Working with SSH Servers on SUSE Linux Enterprise

Hands-On Lab

Ross Brunson

Linux Training Architect II

Length

00:45:00

Difficulty

Intermediate

In this lab, you'll look at the SSH client and server options that work together to make secure connections, including the ssh_config and sshd_config files. You'll view the file configurations and make some changes that ensure root users are not allowed to sign on via SSH. Additionally, you'll configure your user environment and a remote server to allow for password-less ssh connections between the two systems using ssh-keygen, the ssh-agent, and the ssh-add commands to enable your shell for such access.

Working with SSH Servers

Introduction

Connecting to an SSH server is one thing, but being the person responsible for the safety and security of that server is another set of tasks and responsibilities. Knowing what to do in order to properly configure, secure, and maintain your SSH server is an important skill to have.

Solution

Log in to the Server1 server using the credentials provided:

ssh cloud_user@<SERVER1_PUBLIC_IP_ADDRESS>

Remember: Instead of having to copy/paste or type out entire commands you've run before or slightly different versions of previous commands, you can hit the up arrow key to go through your history of commands. Much easier and saves a bit of time.

View and Modify the SSH Client and SSH Server Configurations to Allow Proper Access via SSH

  1. View the client configuration:

    less /etc/ssh/ssh_config
  2. Hit q to quit out of the file.

  3. View the contents of the ~/.ssh/config file:

    cat ~/.ssh/config

    We'll see there currently isn't one.

  4. Create the file:

    cat > ~/.ssh/config

    We won't receive a prompt, which is fine.

  5. Then, enter:

    VisualHostKey yes
  6. Hit Ctrl+d.

  7. View the contents of the file again:

    cat ~/.ssh/config

    This time, we'll see what we just entered.

  8. View the contents of the known_hosts file:

    cat ~/.ssh/known_hosts

    It will come back with nothing.

  9. Connect to Server2 via SSH using its public IP address listed on the lab page:

    ssh cloud_user@<SERVER2_PUBLIC_IP_ADDRESS>
  10. Enter yes at the prompt.

  11. Enter the password listed on the lab page.

    Note: If you're prompted to change the password, make sure to change it to something you can easily remember, as you'll be prompted a few times to enter it.

  12. Verify you're on the remote server:

    ip address show eth0

    Check the IP address in the output.

  13. Change the root user's password:

    sudo -i passwd root

    Enter the password for cloud_user.

  14. At the New password prompt, enter a new password for root that you'll be able to remember. If it tells you it's a bad password, that's fine — for the purposes of the lab, we can use short/simple passwords.

  15. Become the root user:

    su -

    Enter the password you just created.

  16. Change to the ssh directory:

    cd /etc/ssh
  17. List its contents:

    ls
  18. Copy sshd_config to sshd_config.backup:

    cp sshd_config sshd_config.backup
  19. Open the file:

    vim sshd_config
  20. Un-comment the MaxAuthTries line and change 6 to 3.

  21. Un-comment the Banner line and change none to /etc/ssh/banner.ssh.

  22. Save and quit the file by hitting Escape and :wq!.

  23. See the differences between the files:

    vimdiff sshd_config sshd_config.backup
  24. Exit out by entering :qa.

  25. Reload the SSH daemon:

    systemctl reload sshd.service
  26. Check the status:

    systemctl status sshd.service
  27. Change to the /etc/ssh directory:

    cd /etc/ssh
  28. List its contents:

    ls
  29. Create a banner.ssh file:

    cat > banner.ssh
  30. Enter the following:

    Beware, no unauthorized access permitted.
    Signing on to this system constitutes agreement to the terms of service.
    Thank you.
    Systems Admins
  31. Hit Ctrl+d.

  32. View its contents:

    cat banner.ssh

    We should see the message we just entered.

  33. Exit out of the root user:

    exit
  34. Exit back to the original server:

    exit
  35. Try to access Server2:

    ssh cloud_user@<SERVER2_PUBLIC_IP_ADDRESS>

    We should see the message we just entered in banner.ssh.

  36. Enter the Server2 password.

  37. Exit back to Server1:

    exit
  38. Log in again:

    ssh cloud_user@<SERVER2_PUBLIC_IP_ADDRESS>
  39. This time, enter the wrong password three times. We will receive a disconnect since we set the MaxAuthTries to three.
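
To confirm the server-side changes from this section, the following added example (not part of the original lab) audits the global section of an sshd_config file for the two settings changed above, plus the PermitRootLogin setting that the lab description refers to. The function names and the sample file are constructed for illustration; Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config file.

# effective_value FILE KEYWORD
# sshd uses the first value it obtains for a keyword, and keywords are
# case-insensitive. Match blocks and Include files are not evaluated here.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }            # comment or blank line
        tolower($1) == "match" { exit }    # end of the global section
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one line per finding, return 1 if there is any.
audit_sshd() {
    rc=0
    tries=$(effective_value "$1" MaxAuthTries)
    banner=$(effective_value "$1" Banner)
    root=$(effective_value "$1" PermitRootLogin)
    # An unset MaxAuthTries means sshd's default of 6.
    if [ "${tries:-6}" -gt 3 ]; then
        echo "MaxAuthTries=${tries:-6}: expected 3 or lower"; rc=1
    fi
    case ${banner:-none} in
        none) echo "Banner not set: lab expects /etc/ssh/banner.ssh"; rc=1 ;;
    esac
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin=${root:-unset}: set to no to block root sign-on"; rc=1
    fi
    return $rc
}

# Constructed sample: the lab's edited file, with a later duplicate
# MaxAuthTries line that sshd would ignore.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#PermitRootLogin yes
MaxAuthTries 3
Banner /etc/ssh/banner.ssh
maxauthtries 6
EOF
audit_sshd "$sample" || true   # reports only the PermitRootLogin finding
rm -f "$sample"
```

On the server itself, running `sshd -t` as root checks the file for syntax errors before a reload, and `sshd -T` prints the effective configuration.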

Configure Password-less Connections Between Two Systems via SSH

  1. Still signed in to Server1, generate an RSA key:

    ssh-keygen -t rsa -b 4096
  2. Hit Enter to accept the default file location.

  3. Enter a password you'll easily remember.

  4. Log in to Server2:

    ssh cloud_user@<SERVER2_PUBLIC_IP_ADDRESS>
  5. Exit back to Server1:

    exit
  6. To see what will happen when we copy over the SSH key, run the following:

    ssh-copy-id -n -i ~/.ssh/id_rsa.pub cloud_user@<SERVER2_PUBLIC_IP_ADDRESS>

    It will tell us that it would have added the key. If you get any errors, something is wrong.

  7. Now, run it without the -n flag:

    ssh-copy-id -i ~/.ssh/id_rsa.pub cloud_user@<SERVER2_PUBLIC_IP_ADDRESS>
  8. Enter the password for Server2.

  9. Log in to Server2:

    ssh cloud_user@<SERVER2_PUBLIC_IP_ADDRESS>
  10. Enter the password for the private key.

  11. List the contents of ~/.ssh/authorized_keys:

    cat ~/.ssh/authorized_keys

    We should see the key we generated on Server1 and just copied over.

  12. Exit back to Server1:

    exit
  13. See if the SSH agent is loaded and available:

    ps aux | grep agent
  14. Start a new agent for the current shell:

    eval $(ssh-agent -s)

    It will give us a new agent pid.

  15. Add the RSA identity to the SSH agent:

    ssh-add
  16. Enter the password you created for the key. This time, it will load the identity of our private key. Now we can sign on to the remote system and the authentication is already taken care of.

  17. Try to access Server2:

    ssh cloud_user@<SERVER2_PUBLIC_IP_ADDRESS>

    It will log us in without asking for a password.

  18. Exit back to Server1:

    exit
  19. Check disk space on Server2:

    ssh cloud_user@<SERVER2_PUBLIC_IP_ADDRESS> 'df -hT'

    It will show us the disk space without us needing to log in to Server2.
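
Key-based login depends on the permissions of the files created in this section: with StrictModes (sshd's default) the server ignores authorized_keys if it, ~/.ssh, or the home directory is writable by group or others, and the ssh client refuses a private key that group or others can access. The following added example (not part of the original lab) checks both; the function names and the demo directory are constructed for illustration, and ownership is not checked.

```shell
#!/bin/sh
# Added example: permission checks for the key files this lab creates.

# perms PATH: print the ten-character mode string from ls, e.g. drwx------
perms() { ls -ld "$1" | cut -c1-10; }

# check_key_perms HOME_DIR: print one line per problem, return 1 if any.
check_key_perms() {
    rc=0
    # Server side (Server2): nothing on the path to authorized_keys may be
    # writable by group or others.
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        case $(perms "$p") in
            ?????w????|????????w?) echo "$p: group/world writable"; rc=1 ;;
        esac
    done
    # Client side (Server1): the private key must be owner-only.
    key="$1/.ssh/id_rsa"
    if [ -e "$key" ]; then
        case $(perms "$key") in
            ????------) ;;
            *) echo "$key: accessible by group/others, chmod 600"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed demo home directory: authorized_keys left group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo" "$demo/.ssh" && chmod 664 "$demo/.ssh/authorized_keys"
check_key_perms "$demo" || true   # reports authorized_keys only
rm -rf "$demo"
```

Run it as `check_key_perms "$HOME"` on each system.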

Conclusion

Congratulations on successfully completing this hands-on lab!