Posted on

How to Setup SSH Login Without Password CentOS / RHEL

SSH Login Without Password

As a system administrator, you plan on using OpenSSH for Linux and automate your daily tasks such as transferring files or database dump file for the backup to another server. To achieve this goal, you need to log in automatically from the host A to host B. Login automatically mean you do not want to enter any password because you want to use ssh from a shell script.

In this article we’ll show you how to Setup SSH Login without Password on CentOS / RHEL. After automatic login has been configured, you can use it to move the file using SSH (Secure Shell) and secure copy (SCP).

SSH is open source and the most trusted network protocol which is used to login to the remote server. It is used by system administrators to execute commands, also used to transfer files from one computer to another over a network using SCP protocol.

After you setup SSH login without password, you can get the following advantages :

a) Automate your daily task via scripts.
b) If you login to your linux server using ssh key instead of normal loging using any user, it will enhance security of your linux server. This is one of the recommended method to prevent a brute force attack on virtual private server (VPS), SSH keys are nearly impossible to decipher by brute force alone.

What is ssh-keygen

ssh-keygen is a Unix utility that is used to generate, create, manage the public and private keys for ssh authentication. With the help of the ssh-keygen tool, a user can create passphrase keys for both SSH protocol version 1 and version 2. ssh-keygen creates RSA keys for SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2.

What is ssh-copy-id

ssh-copy-id is a script that copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also append the indicated identity file to that machine’s ~/.ssh/authorized_keys file and assigns proper permission to the remote-host’s home.

SSH keys

SSH keys provide better and secure way of logging into a linux server with SSH. After you run ssh-keygen, you will generate public key and private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password.

Setup SSH Login Without Password on CentOS and RHEL.

This steps tested on CentOS 5/6/7, RHEL 5/6/7 and Oracle Linux 6/7.

Node1 : 192.168.0.9
Node2 : 192.168.0.10

Step One :
Test the connection and access from node1 to node2 :

[root@node1 ~]# ssh root@192.168.0.10
The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
RSA key fingerprint is 6d:8f:63:9b:3b:63:e1:72:b3:06:a4:e4:f4:37:21:42.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.10' (RSA) to the list of known hosts.
root@192.168.0.10's password:
Last login: Thu Dec 10 22:04:55 2015 from 192.168.0.1
[root@node2 ~]#

Step Two :
Generate public and private keys using ssh-key-gen. Please take note that you can increase security by protecting the private key with a passphrase.

[root@node1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b4:51:7e:1e:52:61:cd:fb:b2:98:4b:ad:a1:8b:31:6d root@node1.ehowstuff.local
The key's randomart image is:
+--[ RSA 2048]----+
|          . ++   |
|         o o  o  |
|        o o o  . |
|       . o + ..  |
|        S   .  . |
|         .   .. .|
|        o E oo.o |
|         = ooo.  |
|        . o.o.   |
+-----------------+

Step Three :
Copy or transfer the public key to remote-host using ssh-copy-id command. It will append the indicated identity file to ~/.ssh/authorized_keys on node2 :

[root@node1 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.0.10
root@192.168.0.10's password:
Now try logging into the machine, with "ssh '192.168.0.10'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Step Four :
Try SSH login without Password to node2 :

[root@node1 ~]# ssh root@192.168.0.10
Last login: Sun Dec 13 14:03:20 2015 from www.ehowstuff.local

I hope this article gives you some ideas and quick guide on how to setup SSH login without password on Linux CentOS / RHEL.

Reference

 

Posted on

How To Get Email Alerts for SSH Login on Linux Server

Enable SSH server on a virtual private server (VPS) will expose the server to the internet and provide opportunities for hacking activities, especially when VPS still using root as a primary access. VPS should be configured with a email alert automatically to each successful login attempts via SSH server . VPS server owner shall be notified of any SSH server access log, such as who, when and which source IP address. This is an important security concern for server owners to protect the server from unknown login attempts. This is because if hackers use brute force to log into your VPS via ssh then it can be very dangerous. In this article, I will explain how to set up an email alert to all SSH login users on linux CentOS 6, CentOS 7, RHEL 6 and RHEL 7.

1. Login to your server as root user :

2. Configure at alert from source global definitions (/etc/bashrc). This will enabled for root and normal users :

[root@vps ~]# vi /etc/bashrc

Add the following at the bottom of the files.

echo 'ALERT - Root Shell Access (vps.ehowstuff.com) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" recipient@gmail.com

3. Optionally you can enable alert for root only :

[root@vps ~]# vi .bashrc

Add the following at the bottom of /root/.bashrc :

echo 'ALERT - Root Shell Access (vps.ehowstuff.com) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" recipient@gmail.com

Full Configuration file example :

# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
echo 'ALERT - Root Shell Access (vps.ehowstuff.com) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" recipient@gmail.com

4. Optionally you can enable alert for specify normal user (e.g skytech ) :

[root@vps ~]# vi /home/skytech/.bashrc

Add the following at the bottom of /home/skytech/.bashrc :

echo 'ALERT - Root Shell Access (vps.ehowstuff.com) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" recipient@gmail.com

fail2ban-security

Posted on

How to Secure OpenSSH (SSHD) on Linux

OpenSSH is a open source alternative to the proprietary Secure Shell software. It is also the SSH connectivity tools that allows you to remotely login, transfer remote file via scp or sftp. It was created as an open source alternative to the proprietary Secure Shell software. OpenSSH options are controlled through the /etc/ssh/sshd_config file. In order to improve OpenSSH server security, certain default sshd setting need to be change. This post will show you three example to Secure OpenSSH (SSHD) on Linux. This steps has been tested on CentOS 6.3 and may working on CentOS 6.2, CentOS 5.x and Redhat Enterprise Linux 5 (RHEL 5) and Redhat Enterprise Linux 6 (RHEL 6).

1.Change SSH Default Port :

By default ssh runs on port 22. Hacker would need to know the SSH port number in order to access your system. One of the method to improve security is to change the default port to a non-standard port. That would helps to stop brute force attacks.

#Port 22

Uncomment and change to :

Port 2202

2. Disable Root Login (PermitRootLogin) :

Add the following entry to sshd_config to disable root to login to the server directly.

#PermitRootLogin yes

Uncomment and change to :

PermitRootLogin no

3. Listen Specific IP only :

By default ssh will listen on all of the above ip-addresses. If you want users to login only using ip-address 192.168.1.200 and 192.168.1.202, do the following in your sshd_config :

ListenAddress 192.168.1.200
ListenAddress 192.168.1.202
Posted on

How to Setup Secure SSH Without Password on Linux CentOS

This quick post will show the steps to setup SSH access without password, but with passphrase key on Linux CentOS. After completely performed the following steps, you can ssh from one system to another without specifying any password. This steps has been tested on CentOS 6.3 and may working on other CentOS versions and Redhat Enterprise linux versions as well.

Client = 192.168.1.54
Server = 192.168.1.55

1. Create Public and private keys from openssh and save it :

[root@client ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
9c:41:a8:b5:d1:7f:64:c5:91:89:38:bf:5a:4c:30:16 root@centos63.ehowstuff.local
The key's randomart image is:
+--[ RSA 2048]----+
|       o. Eo +o+ |
|      +.. * + +  |
|     o o.o B     |
|    . .. o. +    |
|        S  + .   |
|            +    |
|           o     |
|          .      |
|                 |
+-----------------+
[root@client ~]# ls -l /root/.ssh/
total 8
-rw------- 1 root root 1743 Oct  4 23:04 id_rsa
-rw-r--r-- 1 root root  411 Oct  4 23:04 id_rsa.pub

2. Change the mode of public key :

[root@client ~]# chmod 600 /root/.ssh/id_rsa.pub
[root@client ~]# ls -l /root/.ssh/
total 8
-rw------- 1 root root 1743 Oct  4 23:04 id_rsa
-rw------- 1 root root  411 Oct  4 23:04 id_rsa.pub

3. Make a .ssh directory in the home of the user on server :

[root@server ~]# mkdir .ssh
[root@server ~]# cd .ssh/
[root@server .ssh]# pwd
/root/.ssh

4. From Client, transport the key to the server :

[root@client .ssh]# scp id_rsa.pub root@192.168.1.55:/root/.ssh/
The authenticity of host '192.168.1.55 (192.168.1.55)' can't be established.
RSA key fingerprint is 71:fc:a2:51:b3:ed:bc:7b:68:ec:9e:51:a8:04:ab:fd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.55' (RSA) to the list of known hosts.
root@192.168.1.55's password:
id_rsa.pub                                                        100%  411     0.4KB/s   00

5. Change the key to authorized key in .ssh folder :

[root@server ~]# cd .ssh/
[root@server .ssh]# pwd
/root/.ssh
[root@server .ssh]# cat id_rsa.pub >>authorized_keys
[root@server .ssh]# ls
authorized_keys  id_rsa.pub

View the authorized_keys :

[root@ldap .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqToSfMUihcL/lFA6chuVTO77FAHNJFs102lULCVS8XwLFoDbauHdk61x3/rAHDj1HSFbb/heuHUdRndT1CJvSaK+lZ6mKMqvfqlGBvgcF+9t0+Mx3/8Nwaoy891bmiRV81UA8ywwSGx/hw6+LgLTn0F1dh+bhezdAyIV+WMM6QUW9v6APncLw0EtbZX/IMuJCizT+ka+yUgxRB8nteTKYyG1/fCwo7utKBD9Sypt4VBvMFIcoKhIoTzhAxUDxXwmOGn5mUB8aDLzUsf3eJuGOMLVH/k+zByt6tfZ9V/EFUMOVmXV33XCgewJa6RiUm0aXnmYWd722ju/tZyFqzip1w== root@client.ehowstuff.local

6. Now Connect your server without passsword but with the passphrase key :

[root@client ~]# ssh root@192.168.1.55
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Thu Oct  4 23:08:17 2012 from 192.168.1.52
[root@server ~]#