Lesson 9.3: Configure key-based authentication for SSH


Root Permission for SSH (Both Client and Server)

  • By default sshd refuses password logins for root (the shipped setting is PermitRootLogin prohibit-password; root can still log in with a key). To allow password logins for root, set PermitRootLogin yes in /etc/ssh/sshd_config on the machine you want to log in to. Treat this as a lab convenience: on a production host keep the default and log in as an unprivileged user with sudo.
  • Before answering yes to the host-key prompt, compare the fingerprint shown with the output of ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the target; that first "yes" is the only check the client ever makes.
  • [root@server ~]# systemctl restart sshd
[root@server ~]# hostname -I
192.168.205.100 192.168.203.1
[root@server ~]# ssh root@192.168.205.101
The authenticity of host '192.168.205.101 (192.168.205.101)' can't be established.
ED25519 key fingerprint is SHA256:HOPA4UyrPYpCEWcP4vMfeocqZn9r5fEBYgg9+lXNyeY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.101' (ED25519) to the list of known hosts.
root@192.168.205.101's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Mon Sep 30 21:04:22 2024
[root@client ~]# useradd server1
[root@client ~]# passwd server1

Deny Users to SSH

  • Add DenyUsers to /etc/ssh/sshd_config, for example: DenyUsers server1.
  • The user server1 is now refused by sshd even when the password is correct. The client sees the same "Permission denied" it would get for a wrong password, so check /var/log/secure (or journalctl -u sshd) on the server to tell the two apart.
  • [root@server ~]# systemctl restart sshd
# From Host
[sanjeeb@client ~]$ ssh server1@192.168.205.101
The authenticity of host '192.168.205.101 (192.168.205.101)' can't be established.
ED25519 key fingerprint is SHA256:HOPA4UyrPYpCEWcP4vMfeocqZn9r5fEBYgg9+lXNyeY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: 192.168.208.136
    ~/.ssh/known_hosts:4: 192.168.208.130
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.101' (ED25519) to the list of known hosts.
server1@192.168.205.101's password:
Permission denied, please try again.

Allow only a selected user's SSH login

  • Add AllowUsers to /etc/ssh/sshd_config, for example: AllowUsers sanjeeb.
  • Once AllowUsers is set, every user not listed is refused, so server1 (and root) can no longer log in. sshd evaluates DenyUsers first, then AllowUsers, then DenyGroups, then AllowGroups; a user who appears on both lists is denied.
  • [root@server ~]# systemctl restart sshd
[root@client ~]# ssh sanjeeb@192.168.205.101
sanjeeb@192.168.205.101's password:
Last login: Mon Sep 30 21:17:13 2024 from 192.168.205.101
lOGIN FROM SANJEEB!!
[sanjeeb@client ~]$ ssh server1@192.168.205.101
server1@192.168.205.101's password:
Permission denied, please try again.

Configure SSH Server to Listen on the Non Default Port

  • Modify the configuration file /etc/ssh/sshd_config.
  • Uncomment Port 22 and change it to Port 4488 (any unused port you choose). A non-default port only hides sshd from the laziest scanners; it is not a substitute for key-only authentication.
  • If SELinux is in enforcing mode, label the new port first; otherwise sshd is denied the bind and fails to start. semanage comes from the policycoreutils-python-utils package.
[root@client ~]# semanage port -a -t ssh_port_t -p tcp 4488
  • A service on a non-default port must be opened in the firewall as well. Note that the ssh service (port 22) is still listed afterwards; remove it with firewall-cmd --permanent --remove-service=ssh once a login on the new port works.
[root@client ~]# firewall-cmd --permanent --add-port=4488/tcp
success
[root@client ~]# firewall-cmd --reload
success
[root@client ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 4488/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
  • Restart sshd on the remote host. Run sshd -t first to catch syntax errors, and keep your current session open until a fresh login on the new port succeeds; a broken sshd_config otherwise locks you out.
[root@client ~]# systemctl restart sshd
  • Check the SSH connection from the Server with -p 4488 (or set Port in ~/.ssh/config for the host).
[root@server ~]# ssh -p 4488 sanjeeb@192.168.205.101
sanjeeb@192.168.205.101's password:
Last login: Mon Sep 30 21:31:44 2024 from 192.168.205.101
lOGIN FROM SANJEEB!!
[sanjeeb@client ~]$
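The four changes above (PermitRootLogin, DenyUsers, AllowUsers, Port) are the same operation each time: edit one directive in /etc/ssh/sshd_config, validate, restart sshd. The script below is an added example, not part of the lesson, that does the edit idempotently and avoids two mistakes hand-editing invites: sshd uses the first occurrence of a directive, so a leftover copy above yours silently wins, and anything below a Match line only applies inside that block. The file path and directive names are the lesson's; the function names and the SSHD_CONFIG variable are this example's own.

```shell
#!/bin/sh
# Added example (not the lesson's code): set one sshd_config directive safely.
set -eu

# sshd_set FILE DIRECTIVE VALUE
# Removes every active or commented copy of DIRECTIVE, then writes exactly one
# line before the first Match block (or at the end if there is none).
# The result is written through cat so FILE keeps its owner and mode.
sshd_set() {
    tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        # first keyword of a line, with leading whitespace and "#" stripped
        function word1(s) { sub(/^[ \t]*#?[ \t]*/, "", s); split(s, f, "[ \t=]+"); return tolower(f[1]) }
        word1($0) == tolower(k) { next }
        !done && word1($0) == "match" && $0 !~ /^[ \t]*#/ { print k " " v; done = 1 }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# sshd_get FILE DIRECTIVE
# Prints the global value: the first active occurrence above any Match block,
# which is what sshd itself uses (Include files are not followed here).
sshd_get() {
    awk -v k="$2" '
        { s = $0; sub(/^[ \t]+/, "", s) }
        s ~ /^#/ || s == "" { next }
        { split(s, f, "[ \t=]+") }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == tolower(k) { sub(/^[^ \t=]+[ \t=]+/, "", s); print s; exit }
    ' "$1"
}

# sshd_check FILE DIRECTIVE
# Syntax-check before restarting, then show the value sshd will really use
# after Include files and first-match precedence (sshd -T needs root to read
# the host keys). A bad config makes the restart fail, and if you are logged
# in over SSH that is the last session you get.
sshd_check() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed here; skipping check" >&2; return 0; }
    sshd -t -f "$1" && sshd -T -f "$1" | grep -i "^$2 "
}

# Usage: sshd_set.sh PermitRootLogin no   (edits /etc/ssh/sshd_config unless
# SSHD_CONFIG points elsewhere), then: systemctl restart sshd
if [ "$#" -ge 2 ]; then
    cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}
    sshd_set "$cfg" "$1" "$2"
    printf '%s is now: %s\n' "$1" "$(sshd_get "$cfg" "$1")"
    sshd_check "$cfg" "$1"
fi
```

On RHEL 9 the stock sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, and included files are read first, so a directive already set in a drop-in there beats anything written to the main file; sshd -T shows which value actually won. Run the script, confirm with sshd -t and sshd -T, and only then systemctl restart sshd.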

Secured Copy

Copy a remote directory to the local machine (-r recurses into directories):
[root@server mybackups]# scp -r root@192.168.205.101:/root/serverbackup /root/mybackups
root@192.168.205.101's password:
[root@server mybackups]# ls
serverbackup
[root@server mybackups]# ls serverbackup/
f1  f2  f3  f4  f5  f6  f7

Transfer local files to remote directory

[root@server ~]# scp -r /root/filestosend root@192.168.205.101:/root/filestoreceive
root@192.168.205.101's password:
f11    100%    0     0.0KB/s   00:00
f12    100%    0     0.0KB/s   00:00
f13    100%    0     0.0KB/s   00:00
f14    100%    0     0.0KB/s   00:00

RSYNC

# BACKUP SERVER
[root@backupserver rsync_backup]# pwd
/root/rsync_backup
[root@backupserver rsync_backup]# hostname -I
192.168.205.101 192.168.206.17
# HOST SERVER
[root@server developer]# ls
file1
[root@server developer]# rsync --rsh=ssh -r /root/developer/* root@192.168.205.101:/root/rsync_backup
root@192.168.205.101's password:
# BACKUP SERVER
[root@backupserver rsync_backup]# ls
file1

Creating a shell script for network backup

The script needs a key with an empty passphrase so it can run unattended; that key is a plain-text credential for root on the backup server, so keep it mode 0600 and use a dedicated key rather than your interactive one.

# HOST MACHINE
[root@server ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:YOIJ0vrE2iqmT3BeoU/sz5lZ0n0EMbuTEHl4bOyx1A8 root@server
The key's randomart image is:
+---[RSA 3072]----+
| .=o. |
| . o.O+E |
|. o o o .*oo o |
| + = = . .o+ . |
|o = * S + . |
| O = . . o |
|. = o . o . . |
|.+ o * . |
|*.. * |
+----[SHA256]-----+
[root@server ~]# cd .ssh
[root@server .ssh]# ls
id_rsa  id_rsa.pub  known_hosts  known_hosts.old
[root@server .ssh]# ssh-copy-id root@192.168.205.101
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.205.101'"
and check to make sure that only the key(s) you wanted were added.

# Now it won't ask for a password when logging into the remote machine
[root@server ~]# ssh root@192.168.205.101
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Mon Sep 30 21:46:08 2024
[root@backupserver ~]#
# Making a script for rsync in the host machine (the lesson's rsync call takes --rsh=ssh with two dashes)
[root@server ~]# cd /root/scripts/
[root@server scripts]# ls
network_backup.sh
[root@server scripts]# cat network_backup.sh
#!/bin/bash
# Network backup script
rsync --rsh=ssh -r /root/developer/* root@192.168.205.101:/root/rsync_backup
# Running the script
[root@server scripts]# network_backup.sh
# Adding a new file
[root@server scripts]# touch /root/developer/file4
[root@server scripts]# ls /root/developer/
fil2  file1  file3  file4
[root@server scripts]# network_backup.sh
[root@server scripts]#
# Backup of file4 takes place after the script runs in the host machine (Backup Server)
[root@backupserver rsync_backup]# ls
fil2  file1  file3  file4
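The lesson's network_backup.sh works, but it authenticates with root's general-purpose key, has no error handling, and its unquoted /root/developer/* glob skips dotfiles and fails on an empty directory. Below is an added example (not the lesson's script, and it also stands in for the RSYNC section above) of the same rsync-over-SSH backup done the way a practitioner would ship it: a dedicated ed25519 key, an authorized_keys entry on the backup server that pins the key to the source address and strips everything except the rsync session, a permission check on the key, and non-interactive ssh options so a cron run fails loudly instead of hanging on a prompt. The key path /root/.ssh/backup_ed25519, port 4488 and the BACKUP_* variable names are this example's assumptions; the hosts and directories are the lesson's.

```shell
#!/bin/sh
# Added example, not the lesson's network_backup.sh: key-based rsync backup
# with the checks the original omits. Assumed: dedicated key
# /root/.ssh/backup_ed25519, backup host 192.168.205.101, sshd on 4488.
set -eu

BACKUP_KEY=${BACKUP_KEY:-/root/.ssh/backup_ed25519}
BACKUP_HOST=${BACKUP_HOST:-192.168.205.101}
BACKUP_PORT=${BACKUP_PORT:-4488}
SRC=${SRC:-/root/developer/}        # trailing slash: copy the contents, dotfiles included
DEST=${DEST:-/root/rsync_backup/}

# key_perms_ok KEYFILE: an unencrypted key used by cron must be owner-only;
# ssh itself refuses a private key with any group/other bits set.
key_perms_ok() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# authorized_keys_entry SOURCE_IP PUBKEY_FILE
# Line for /root/.ssh/authorized_keys on the backup server: the key only works
# from SOURCE_IP, and "restrict" disables pty, port/agent/X11 forwarding and
# user rc, none of which rsync needs. ssh-copy-id would install it unrestricted.
authorized_keys_entry() {
    printf 'from="%s",restrict %s\n' "$1" "$(cat "$2")"
}

# run_backup SRC DEST (DEST is a local path or user@host:path)
# -a preserves mode, owner and times (the lesson's -r does not);
# BatchMode=yes fails instead of waiting at a password prompt if the key is
# missing; StrictHostKeyChecking=yes refuses an unknown host key rather than
# silently trusting it (assumes the key path contains no spaces).
run_backup() {
    key_perms_ok "$BACKUP_KEY" || { echo "refusing: $BACKUP_KEY is not mode 0600" >&2; return 1; }
    rsync -a \
        -e "ssh -i $BACKUP_KEY -p $BACKUP_PORT -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        "$1" "$2"
}

# Usage: network_backup.sh run   (cron-safe: no prompts, non-zero exit on any failure)
if [ "${1:-}" = run ]; then
    run_backup "$SRC" "root@$BACKUP_HOST:$DEST"
fi
```

To set it up: generate the key on the host machine with ssh-keygen -t ed25519 -N '' -f /root/.ssh/backup_ed25519, then append the output of authorized_keys_entry 192.168.205.100 /root/.ssh/backup_ed25519.pub to /root/.ssh/authorized_keys on the backup server. Make the first connection by hand so the backup server's host key is recorded in known_hosts; after that StrictHostKeyChecking=yes will stop the job if that key ever changes. --delete is deliberately left out: it would propagate a wiped source directory to the backup.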

© 2023-2025 Sanjeeb KC. All rights reserved.