root login only.

Change the default port 22 to something else, like Port 122. This does not stop a targeted attacker, who will find the port with a scan, but it removes most of the automated brute-force noise from the logs. On a SELinux system you must also tell SELinux about the new port (the semanage command quoted in the file's own comments) and open it in the firewall, otherwise sshd fails to bind or clients cannot reach it.

[Server@faraz ~]# vi /etc/ssh/sshd_config

#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 122
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
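An added check, not from the original page: a small POSIX shell audit of an sshd_config file for the settings just discussed. It reads the file the way sshd does (the first active occurrence of a keyword wins, commented lines only document the default, anything after a Match line is conditional) and so reports the values sshd would actually use. The two sample files it builds are constructed for the example; the audit function works on a real /etc/ssh/sshd_config too.

```sh
#!/bin/sh
# Added example, not code from the original tutorial: audit an sshd_config for
# the hardening settings discussed above. Handles the "Keyword value" form
# only (not "Keyword=value"); the two sample files are constructed here.

# effective_value KEYWORD FILE -> the global value sshd would use, or nothing
# if the keyword is unset. Mirrors sshd: first active occurrence wins,
# "#Keyword value" lines are comments, everything after "Match" is conditional.
effective_value() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/              { next }            # comment or blank line
        tolower($1) == "match"      { exit }            # conditional section: stop
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$2"
}

# audit_sshd_config FILE -> one finding per line on stdout; exit status is the
# number of findings (0 means nothing to report)
audit_sshd_config() {
    cfg=$1
    n=0
    v=$(effective_value Protocol "$cfg")
    case "$v" in
        *1*) echo "Protocol $v: SSH protocol 1 is enabled"; n=$((n + 1)) ;;
    esac
    v=$(effective_value PermitRootLogin "$cfg")
    case "$v" in
        no|prohibit-password|without-password) ;;   # key-only root is acceptable
        *) echo "PermitRootLogin ${v:-unset}: password login as root possible"; n=$((n + 1)) ;;
    esac
    v=$(effective_value PasswordAuthentication "$cfg")
    if [ "$v" != no ]; then
        echo "PasswordAuthentication ${v:-unset, default yes}: open to password guessing"
        n=$((n + 1))
    fi
    v=$(effective_value Port "$cfg")
    if [ "${v:-22}" = 22 ]; then
        echo "Port 22: default port (moving it cuts log noise; it is not a security boundary)"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample configs for the demonstration (not from a real host).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.weak" <<'EOF'
# commented defaults must be ignored by the audit
#PermitRootLogin no
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
#Port 122
EOF
cat > "$tmp/sshd_config.hardened" <<'EOF'
Port 122
Protocol 2
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

for f in "$tmp"/sshd_config.*; do
    echo "== $f"
    n=0
    audit_sshd_config "$f" || n=$?
    echo "$n finding(s)"
done
```

On the server itself, sshd -t validates the syntax of the file and sshd -T prints the fully resolved configuration, which is the authoritative answer; the script above is for reviewing a config file offline, for example one kept in version control before it is deployed. The port is counted as a finding only because this tutorial recommends moving it; treat that as log-noise reduction, not as a security control.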

Here are some general rules to deny/allow SSH access using the tcp_wrappers hosts files, /etc/hosts.allow and /etc/hosts.deny. To allow a client, enter its IP in hosts.allow; to block it, make the entry in hosts.deny. hosts.allow is consulted first, so the usual pattern is to allow the specific addresses you trust and deny ALL in hosts.deny. You can also list a whole network or IP range. Note that OpenSSH 6.7 and later are no longer built with tcp_wrappers support, so on newer systems restrict access with the firewall or with AllowUsers / Match Address in sshd_config instead.

[Server@faraz ~]# vi /etc/hosts.allow
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
# A single host. A network (192.168.56.0/255.255.255.0) or a prefix
# (192.168.56.) also works. Comments must be on their own line: a '#'
# after the rule is read as part of the client list, not as a comment.
sshd: 192.168.56.103
[Server@faraz ~]# vi /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
# Deny everyone not matched in hosts.allow; a single IP or a range
# can be given here instead of ALL.
sshd: ALL

Remote Login/Logout

For logging on to the remote server you must know the username of an account on that server and either its password or have your public key installed for it.

For login, the syntax is: ssh username@hostname (or IP address)

[Client@faraz ~]$ ssh Server@192.168.56.102
Server@192.168.56.102's password:
Last login: Thu Jan 28 16:06:13 2016
[Server@faraz ~]$

You can also give the username with the -l option, as below;

[Client@faraz ~]$ ssh -l Server 192.168.56.102
Server@192.168.56.102's password:
Last login: Thu Jan 28 16:53:39 2016 from 192.168.56.10
[Server@faraz ~]$

To log out, just enter logout or press Ctrl+D to close the session.

[Server@faraz ~]$ logout
Connection to 192.168.56.102 closed.
[Client@faraz ~]$

If you have changed the port, you must specify it with the -p option;

[Client@faraz ~]$ ssh -p 122 Server@192.168.56.102
Server@192.168.56.102's password:
Last login: Thu Jan 28 23:14:09 2016 from 192.168.56.103
[Server@faraz ~]#

-V option displays the version number.

[Client@faraz ~]$ ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013

-v prints debugging messages about its progress. This is helpful in debugging connection, authentication and configuration problems. Read the output top down: which identity files the client tried, which protocol and software version the remote side announced, and the kex lines, which show the cipher and MAC negotiated for each direction. In the run below the MAC is hmac-md5, which a modern configuration should not offer; the Ciphers and MACs settings in sshd_config and ssh_config control what can be negotiated (see the cipher section at the end).

[Client@faraz ~]$ ssh -v [email protected]
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.40.123 [192.168.40.123] port 22.
debug1: Connection established.
debug1: identity file /home/Faraz/.ssh/identity type -1
debug1: identity file /home/Faraz/.ssh/identity-cert type -1
debug1: identity file /home/Faraz/.ssh/id_rsa type -1
debug1: identity file /home/Faraz/.ssh/id_rsa-cert type -1
debug1: identity file /home/Faraz/.ssh/id_dsa type -1
debug1: identity file /home/Faraz/.ssh/id_dsa-cert type -1
debug1: identity file /home/Faraz/.ssh/id_ecdsa type -1
debug1: identity file /home/Faraz/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

The -t option forces pseudo-terminal (tty) allocation. ssh allocates a tty automatically for an interactive login, but not when you pass a command to run, so to start a different shell on the remote side (csh, tcsh, bash, ksh, etc.) interactively you need -t. A shell started this way is not a login shell: as the transcript below shows, logout fails with "not login shell" / "Not a login shell" and you must use exit instead, whereas a normal login (no command given) accepts logout because the account's login shell was started the usual way. The opposite option, -T, disables tty allocation, which is what you want for non-interactive commands run from scripts.

[Server@faraz ~]$ ssh -l Client 192.168.56.103 -t /bin/bash
Client@192.168.56.103's password:
[Client@faraz ~]$ logout
bash: logout: not login shell: use `exit'
[Client@faraz ~]$ exit
exit
Connection to 192.168.56.103 closed.
[Server@faraz ~]$ ssh -l Client 192.168.56.103 -t /bin/csh
Client@192.168.56.103's password:
[Client@faraz ~]$ logout
Not a login shell.
[Client@faraz ~]$ exit
exit
Connection to 192.168.56.103 closed.
[Server@faraz ~]$ ssh -l Client 192.168.56.103
Client@192.168.56.103's password:
Last login: Sat Jan 30 14:33:30 2016 from 192.168.56.102
[Client@faraz ~]$ logout
Connection to 192.168.56.103 closed.
[Server@faraz ~]$

By default ssh reads the system-wide /etc/ssh/ssh_config and then the per-user ~/.ssh/config, where you can put settings that apply to a particular user only (create the file if it does not exist; it must be owned by you and not writable by others, or ssh refuses to read it). The -F option makes ssh read an alternative configuration file; when -F is given, the system-wide file is ignored.

Here I am going to create the file ssh.config and add some parameters. Two cautions: ForwardX11 yes lets the remote host open windows on, and read input from, your local display, so enable it only for hosts you trust; and the cipher list below is the page's original one, of which the arcfour and cbc entries are weak and should be dropped on a modern system.

syntax: ssh -F path_of_file username@hostname/IP

[Client@faraz ~]$ touch /home/Client/ssh.config
[Client@faraz ~]$ vi /home/Client/ssh.config
Host 192.168.56.*
ForwardX11 yes
PasswordAuthentication yes
ConnectTimeout 10
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
Protocol 2
[Client@faraz ~]$ ssh -F /home/Client/ssh.config Server@192.168.56.102
Server@192.168.56.102's password:

 

A cipher is the algorithm used to encrypt and decrypt the session data. The Ciphers setting lists, in order of preference, which ciphers may be negotiated, and the -c option lets the client request a specific one for a session; it must appear in both sides' lists, otherwise the connection fails with "no matching cipher found".

Two corrections to the usual recipe: the singular Cipher keyword (e.g. Cipher 3des) applies to SSH protocol 1 only, so with Protocol 2 it has no effect and sshd does not accept it at all; and the server's list belongs in sshd_config, because the server's /etc/ssh/ssh_config only configures the ssh client on that machine. The lists below are the page's; on a modern system drop the arcfour, aes128-cbc and 3des-cbc entries.

Server side (uncomment or add the Ciphers line in sshd_config, then restart sshd)

[Server@faraz ~]# vi /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

Client side (uncomment the Ciphers line in the Host * section)

[Client@faraz ~]# vi /etc/ssh/ssh_config
Host *
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
[Client@faraz ~]# ssh -l Server 192.168.56.102 -p 122 -c aes256-ctr
Server@192.168.56.102's password:
Last login: Sat Jan 30 11:22:34 2016 from 192.168.56.103
[Server@faraz ~]$
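Added example (not from the original page) that serves both the -F client config above and the Ciphers lines in this section: a shell function that flags the entries of a Ciphers or MACs list that a modern configuration should not offer, applied to the page's own list and to the hmac-md5 MAC seen negotiated in the ssh -v output earlier. Which algorithms count as weak is this example's policy; the names are OpenSSH's algorithm identifiers.

```sh
#!/bin/sh
# Added example, not code from the original tutorial: flag the entries of a
# Ciphers or MACs list that a modern OpenSSH configuration should not offer.
# The names are OpenSSH's algorithm identifiers; the weak set is this
# example's policy, not something OpenSSH enforces by itself.

# weak_algorithms LIST -> "name reason" per weak entry of a comma-separated
# list, in the order the entries appear (preference order)
weak_algorithms() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        /^arcfour/              { print $0 " RC4 keystream biases"; next }
        /^(3des|blowfish)-cbc$/ { print $0 " 64-bit block size (Sweet32)"; next }
        /-cbc$/                 { print $0 " CBC mode, plaintext recovery attacks on SSH"; next }
        /^hmac-md5/             { print $0 " MD5-based MAC"; next }
        /-96$/                  { print $0 " truncated MAC tag"; next }
    '
}

# recommended_ciphers -> a preference list any OpenSSH 6.5+ peer can negotiate
recommended_ciphers() {
    echo 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
}

# The list used in the ssh_config / sshd_config examples on this page.
PAGE_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc'

echo "weak entries in the page's cipher list:"
weak_algorithms "$PAGE_CIPHERS"
echo "MAC negotiated in the ssh -v output earlier:"
weak_algorithms 'hmac-md5'
echo "weak entries in the recommended list: $(weak_algorithms "$(recommended_ciphers)" | wc -l | tr -d ' ')"
```

ssh -Q cipher and ssh -Q mac (OpenSSH 6.3 and later) print what the local build supports, and ssh -vv shows the lists both sides offered, so you can confirm that a restricted list is actually in effect after editing the config.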

In this tutorial we have covered ssh -l, ssh -p, ssh -v, ssh -V, ssh -t, ssh -F and ssh -c, together with a brief introduction to SSH. In the next tutorial we will learn more about the SSH utilities. See you at the next topic, and keep learning with us.

Thanks
