SSH (Secure Shell) is one of the most secure and convenient ways to access a remote server for management. This tutorial describes everything needed to configure SSH access to a CentOS/RHEL server from a client machine.
Server side:
Normally in RHEL/CentOS the SSH service comes preinstalled. You can check by running the following command.
[root@server ]# yum list installed | grep ssh
libssh2.x86_64          1.4.3-10.el7
openssh.x86_64          6.6.1p1-22.el7
openssh-clients.x86_64  6.6.1p1-22.el7
openssh-server.x86_64   6.6.1p1-22.el7
Next we start the ssh service and configure it to start automatically every time the server boots, using the following command.
[root@server ~]# systemctl start sshd && systemctl enable sshd
This is pretty much the basic configuration needed on the server side to reach the SSH service. Further configuration is needed if you want to access graphical applications via SSH or want to make it more secure; both are discussed later in the post.
Logging in from the client:
MacOS :
Open Terminal (press Cmd+Space, type terminal and press Enter).
The syntax of the ssh command is ssh username@hostname. If your server has a FQDN, use that as the hostname; otherwise use the IP address of the server. So to connect to the server with IP address 192.168.8.106 as user “root”, the command is:
$ ssh root@192.168.8.106
It will prompt for the password of the user “root”. When you connect to a server for the first time, you will see a message like:
The authenticity of host '192.168.8.106 (192.168.8.106)' can't be established.
ECDSA key fingerprint is SHA256:****************
Are you sure you want to continue connecting (yes/no)?
Type yes and press Enter.
Windows :
To access a server from a Windows machine, we need to download an SSH client called PuTTY.
Once PuTTY has started, the rest is straightforward. Fill in the IP address, select SSH as the connection type and click Open. It will prompt for the username and the password.
Accessing graphical application through SSH
Although most system admins accomplish their work from the command line, every now and then a situation arises where a graphical environment comes in handy. In order to access graphical applications, we need to make changes in a couple of configuration files on the server.
Open /etc/ssh/ssh_config in your text editor of choice. Note that ssh_config is the client-side configuration, so this file only matters on a machine that also runs the ssh client; the server-side switch is the X11Forwarding option in sshd_config, edited in the next step.
Look for the line “#ForwardX11 no”, remove the leading # to uncomment it and change the “no” parameter to “yes”.
# Host *
#   ForwardAgent no
    ForwardX11 yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
Next edit the /etc/ssh/sshd_config file. Change the lines containing X11Forwarding and X11DisplayOffset to look like this.
X11Forwarding yes
X11DisplayOffset 10
Now restart the ssh service:
systemctl restart sshd
To get GUI access through SSH, we also need an X server application running on our local machine.
Mac OS:
For Mac we can download the XQuartz app. Once it is installed, go back to Terminal. This time use the -X option in the ssh command.
$ ssh -X root@192.168.8.106
Once logged in, we can start a graphical application on our Linux server and it will appear on our local screen.
Windows:
For an X server on Windows, we will download a program called Xming. Once Xming is installed, start the “XLaunch” program from the program list and finish the initial configuration as follows. Keep the app running.
Now start PuTTY again. On the left side expand Connection > SSH > Auth > X11 and tick the “Enable X11 forwarding” checkbox. Now go back to Session and connect as usual.
Securing the SSH login:
Although SSH is pretty secure with its basic settings, there is no such thing as “secure enough”; there is always room for improvement. To enhance the security of the SSH login, the following steps can be taken.
Change the default port number:
SSH listens on TCP port 22 by default, which attackers also know. We will change it to a custom port number to cut down on the automated attacks aimed at the default port (this only reduces noise; it is no substitute for the other steps below). To change the default port, open the /etc/ssh/sshd_config file. Change the “Port 22” line to your chosen port number (just make sure it is above 1024) and uncomment it. I have chosen 2026 for my lab.
Port 2026
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Restart the ssh service. On CentOS/RHEL with SELinux enforcing, sshd is only allowed to bind the ports labelled ssh_port_t (22 by default), so label the new port first with semanage port -a -t ssh_port_t -p tcp 2026 (semanage is in the policycoreutils-python package on CentOS 7); otherwise the service will fail to start.
Now to complete the setup we need to open the port in our firewall. Since we are running firewalld, enter the following commands.
[root@server ~]# firewall-cmd --permanent --add-port=2026/tcp
[root@server ~]# firewall-cmd --reload
Now to connect to the server we need to give the port number to the ssh command (and change the port in the PuTTY connection on Windows).
ssh -p 2026 root@192.168.8.106
Disable root login
Another step we can take to secure our server is to disable root login via SSH. Why? To log in, an attacker has to figure out both the username and the password of an account. With the “root” account, which is present on every Linux system, the attacker already knows the username. By using a different user account, the attacker has to guess both the username and the password. To disable root login, open the /etc/ssh/sshd_config file, change the line “#PermitRootLogin yes” to “PermitRootLogin no” (uncommenting it), and restart the sshd service after editing.
# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Once logged in as a different user, we can use the su command to become root.
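The sshd_config edits from the X11 section and the two hardening steps above, gathered into one idempotent script. This is an added example, not code from the original post; it assumes a stock sshd_config without Match blocks, and the sample file it edits at the bottom is constructed rather than /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: apply this post's sshd_config changes in one idempotent step.
# Assumes a stock sshd_config with no Match blocks (keys inside one would be moved).

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." or "#KEY ..." line as "KEY VALUE" (sshd keys are
# case-insensitive), drops later duplicates (sshd uses the first occurrence) and
# appends the line if the key is absent. The result is written back through the
# original file so its mode and SELinux label are preserved.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and "#"
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the value sshd would use (first active line).
get_sshd_option() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT: the four settings changed in the post.
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" X11Forwarding yes
    set_sshd_option "$1" X11DisplayOffset 10
}

# Constructed sample mirroring the stock file's commented defaults (not /etc/ssh).
demo=$(mktemp)
printf '%s\n' '#Port 22' '#AddressFamily any' '#PermitRootLogin yes' \
    '#X11Forwarding no' '#X11DisplayOffset 10' '#MaxAuthTries 6' > "$demo"
harden_sshd_config "$demo" 2026
cat "$demo"   # changed lines read: Port 2026, PermitRootLogin no, X11Forwarding yes, X11DisplayOffset 10
rm -f "$demo"
```

On the real server, run sshd -t after the edit and before systemctl restart sshd, so a typo in the file cannot lock you out of the session you are working from.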
Use key-based login instead of a password:
From a Mac client:
Enter the following command:
ssh-keygen -t rsa
Press Enter to accept the default name and location for the key file, and again at the passphrase prompts. Note that an empty passphrase leaves the private key unencrypted on disk, so anyone who copies the file can use it; a passphrase protects the key if the client machine is compromised. Once key generation is finished we need to copy the public key to the server. Enter the following command:
ssh-copy-id user1@192.168.8.106
Here user1 is a user account on the server machine. Press Enter; it will prompt for the password of user1 on the server. From then on, to connect to the server as user1 we simply use the command “ssh user1@192.168.8.106” and we are connected without any password. Since no password is exchanged in this method, there is no password for anyone to steal.
On Windows:
Install the PuTTYgen program. Once it has started, select key type “SSH-2 RSA” in the bottom panel and follow the on-screen instructions to generate the key.
Once generated, log in to the server using PuTTY and open the file /root/.ssh/authorized_keys in a text editor. Go back to the PuTTYgen window and select all the text in the “Public key for pasting into OpenSSH authorized_keys file” box. Then paste that content into the open authorized_keys file in the PuTTY terminal.
Save the file and exit PuTTY. In the PuTTYgen window, click on “Save private key”.
Now open PuTTY and go to Connection > SSH > Auth. Under “Authentication parameters”, click Browse and select the private key file that we saved in the previous step. Now we can connect to our server without entering a password.
Hopefully this post helps you configure SSH access to your server correctly. If you have any further comments or feedback, please let me know in the comments.