How to enable root SSH login on RHEL or CentOS 7
SSH (Secure Shell) works on TCP port 22 and encrypts the data it sends to the remote host. Nowadays it is used in place of Telnet.
Files related to SSH configuration:
- /etc/ssh/sshd_config - OpenSSH server configuration file.
- /etc/ssh/ssh_config - OpenSSH client configuration file.
- ~/.ssh/ - The user's SSH configuration directory.
- ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user's account.
- /etc/nologin - If this file exists, sshd refuses to let anyone except root log in.
- /etc/hosts.allow and /etc/hosts.deny - Access control lists enforced by tcp_wrappers are defined here.
- SSH default port: TCP 22
NOTE: After editing the "sshd_config" file, verify the configuration and restart the "sshd" service so the new setting takes effect.
Verify your sshd_config file before restarting / reloading:
#/usr/sbin/sshd -t
#service sshd restart OR
#/etc/init.d/sshd restart
(RHEL/CentOS 7 uses systemd, so the native form of the restart is "systemctl restart sshd"; "service sshd restart" is redirected to it.)
Enabling / Disabling root login access in SSH:
Edit the file "/etc/ssh/sshd_config", search for "PermitRootLogin" and set it to "yes" (uncomment the line if it is commented out).
#vi /etc/ssh/sshd_config
PermitRootLogin yes
Save & exit.
Next, restart the "sshd" service:
#service sshd restart OR
#/etc/init.d/sshd restart
How to change the SSH port from the default 22 to another port number:
#vi /etc/ssh/sshd_config
Search for "Port 22", uncomment it and change "22" to the port you want, e.g. "989":
Port 989
Save & exit.
Next, restart the "sshd" service. On RHEL/CentOS 7 with SELinux in enforcing mode, the new port must also be labelled for sshd ("semanage port -a -t ssh_port_t -p tcp 989") and opened in the firewall, otherwise sshd will fail to bind to it.
How to connect to another host over SSH when a port other than "22" is used:
#ssh -p <SSH Port> <SSH Server IP>
e.g.
#ssh -p 989 10.10.10.1
How to forward an X session over SSH from a remote host:
On Host 1;
#ssh -X root@Host2
Now any GUI application you start on Host 2 is displayed on Host 1, so you can manage it through the SSH session. Forwarding gives processes on the remote host access to your local X display, so use it only with hosts you trust.
Keep in mind that to forward an X session from another host to yours, X11 forwarding must first be enabled on the remote host (Host 2) as given below. In its "/etc/ssh/sshd_config" file uncomment the lines below;
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
How to limit which users can access the system via SSH:
To allow only the users root, mac and tom, plus the groups HR and Sales, to log in via SSH, add the following to sshd_config:
AllowUsers root mac tom
AllowGroups HR Sales
Note that sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, so when both Allow directives are present a user must be listed in AllowUsers and also belong to one of the groups in AllowGroups. Alternatively, you can allow all users and groups to log in via SSH and deny only a few users or groups with the following lines:
DenyUsers lycan max tim
DenyGroups ISS CMS PreSales
How to configure the idle logout timeout interval:
Users log in to the server via SSH, and you can set an idle timeout interval to avoid unattended SSH sessions. Open sshd_config and make sure the following values are configured:
ClientAliveInterval 300
ClientAliveCountMax 0
This sets an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed with no data received from the client, the idle user is automatically kicked out (read: logged out). Note that OpenSSH 8.2 and later changed "ClientAliveCountMax 0" to mean "never disconnect"; the OpenSSH 7.4 shipped with CentOS 7 behaves as described here.
How to ignore .rhosts files:
Do not read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following setting:
IgnoreRhosts yes
SSH can emulate the behaviour of the obsolete rsh command; this setting disables that insecure access path.
How to enable a warning banner:
Set a warning banner by updating sshd_config with the following line:
Banner /etc/banner.txt
Sample /etc/banner.txt file:
----------------------------------------------------------------------------------------------
You are accessing a Government Information System that is provided for authorized use only.
----------------------------------------------------------------------------------------------
The above is a standard sample; consult your legal team for the exact user agreement and legal notice wording.
How to bind SSH access to particular IPs:
By default sshd listens on all available interfaces and IP addresses of the system. To bind only to 10.31.10.1 and 10.31.20.2, add the following lines:
ListenAddress 10.31.10.1
ListenAddress 10.31.20.2
How to use TCP Wrappers for SSH:
TCP Wrappers is a host-based network ACL system used to filter access to network services. OpenSSH supports TCP Wrappers (the RHEL/CentOS 7 build does; upstream OpenSSH dropped libwrap support in 6.7). Update your /etc/hosts.allow file as follows to allow SSH from the IPs 10.31.10.1 and 10.31.20.2 and from the 10.31.30.0 network. In hosts_access(5) syntax a network is written as a prefix with a trailing dot or as net/mask; a bare "10.31.30.0" would match only that single address:
sshd : 10.31.10.1 10.31.20.2 10.31.30.
To allow SSH only from these sources, also deny everyone else by adding the line "sshd : ALL" to /etc/hosts.deny; without a deny rule, hosts that match neither file are still allowed.
How to disable empty passwords in SSH:
You need to explicitly disallow remote login from accounts with empty passwords. Update sshd_config with the following line:
PermitEmptyPasswords no
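As an added example (not code from the original post), the POSIX shell script below reads an sshd_config and reports the value sshd will actually use for a keyword, then audits a file against the settings covered above. It matters because sshd takes the first occurrence of a keyword and ignores later duplicates, so a setting appended at the end of the file may silently have no effect. The sample config and the audit expectations are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Resolves sshd_config keywords the way
# sshd does: keywords are case-insensitive, "Key value" and "Key=value" are both
# accepted, lines starting with "#" are comments, the FIRST occurrence of a keyword
# wins (later duplicates are ignored), and lines after "Match" are not global.

# Constructed sample config; assumption: written to a temp file for the demo.
SAMPLE_CONF="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample sshd_config, not a real host's file
Port 989
#PermitRootLogin no
PermitRootLogin yes
X11Forwarding = no
ClientAliveInterval 300
ClientAliveCountMax 0
PermitEmptyPasswords=no
PermitRootLogin no
Match User tom
    X11Forwarding yes
EOF

# effective_value FILE KEYWORD: print the global value sshd uses, or nothing.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || NF == 0 { next }            # comment or blank line
        $1 ~ /=/ || $2 == "=" { sub(/=/, " ") }   # Key=value -> Key value
        NF < 2 { next }                           # keyword without a value
        tolower($1) == "match" { exit }           # end of the global section
        tolower($1) == key { print $2; exit }     # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE Key=want ...: print one line per mismatch; the exit
# status is the number of mismatches, so 0 means every expectation holds.
audit_sshd_config() {
    conf=$1; shift; findings=0
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: effective "%s", expected "%s"\n' "$key" "${got:-<unset>}" "$want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
# The appended "PermitRootLogin no" never takes effect: two mismatches are reported.
audit_sshd_config "$SAMPLE_CONF" PermitRootLogin=no IgnoreRhosts=yes \
    X11Forwarding=no PermitEmptyPasswords=no ClientAliveCountMax=0 \
    || printf 'mismatches: %s\n' "$?"
```

Run it against the real file with the expectations you want (audit_sshd_config /etc/ssh/sshd_config PermitRootLogin=no ...) and cross-check with "sshd -T", which prints the effective configuration sshd will use.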
Enjoy :)