
Secure Shell - Rocky-9

Install openssh with:

dnf install openssh

Configure ssh client
emacs /etc/ssh/ssh_config

Host *
HashKnownHosts yes
StrictHostKeyChecking ask
Protocol 2

Configure ssh daemon
emacs /etc/ssh/sshd_config

Port 22
ListenAddress 0.0.0.0
# HostKey - do not change these lines; the host identity is what deters a man-in-the-middle attack.
Protocol 2
PermitRootLogin no
MaxAuthTries 6
MaxSessions 10
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers mihai
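To check that a configuration file really carries the settings above, here is an added POSIX shell example (not part of the original page) that reads an sshd_config, takes the first uncommented value of each directive, as sshd itself does, and compares it with the values from the block above. The file path is a parameter; on a live Rocky 9 host the assumption is that you audit the output of `sshd -T`, so drop-ins under /etc/ssh/sshd_config.d/ are included.

```shell
# Audit an sshd_config against the hardening directives above (added example).
# sshd keeps the first uncommented value it reads for a keyword and ignores later
# duplicates; this parser mirrors that rule. Plain "Keyword value" lines are handled,
# Match blocks are not. On a live host audit the effective configuration instead:
#     sshd -T > /tmp/sshd-effective.conf && audit_sshd_config /tmp/sshd-effective.conf

# Expected values, one "Directive value" pair per line (taken from the sshd_config block above).
EXPECTED='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
MaxAuthTries 6
AllowUsers mihai'

# effective_value FILE KEYWORD: print the first uncommented value of KEYWORD.
# Keywords are matched case-insensitively because `sshd -T` prints them in lowercase.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# audit_sshd_config FILE: print PASS/FAIL per directive; return 1 if any is missing or differs.
# A directive that is not set at all is reported as FAIL, since sshd's default then applies.
audit_sshd_config() {
    _file="$1"
    _rc=0
    while read -r _key _want; do
        [ -n "$_key" ] || continue
        _got=$(effective_value "$_file" "$_key")
        if [ -z "$_got" ]; then
            printf 'FAIL %-32s not set (sshd default applies), want "%s"\n' "$_key" "$_want"
            _rc=1
        elif [ "$_got" = "$_want" ]; then
            printf 'PASS %-32s %s\n' "$_key" "$_got"
        else
            printf 'FAIL %-32s got "%s", want "%s"\n' "$_key" "$_got" "$_want"
            _rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $_rc
}

# When run as a script with a file argument, audit that file; when sourced, just define the functions.
[ $# -eq 0 ] || audit_sshd_config "$1"
```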

Add ssh service to firewall:

firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-all

Check the /etc/hosts.allow and /etc/hosts.deny files:
cat /etc/hosts.allow
cat /etc/hosts.deny

Start the service:

systemctl  enable  sshd.service
systemctl  start   sshd

Log in to the server with the user account and generate the ssh keys.

Generate a 4096-bit RSA (Rivest-Shamir-Adleman) key. It can be imported by PuTTY!

ssh-keygen -t rsa -b 4096

The public key id_rsa.pub is the part the server needs.

The private key id_rsa is the part the client needs.

cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Copy the keys from the remote computer to the local computer.
Run this from the local computer; you should not be logged into the remote computer.
scp does not require a pre-existing ssh connection.
Two scp examples:

scp mihai@64.227.114.160:/home/mihai/.ssh/id_rsa     /home/mihai
scp mihai@$DIGITALOCEAN:/home/mihai/.ssh/id_rsa.pub  /home/mihai

You can remove the keys from the server.

rm ~/.ssh/id_rsa
rm ~/.ssh/id_rsa.pub

Restart ssh to test the new key.

systemctl restart sshd.service
systemctl status  sshd.service

You now have the private key on the client computer.

mv ~/.ssh/id_rsa ~/.ssh/id_rsa_key
chmod 400 ~/.ssh/id_rsa_key

You can set up an ssh-agent at this point.

Log in with ssh

ssh -l mihai -i ~/.ssh/id_rsa_key 192.168.2.32

ssh login with X11 forwarding

ssh -X -l mihai -i ~/.ssh/id_rsa_key 192.168.2.32

ssh login with tunnelling for vncserver@:3 (port 5903)

ssh -L 5903:192.168.2.32:5903 -i ~/.ssh/id_rsa_key -l mihai 192.168.2.32

Set up a connection alias

emacs ~/.bashrc

alias server='ssh -l mihai -i ~/.ssh/id_rsa_key 192.168.2.32'

# copy a file into the server's home over ssh
# The remote path after the colon is left empty so scp uses the remote user's home;
# $HOME there would expand on the local machine before scp ever sees it.
scp_copy(){
    scp -i "$HOME/.ssh/id_rsa_key" "$1"  mihai@vasilian.net:
}

alias scp2server=scp_copy
