Thursday, January 21, 2016

RHEL7: Configuring and securing the openssh service:

To connect to a remote host as the current user:
ssh 192.168.122.1

[root@localhost ~]# ssh 192.168.122.1 (here the current user is root, so we log in as root on the remote host as well)
The authenticity of host '192.168.122.1 (192.168.122.1)' can't be established.
ECDSA key fingerprint is a1:48:e8:2b:14:09:43:19:be:44:31:eb:0a:65:7e:c8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.122.1' (ECDSA) to the list of known hosts.
root@192.168.122.1's password:
Last login: Thu Jan 21 11:02:35 2016

Connect to a remote shell as a different user. Now I am root here and I want to connect as ashok on the remote host, then:
ssh ashok@remotehost
[root@localhost ~]# ssh ashok@192.168.122.1
ashok@192.168.122.1's password:
Last login: Thu Jan 21 14:31:50 2016 from 192.168.122.1

Displaying and changing the hostname of the remote host:

[ashok@localhost ~]$ ssh ashok@192.168.122.1 hostname
ashok@192.168.122.1's password:
localhost.localdomain
[ashok@localhost ~]$ hostname ashok
hostname: you must be root to change the host name
[ashok@localhost ~]$ su -
Password:
Last login: Thu Jan 21 14:28:01 EST 2016 from 192.168.122.1 on pts/4
[root@localhost ~]# hostname remoteuser
[root@localhost ~]# hostname
remoteuser
[root@localhost ~]# su ashok
[ashok@remoteuser root]$ cd
[ashok@remoteuser ~]$ exit
exit
[root@localhost ~]# ssh ashok@192.168.122.1
ashok@192.168.122.1's password:
Last login: Thu Jan 21 14:39:44 2016
[ashok@remoteuser ~]$

SSH host keys:

The first time a user uses ssh to connect to a particular server, the server's public host key is stored in the user's ~/.ssh/known_hosts. During each subsequent login
the client checks that the server's key matches the stored one and only then allows the connection.

Configuring ssh key-based authentication:
To connect to the remote host, as discussed earlier, the host key must match; there is also a secure way of connecting in which we do not need to type a password:
For that we need to use the following commands (this is called public key authentication):


First of all:
[ashok@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ashok/.ssh/id_rsa):
/home/ashok/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ashok/.ssh/id_rsa.
Your public key has been saved in /home/ashok/.ssh/id_rsa.pub.
The key fingerprint is:
12:8e:eb:23:bd:7c:26:18:58:d9:4e:db:35:19:d1:c6 ashok@remoteuser
The key's randomart image is:
+--[ RSA 2048]----+
|        .+       |
|        . E      |
|   o  .  +       |
|  o oo .+        |
| o o.oo.S.       |
|. . o...         |
|   +.            |
|  oo+ o          |
|   .+*           |
+-----------------+
[ashok@localhost ~]$ ssh-copy-id ashok@192.168.122.1
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ashok@192.168.122.1's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'ashok@192.168.122.1'"
and check to make sure that only the key(s) you wanted were added.

[ashok@localhost ~]$ ssh ashok@192.168.122.1
Last login: Thu Jan 21 16:10:14 2016 (notice that previously it asked for a password, but now it has not)
This is what we can do with ssh-keygen to log in to any remote host that we have access to.


Customizing the ssh service configuration:
Restricting ssh logins:
First of all we have to generate ssh keys for the remote host:


[ashok@localhost ~]$ ssh-keygen
After completing the interactive steps of this command, we need to run ssh-copy-id remotehost (this copies the public key to the remote host):

[ashok@localhost ~]$ ssh-copy-id 192.168.122.1

After the above command finishes, try logging into the remote host:

[ashok@localhost ~]$ ssh ashok@192.168.122.1
Last login: Thu Jan 21 16:40:17 2016 from 192.168.122.1
After logging in, gain root privileges:

[ashok@remoteuser ~]$ su -
Password:
Last login: Thu Jan 21 16:34:35 EST 2016 on pts/1
[root@remoteuser ~]#
Now configure ssh on remoteuser to prevent root logins:

[root@remoteuser ~]# vi /etc/ssh/sshd_config
PermitRootLogin no

[root@remoteuser ~]# systemctl restart sshd

Again, to prevent password authentication:

[root@remoteuser ~]# vi /etc/ssh/sshd_config
PasswordAuthentication no

[root@remoteuser ~]# systemctl restart sshd
Now try connecting as root to the remote host again: this time it is denied without asking for a password.
Last time it asked for a password; now it does not, because we added PasswordAuthentication no to /etc/ssh/sshd_config.
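As an added example (not from the original post), here is a small POSIX shell check of which value sshd would actually take for PermitRootLogin and PasswordAuthentication in a given sshd_config: sshd uses the first occurrence of a keyword, so a "no" line appended at the bottom of the file can be shadowed by an earlier "yes". The sample config and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report the value sshd will
# actually use for a keyword. sshd takes the FIRST occurrence of a keyword
# and ignores later duplicates, keywords are case-insensitive, and lines
# after a "Match" block are conditional, so a hardening line simply appended
# to the end of sshd_config may have no effect.

# sshd_effective <config-file> <keyword>: prints the effective value, or
# "default" when the keyword is never set before the first Match block.
sshd_effective() {
    conf="$1"
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        { sub("#.*", ""); if ($0 ~ /^[ \t]*$/) next }  # drop comments, blanks
        tolower($1) == "match" { exit }                 # global section ends here
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, parts, "[ \t=]+")               # "Key value" or "Key=value"
            if (tolower(parts[1]) == key) { print parts[2]; found = 1; exit }
        }
        END { if (!found) print "default" }
    ' "$conf"
}

# check_hardening <config-file>: verify the two settings from the post.
check_hardening() {
    status=0
    for kv in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${kv% *}; want=${kv#* }
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then echo "OK   $key $got"
        else echo "FAIL $key is '$got' (want '$want')"; status=1; fi
    done
    return $status
}

# Constructed sample: the "no" lines were appended at the bottom, but an
# earlier "PermitRootLogin yes" still wins.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PermitRootLogin no
passwordauthentication no
EOF

check_hardening "$SAMPLE_CONF" || echo "fix the FIRST PermitRootLogin line, then run sshd -t and restart sshd"
```

On the RHEL7 host itself, `sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` prints the effective values directly, and `sshd -t` checks the file for syntax errors before `systemctl restart sshd`.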


