SSH is the only way one should be connecting a remote shell to their Linux machines. SSH can provide remote shells, secure FTP (SFTP) and functions nicely as a tunnel for rsync. SSH comes with every distribution, 99% anyways, is easy to setup and provides excellent security. This article speaks about OpenSSH 4.2, other implementations exist.
SSH Server Daemon
The sshd daemon provides the server portion of SSH; it's configuration is usually located at /etc/ssh/sshd_config.
Distributions vary on the defaults in here, some support protocol one and two, some only two.
Regardless of your distribution below are relevant portions of a fairly tightend server with inline comments.
Noteably root is denied, passwords are disabled and groups are restricted.
Read man sshd_config.
# limit protocol and listen address ListenAddress 1.2.3.4 Protocol 2 # Restrict Logins, keys only, 20s timeout LoginGraceTime 20 MaxAuthTries 2 PermitRootLogin without-password PasswordAuthentication no # disable this stuffs UsePAM no PrintMotd no UseDNS no
SSH Authorized Keys Automatic Login
SSH can automatically authenticate connections when the client presents an authorized key. A client gives it's public key to a server and then when it connects the server knows it's allowed in and automatically allows the connection. The Keys are specific to users, so a key for user_a will not let user_b in.
Few Simple Steps
- Create Keys
If the keys don't exists already you must create them. Look in your ~/.ssh for files called id_rsa and id_rsa.pub. If those files don't exist say
ssh-keygen -b 2048 -t rsato create them. - Place Keys on Server
Copy
id_rsa.pubto the server then append that to~/.ssh/authorized_keys
In the Creo section we have a script to automate this process.
Optionally you can use a DSA key, simply replace `rsa` with `dsa` above.
Once this public side is added to the users authorized_keys on the server the user can connect w/o a password.
We can see the process by running ssh in verbose mode: ssh -v with some output trimmed below, important stuff in bold
user@host $ ssh john@remote.host.tld OpenSSH_5.5p1, OpenSSL 1.0.0a 1 Jun 2010 debug1: Reading configuration data /home/user/.ssh/config debug1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to ... debug1: fd 3 clearing O_NONBLOCK debug1: Connection established. debug1: identity file /home/user/.ssh/id_rsa type 1 debug1: identity file /home/user/.ssh/id_rsa-cert type -1 debug1: identity file /home/user/.ssh/id_dsa type -1 debug1: identity file /home/user/.ssh/id_dsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.5 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024>1024>8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'remote.host.tld' is known and matches the RSA host key. debug1: Found key in /home/user/.ssh/known_hosts:1 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering public key: /home/user/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: Sending environment. john@remote ~ $
Command Restriction
One super cool feature of RSA key authentication is that commands can be restricted so one key can do only one thing, very neat. This allows for very high level of automation & security on say, backup scripts, monitoring scripts, maintenance scripts, etc.
Create a line as follows in the /home/john/.ssh/authorized_keys file for the server side user.
command="/usr/bin/rsync -a /opt/company/ /mnt/backup/company/" ssh-rsa [ KEY HERE ] backup@autobot.domain.tld
With this command when a client connects as the user John and presents the matching RSA key the SSH server will run that command, then terminate the connection. Other command options can be given.
At Edoceo we use this method for backups, allowing an unprivilged user on a central host to issue commands to remote hosts by connecting with a specific key (ssh -i [key file]).