System-2 192.168.2.11
Step 1:
$ ssh-keygen
Your identification has been saved in /root/.ssh/id_rsa. (Private key) Don't share it with anyone.
(decryption key)
Your public key has been saved in /root/.ssh/id_rsa.pub. (Public key) You can share it publicly.
(encryption key)
Data encrypted with the public key can only be decrypted with the matching private key, so only the holder of the private key can read it.
Step 2:
Open the id_rsa.pub file using more, cat or vi and copy the content.
Step 3:
Login to System-2 as the respective user and create a new file authorized_keys in that user's home directory:
.ssh/authorized_keys
cd .ssh/
vi authorized_keys
Paste the content you copied from System-1 here (the public key content).
:wq
Step 1:
$ ssh-keygen
Your identification has been saved in /root/.ssh/id_rsa. (Private key) Don't share it with anyone.
(decryption key)
Your public key has been saved in /root/.ssh/id_rsa.pub. (Public key) You can share it publicly.
(encryption key)
Data encrypted with the public key can only be decrypted with the matching private key, so only the holder of the private key can read it.
Step 2:
Open the id_rsa.pub file using more, cat or vi and copy the content.
Step 3:
Login to System-1 as the respective user and create a new file authorized_keys in that user's home directory:
.ssh/authorized_keys
cd .ssh/
vi authorized_keys
Paste the content you copied from system-1 here (the public key content).
:wq
Note: passwordless login works only for that respective user, not for other users, since we generated the key as that respective user.
Login as the respective user and execute the commands below to test.
su test
ssh user@system-1
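As an added example (not part of these notes), the following Python function performs Steps 2 and 3 above safely: it appends a public key to the user's .ssh/authorized_keys, skips a key that is already present, and sets the 0700/0600 permissions that sshd's StrictModes check requires before it will accept the key. The key string, home directory and key comments are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed example key (not a real key; the notes show no key material).
EXAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexamplekey0000 user@system-1"

def _key_id(line):
    # Identify a key by type + base64 blob; the trailing comment may differ.
    return tuple(line.split()[:2])

def install_authorized_key(home, pubkey):
    """Steps 2 and 3 above, done safely: append pubkey to
    <home>/.ssh/authorized_keys unless it is already there, and enforce the
    permissions sshd (StrictModes yes) insists on: .ssh 0700, file 0600.
    Returns True if the key was added, False if it was already present."""
    pubkey = pubkey.strip()
    parts = pubkey.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-sha2-", "sk-")):
        raise ValueError("not an OpenSSH public key line: %r" % pubkey)
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is subject to umask; force it
    keyfile = ssh_dir / "authorized_keys"
    existing = keyfile.read_text().splitlines() if keyfile.exists() else []
    known = {_key_id(l) for l in existing if l.strip()}
    added = _key_id(pubkey) not in known
    if added:
        with keyfile.open("a") as fh:
            fh.write(pubkey + "\n")
    os.chmod(keyfile, 0o600)
    return added

def authorized_key_count(home):
    keyfile = Path(home) / ".ssh" / "authorized_keys"
    return sum(1 for l in keyfile.read_text().splitlines() if l.strip())

def demo():
    """Install the same key twice (second time with a different comment) and
    report (first_added, second_added, key_count, file_mode, dir_mode)."""
    with tempfile.TemporaryDirectory() as home:
        first = install_authorized_key(home, EXAMPLE_PUBKEY)
        second = install_authorized_key(home, EXAMPLE_PUBKEY.replace("user@system-1", "pasted-again"))
        ssh_dir = Path(home) / ".ssh"
        file_mode = stat.S_IMODE((ssh_dir / "authorized_keys").stat().st_mode)
        dir_mode = stat.S_IMODE(ssh_dir.stat().st_mode)
        return first, second, authorized_key_count(home), file_mode, dir_mode
```

Run demo() to see the key installed once, the re-paste rejected as a duplicate, and the modes sshd expects.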
By default you can ssh to the server as root. It is best not to allow root to login directly to the server. Instead, you should login to the system with your own account and then do su - to become root.
If you have multiple sysadmins in your organization and they all login to the server directly as root, you might not know which sysadmin logged in as root. If you disable root login, sysadmins are forced to login with their own accounts first, before they can do su -, which makes auditing easier.
Add the following entry to sshd_config to disable direct root login to the server.
$ vi /etc/ssh/sshd_config
PermitRootLogin no
By default anybody who authenticates successfully is allowed to login. Instead, you can restrict which users (or groups) are allowed to login to the system.
This is helpful when you have created several user accounts on the system but want only a few of them to be able to login.
This is also helpful when you are using NIS, OpenLDAP (or some other external system) for authentication. Every user in your company might have an account in NIS, OpenLDAP etc., but on a specific server you want only a few of them to login. For example, on a production system you want only sysadmins to login.
Add the following entry to the sshd_config file to allow only specific users to login to the system. In the example below only ramesh, john and jason can login to this system. Usernames should be separated by spaces.
$ vi /etc/ssh/sshd_config
AllowUsers ramesh john jason
Add the following entry to the sshd_config file to allow only users who belong to specific groups to login. In the example below only members of the sysadmin and dba groups can login to this system.
$ vi /etc/ssh/sshd_config
AllowGroups sysadmin dba
Instead of allowing specific users (or groups), you can also deny specific users or groups.
Add the following entry to the sshd_config file to deny specific users from logging in to the system. In the example below cvs, apache and jane cannot login to this system. Usernames should be separated by spaces.
$ vi /etc/ssh/sshd_config
DenyUsers cvs apache jane
Add the following entry to the sshd_config file to deny login to users who belong to a specific group. In the example below users who belong to the developers and qa groups cannot login to the system.
$ vi /etc/ssh/sshd_config
DenyGroups developers qa
Note: You can use a combination of all the Allow and Deny directives. They are processed in this order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
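The processing order in the note above, worked through as an added Python example (not part of these notes): a small parser for the Allow/Deny lines and a function that applies them in sshd's order and reports which directive made the decision. It also shows that when both AllowUsers and AllowGroups are set, a user must satisfy both. The config fragment is constructed from the directives on this page; wildcard matching via fnmatch and the omission of USER@HOST patterns are simplifications of sshd's own matcher.

```python
import fnmatch

# Constructed sshd_config fragment combining the directives from these notes.
SSHD_CONFIG = """
PermitRootLogin no
DenyUsers cvs apache jane
AllowUsers ramesh john jason
DenyGroups developers qa
AllowGroups sysadmin dba
"""

def parse_sshd_config(text):
    """Collect directive values keyed by lower-cased keyword.
    Repeated Allow/Deny lines are merged, as sshd does for these list
    directives. Comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        conf.setdefault(key.lower(), []).extend(values)
    return conf

def _matches(name, patterns):
    # sshd patterns allow '*' and '?' wildcards; USER@HOST forms are not modelled.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def login_decision(conf, user, groups):
    """Evaluate the directives in sshd's documented order:
    DenyUsers, AllowUsers, DenyGroups, then AllowGroups.
    Returns (allowed, name of the directive that decided)."""
    if _matches(user, conf.get("denyusers", [])):
        return False, "DenyUsers"
    if "allowusers" in conf and not _matches(user, conf["allowusers"]):
        return False, "AllowUsers"
    if any(_matches(g, conf.get("denygroups", [])) for g in groups):
        return False, "DenyGroups"
    if "allowgroups" in conf and not any(_matches(g, conf["allowgroups"]) for g in groups):
        return False, "AllowGroups"
    return True, "allowed"

if __name__ == "__main__":
    conf = parse_sshd_config(SSHD_CONFIG)
    for user, groups in [("ramesh", ["sysadmin"]), ("jane", ["sysadmin"]),
                         ("john", ["developers", "sysadmin"]), ("jason", ["users"])]:
        print(user, groups, login_decision(conf, user, groups))
```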
By default ssh runs on port 22. Most attackers will check whether a server is open on port 22 and will brute-force logins to the server using many username and password combinations. If you change the port number to something different, others need to know exactly which port to use to login to the server using ssh. The example below uses port 222 for ssh.
$ vi /etc/ssh/sshd_config
Port 222
vi /etc/services
ssh 222/tcp
ssh 222/udp
From your logs (/var/log/secure), if you see a lot of invalid ssh logins for accounts that don't exist on your system, coming from IP addresses that you don't recognize, it might be a brute-force attack. Those kinds of invalid ssh logins will stop if you change the port number.
Please note that this causes a little inconvenience to your team who login to the system, as they need to know both the IP address and the port number.
Add the following entry to the sshd_config file to change the login grace time from 2 minutes to 1
minute.
$ vi /etc/ssh/sshd_config
LoginGraceTime 1m
Once you've successfully logged in to the system, you might want to be disconnected when there is no activity for x minutes. This is basically an idle timeout.
ClientAliveCountMax: the number of client alive messages the ssh server may send without getting any response from the ssh client. Default is 3.
ClientAliveInterval: the timeout in seconds. After x seconds without activity, the ssh server sends a message to the client asking for a response. Default is 0 (the server will not send messages to check on the client).
If you want the ssh client to exit (timeout) automatically after 10 minutes (600 seconds), modify the sshd_config file and set the following two parameters as shown below.
$ vi /etc/ssh/sshd_config
ClientAliveInterval 600
ClientAliveCountMax 0
Note: on OpenSSH 8.2 and later, ClientAliveCountMax 0 disables connection termination entirely, so a non-zero count is needed there for the idle timeout to take effect.