We are going to configure a key-based SSH authentication, and allow sshd to bind to a non-default SSH port.
We have a couple of RHEL 7.0 servers, srv1 and srv2. SELinux is set to enforcing mode.
Configure Key-based SSH Authentication
On the server srv1, create a new user sandy:
# useradd -m -s /bin/bash sandy
# passwd sandy
# su - sandy
As the user sandy, create a new SSH key and copy it to the server srv2:
$ ssh-keygen -b 2048 -t rsa
$ ssh-copy-id -i ~/.ssh/id_rsa.pub sandy@srv2
Public key authentication is enabled by default, so we can test it right away:
$ ssh sandy@srv2
Configure Alternative SSH Ports
We are going to add TCP port 2200 to the SSH server.
On the server srv2, open the file /etc/ssh/sshd_config for editing and add the following lines:
Port 22
Port 2200
Configure the firewall to allow access on TCP port 2200:
# firewall-cmd --permanent --add-port=2200/tcp
# firewall-cmd --reload
Configure SELinux to allow sshd to listen on TCP port 2200:
# semanage port -a -t ssh_port_t 2200 -p tcp
Restart sshd service:
# systemctl restart sshd
Test from the server srv1:
$ ssh sandy@srv2 -p 2200
Tweak SSH Server Configuration
We want to allow user sandy to log in, but deny user dev1 and group devops:
AllowUsers sandy
DenyUsers dev1
DenyGroups devops
Note that the allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups and finally AllowGroups. Once AllowUsers is set, only the listed users can log in at all; the Deny directives then act as a safeguard should AllowUsers later be removed.
Tell the SSH server not to look up the remote hostname. This may result in a significant performance boost if client connections are slow.
Set the maximum number of sessions that can be opened from one IP address simultaneously to 3:
Send a packet to the client if no activity has been detected for 300 seconds, and do so up to 4 times:
ClientAliveInterval 300
ClientAliveCountMax 4
Unresponsive clients will be disconnected after approximately 20 minutes (300 seconds x 4). These options apply to protocol version 2 only.
Kerberos-based authentication should be disabled:
Close the TCP socket after 3 invalid login attempts:
Permit passwordless root login:
Ensure that password and key-based authentication are enabled, and that empty passwords are not allowed:
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
Restart the service:
# systemctl restart sshd
Check the sshd_config(5) man page for more information.
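As an added example (not part of the original post), the following POSIX shell script audits an sshd_config against the settings described in this section, resolving each keyword the way sshd does (first occurrence wins, Port excepted). The keyword names for the settings whose directive lines are missing above (UseDNS, MaxSessions, KerberosAuthentication, MaxAuthTries, PermitRootLogin) and the sample config it scans are my assumptions, not the author's.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# settings described above. The keywords for settings whose directive lines are
# missing above (UseDNS, MaxSessions, KerberosAuthentication, MaxAuthTries,
# PermitRootLogin) are assumptions taken from sshd_config(5).

# sshd_value FILE KEYWORD: print KEYWORD's value as sshd resolves it. Keywords are
# case-insensitive; for every keyword except Port only the FIRST occurrence counts
# (later duplicates are silently ignored). Lines after a Match block are
# conditional, so the scan stops there.
sshd_value() {
    awk -v key="$2" '
        BEGIN { lkey = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == lkey {
            val = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (lkey == "port") { print val; next }
            if (!seen) { print val; seen = 1 }
        }' "$1"
}

# check_sshd_config FILE: one FAIL line per deviation; returns 0 when clean.
# An unset keyword fails too, since the post sets each of these explicitly.
check_sshd_config() {
    fails=0
    for rule in PasswordAuthentication=yes PubkeyAuthentication=yes \
                PermitEmptyPasswords=no ClientAliveInterval=300 ClientAliveCountMax=4 \
                UseDNS=no MaxSessions=3 KerberosAuthentication=no MaxAuthTries=3 \
                PermitRootLogin=without-password; do
        key=${rule%%=*}; want=${rule#*=}
        got=$(sshd_value "$1" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$want" ] && continue
        printf 'FAIL %s: want "%s", got "%s"\n' "$key" "$want" "${got:-<unset>}"
        fails=$((fails + 1))
    done
    for p in $(sshd_value "$1" Port); do        # Port is the one repeatable keyword
        case $p in 22|2200) ;; *) echo "FAIL Port: unexpected $p"; fails=$((fails + 1)) ;; esac
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample: one drifted line plus a late "fix" that sshd never reads.
SAMPLE_CONFIG=$(mktemp)
printf '%s\n' 'Port 22' 'Port 2200' 'PasswordAuthentication yes' 'PubkeyAuthentication yes' \
    'PermitEmptyPasswords yes' 'ClientAliveInterval 300' 'ClientAliveCountMax 4' 'UseDNS no' \
    'MaxSessions 3' 'KerberosAuthentication no' 'MaxAuthTries 3' \
    'PermitRootLogin without-password' 'PermitEmptyPasswords no' >"$SAMPLE_CONFIG"
check_sshd_config "$SAMPLE_CONFIG" || echo "drift detected: the first PermitEmptyPasswords wins"
```

Run it against /etc/ssh/sshd_config after editing and before `systemctl restart sshd`; a trailing duplicate that looks like a fix is exactly the kind of drift it catches.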
I’m practicing using your sample exam for RHCE7. Your instructions are easy to follow. Thanks.
Under SSH configuration – “Client ipa.rhce.local must not have access to SSH at all” –
To accomplish this, we just add an entry in /etc/hosts.deny “sshd: ipa.rhce.local ” or “sshd: ? Please advise.
I don’t use TCP Wrappers I’m afraid as I prefer firewall rules – one place to manage access.
sshd: ipa.rhce.local to hosts.deny works well.
With the HTTP service it does not, and I use a firewalld rich rule.
Yeah, same here, TCP Wrappers didn’t work with HTTP on RHEL 7.
Is SSH port forwarding configuration an exam objective?
Port forwarding is an exam objective.
I mean port forwarding by means of SSH – SSH tunneling
I think it is.
I am using CentOS 7.0.
I am facing this issue with sshd: sshd stops working out of nothing. It works with the default config.
# systemctl status sshd
sshd.service – OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since Wed 2017-11-01 09:25:43 EDT; 25min ago
Process: 1991 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
Main PID: 2196 (sshd)
└─2196 /usr/sbin/sshd -D
Nov 01 09:25:43 ipa.example.local systemd: Started OpenSSH server daemon.
Nov 01 09:25:47 ipa.example.local sshd: key_parse_private_pem: RSA_blinding_on failed
Nov 01 09:25:48 ipa.example.local sshd: Could not load host key: /etc/ssh/ssh_host_rsa_key
Nov 01 09:25:51 ipa.example.local sshd: Server listening on 0.0.0.0 port 22.
Nov 01 09:25:51 ipa.example.local sshd: Server listening on :: port 22.
Nov 01 09:51:07 ipa.example.local sshd: error: key_parse_private_pem: RSA_blinding_on failed
Nov 01 09:51:07 ipa.example.local sshd: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
I am using cloned copies in VMware.
You need to fix the following:
I have searched over the net for a solution, and then I posted here.
None of the solutions worked for me:
1) removed SSH and installed it again
2) removed the keys and tried to generate them again
3) it gives SELinux errors, but it does not work here.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep sshd-keygen /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Please direct me to correct solution.
You have to fix SELinux issues then. Generate a local policy module and see if this resolves the problem.
How can I allow SSH access for IPA users? When I try to connect with ssh alice@ I get permission denied. User alice is an IPA user, but if I use a local user I have access.
GSSAPIAuthentication yes; this will allow users to log in with Kerberos credentials.
I am trying to set up an SSH session timeout on RHEL 8.7.
This does not seem to work.
Can you verify whether these settings work the same in RHEL 8.6 and RHEL 8.7 onwards?
Hi, they should do.