Configuring OpenSSH on CentOS 8

By | August 30, 2020

OpenSSH is a free version of version of the Secure Shell (SSH) protocol family of tools for remotely controlling, or transferring files between computer systems. The traditional tool like telnet which is insecure and transmit the user’s password in cleartext. SSH is a secured remote control protocol and it can be authenticated using Password Authentication and Public Key base Authentication.

OpenSSH with Password Authentication

OpenSSH is installed by default on CentOS 8 and the password authentication is enabled by default as well. Root user account login allowed and it is recommended that you disable SSH remote for root user and allow a standard user account instead.

OpenSSH Server

1. Edit SSH configuration file

2. Disable root user login by changing PermitRootLogin to no and save the configuration file.

3. Restart OpenSSH service

4. Allow SSH (TCP port 22) in firewall and reload. I got a warning because SSH port already enabled.

OpenSSH Client
5. I am installing SSH Client on my client host using following command

6. Now let try to remote SSH from client host to the server using following command. At your first remote session, you will be asked to accept the key exchange, just type Yes to accept it and enter the password of user itgeek to establish the connection.

7. Now let try to login with root user account and it supposed to be denied.
8. You can also can issue the command from remote host on the server. Following example, we will use cat “/etc/resolv.conf” to show DNS configuration and cat “/etc/hostname” to show server hostname
9. Alternatively, we can use Putty to remote SSH to the server.
10. We have now successfully login via Putty.

OpenSSH with Key-Based Authentication

Create SSH Authorized Key on CentOS client
1. Generate SSH key with the command ssh-keygen and enter your own passphrase
2. Now that the SSH key pair is generated, let copy the public key to the server we want to manage which is centos_srv01 (192.168.200.200) using the command ssh-copy id. This command will copy the content of the public key file (~/.ssh/id_rsa.pub) and will append to the remote user ~/.ssh/authorized_keys file.

3. Let try to remote to the server and SSH connection will be established without requiring the password of user itgeek.

4. Once the remote session can be established using keypair, we don’t need password authentication anymore. This will add another layer of security for your production server. Let disable password authentication in the /etc/ssh/sshd_config file. Set the following configuration to no

    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no

5. Save the file and restart the SSH service

Now the password-based authentication is disabled and you can remote to your server using Key based authentication only.

Leave a Reply

Your email address will not be published.