Red Hat Training

CHAPTER 8

CONTROLLING SERVICES AND DAEMONS

Overview

Goal        To control and monitor network services and system daemons using systemd.

Objectives  • List system daemons and network services started by the systemd service and socket units.
            • Control system daemons and network services using systemctl.

Sections    • Identifying Automatically Started System Processes (and Practice)
            • Controlling System Services (and Practice)

Lab         • Controlling Services and Daemons

RH124-RHEL7-en-1-20140606 195


Chapter 8. Controlling Services and Daemons

Identifying Automatically Started System Processes

Objectives
After completing this section, students should be able to list system daemons and network services started by the systemd service and socket units.

Introduction to systemd

System startup and server processes are managed by the systemd System and Service Manager. This program provides a method for activating system resources, server daemons, and other processes, both at boot time and on a running system.

Daemons are processes that wait or run in the background performing various tasks. Generally, daemons start automatically at boot time and continue to run until shutdown or until they are manually stopped. By convention, the names of many daemon programs end in the letter "d".

To listen for connections, a daemon uses a socket. This is the primary communication channel with local or remote clients. Sockets may be created by daemons or may be separated from the daemon and be created by another process, such as systemd. The socket is passed to the daemon when a connection is established by the client.

A service often refers to one or more daemons, but starting or stopping a service may instead make a one-time change to the state of the system, which does not involve leaving a daemon process running afterward (called oneshot).

A bit of history
For many years, process ID 1 of Linux and UNIX systems has been the init process. This process was responsible for activating other services on the system and is the origin of the term "init system." Frequently used daemons were started on systems at boot time with System V and LSB init scripts. These are shell scripts, and may vary from one distribution to another. Less frequently used daemons were started on demand by another service, such as inetd or xinetd, which listens for client connections. These systems have several limitations, which are addressed with systemd.

In Red Hat Enterprise Linux 7, process ID 1 is systemd, the new init system. A few of the new features provided by systemd include:

• Parallelization capabilities, which increase the boot speed of a system.

• On-demand starting of daemons without requiring a separate service.

• Automatic service dependency management, which can prevent long timeouts, such as by not starting a network service when the network is not available.

• A method of tracking related processes together by using Linux control groups.

Note
With systemd, shell-based service scripts are used only for a few legacy services. Therefore, configuration files with shell variables, such as those found in /etc/sysconfig, are being replaced. Those still in use are included as systemd environment files and read as NAME=VALUE pairs. They are no longer sourced as a shell script.

systemctl and systemd units

The systemctl command is used to manage different types of systemd objects, called units. A list of available unit types can be displayed with systemctl -t help.

Important
The systemctl command may abbreviate or "ellipsize" unit names, process tree entries, and unit descriptions unless run with the -l option.

Some common unit types are listed below:

• Service units have a .service extension and represent system services. This type of unit is used to start frequently accessed daemons, such as a web server.

• Socket units have a .socket extension and represent inter-process communication (IPC) sockets. Control of the socket will be passed to a daemon or newly started service when a client connection is made. Socket units are used to delay the start of a service at boot time and to start less frequently used services on demand. These are similar in principle to services which use the xinetd superserver to start on demand.

• Path units have a .path extension and are used to delay the activation of a service until a specific file system change occurs. This is commonly used for services which use spool directories, such as a printing system.

Service states

The status of a service can be viewed with systemctl status name.type. If the unit type is not provided, systemctl will show the status of a service unit, if one exists.

[root@serverX ~]# systemctl status sshd.service
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Thu 2014-02-27 11:51:39 EST; 7h ago
 Main PID: 1073 (sshd)
   CGroup: /system.slice/sshd.service
           └─1073 /usr/sbin/sshd -D

Feb 27 11:51:39 serverX.example.com systemd[1]: Started OpenSSH server daemon.
Feb 27 11:51:39 serverX.example.com sshd[1073]: Could not load host key: /et...y
Feb 27 11:51:39 serverX.example.com sshd[1073]: Server listening on 0.0.0.0 ....
Feb 27 11:51:39 serverX.example.com sshd[1073]: Server listening on :: port 22.
Feb 27 11:53:21 serverX.example.com sshd[1270]: error: Could not load host k...y
Feb 27 11:53:22 serverX.example.com sshd[1270]: Accepted password for root f...2
Hint: Some lines were ellipsized, use -l to show in full.

Several keywords indicating the state of the service can be found in the status output:
Keyword:            Description:
loaded              Unit configuration file has been processed.
active (running)    Running with one or more continuing processes.
active (exited)     Successfully completed a one-time configuration.
active (waiting)    Running but waiting for an event.
inactive            Not running.
enabled             Will be started at boot time.
disabled            Will not be started at boot time.
static              Cannot be enabled, but may be started by an enabled unit automatically.

Note
The systemctl status NAME command replaces the service NAME status command used in previous versions of Red Hat Enterprise Linux.

Listing unit files with systemctl

In this example, please follow along with the next steps while your instructor demonstrates obtaining status information of services.

Note
Notice that the systemctl command will automatically paginate the output with less.

1. Query the state of all units to verify a system startup.

[root@serverX ~]# systemctl

2. Query the state of only the service units.

[root@serverX ~]# systemctl --type=service

3. Investigate any units which are in a failed or maintenance state. Optionally, add the -l option to show the full output.

[root@serverX ~]# systemctl status rngd.service -l

4. The status argument may also be used to determine if a particular unit is active and show if the unit is enabled to start at boot time. Alternate commands can also easily show the active and enabled states:

[root@serverX ~]# systemctl is-active sshd
[root@serverX ~]# systemctl is-enabled sshd

5. List the active state of all loaded units. Optionally, limit the type of unit. The --all option will add inactive units.

[root@serverX ~]# systemctl list-units --type=service
[root@serverX ~]# systemctl list-units --type=service --all

6. View the enabled and disabled settings for all units. Optionally, limit the type of unit.

[root@serverX ~]# systemctl list-unit-files --type=service

7. View only failed services.

[root@serverX ~]# systemctl --failed --type=service
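The listings in steps 5 to 7 are written for a person reading the screen; an audit script has to parse them. The following is an added example, not part of the course text: it takes constructed samples of the `systemctl list-units --type=service --all` and `systemctl list-unit-files --type=service` output, pulls out the units in the failed state, reports the boot-time state of one unit, and lists every enabled service that is missing from a baseline allowlist, which is the check a reviewer wants after a system is handed over (the unit names in the samples and the allowlist are assumptions of this example). The marker character that systemctl may print in front of failed units shifts the columns, so the awk strips it before splitting fields.

```shell
#!/bin/sh
# Constructed sample of `systemctl list-units --type=service --all` output
# (RHEL 7 layout; the leading "●" marks a failed unit and shifts the columns).
SAMPLE_LIST_UNITS='  UNIT                 LOAD   ACTIVE   SUB     DESCRIPTION
  chronyd.service      loaded active   running NTP client/server
  cups.service         loaded inactive dead    CUPS Printing Service
● rngd.service         loaded failed   failed  Hardware RNG Entropy Gatherer Daemon
  sshd.service         loaded active   running OpenSSH server daemon
  network.service      masked inactive dead    network.service

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

5 loaded units listed.'

# Constructed sample of `systemctl list-unit-files --type=service` output.
SAMPLE_UNIT_FILES='UNIT FILE          STATE
chronyd.service    enabled
cups.service       enabled
network.service    masked
psacct.service     disabled
rngd.service       enabled
rsyslog.service    enabled
sshd.service       enabled

7 unit files listed.'

# units_in_active_state STATE: read list-units output on stdin and print the
# names of service units whose ACTIVE column equals STATE
# (active, inactive or failed).
units_in_active_state() {
    awk -v want="$1" '
        /\.service/ {
            sub(/^[^A-Za-z0-9_@.-]*/, "")   # drop indentation and the "●" marker
            if ($3 == want) print $1
        }'
}

# unit_file_state NAME: read list-unit-files output on stdin and print the
# enabled/disabled/masked/static state of NAME, or "unknown" when absent.
unit_file_state() {
    awk -v name="$1" '
        $1 == name { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# unexpected_enabled "ALLOWLIST": print every enabled unit file that is not in
# the space-separated ALLOWLIST, i.e. something that will start at boot
# although the baseline does not expect it.
unexpected_enabled() {
    awk -v allow=" $1 " '
        $2 == "enabled" && index(allow, " " $1 " ") == 0 { print $1 }'
}

printf '%s\n' "$SAMPLE_LIST_UNITS" | units_in_active_state failed
printf '%s\n' "$SAMPLE_UNIT_FILES" | unit_file_state sshd.service
printf '%s\n' "$SAMPLE_UNIT_FILES" | unexpected_enabled "chronyd.service rsyslog.service sshd.service"
```

On a live system the samples are replaced by the real commands, for example `systemctl list-unit-files --type=service | unexpected_enabled "$BASELINE"`; the allowlist is the part that has to be maintained per host role.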

References
systemd(1), systemd.unit(5), systemd.service(5), systemd.socket(5), and systemctl(1) man pages

Additional information may be available in the chapter on managing services with systemd in the Red Hat Enterprise Linux System Administrator's Guide for Red Hat Enterprise Linux 7, which can be found at
http://docs.redhat.com/

Practice: Identify the Status of systemd Units

Guided exercise

In this lab, you will identify installed and running services on the system.

Outcomes:
A list of active and enabled services on the system.

Before you begin...

Reset your serverX system.

☐ 1. List all service units on the system.

[student@serverX ~]$ sudo systemctl list-units --type=service

☐ 2. List all socket units, active and inactive, on the system.

[student@serverX ~]$ sudo systemctl list-units --type=socket --all

☐ 3. Explore the status of the chronyd service. This service is used for network time synchronization (NTP).

☐ 3.1. Display the status of the chronyd service. Note the process ID of any active daemons.

[student@serverX ~]$ sudo systemctl status chronyd

☐ 3.2. Confirm that the listed daemons are running.

[student@serverX ~]$ ps -p PID

☐ 4. Explore the status of the sshd service. This service is used for secure encrypted communication between systems.

☐ 4.1. Determine if the sshd service is enabled to start at system boot.

[student@serverX ~]$ sudo systemctl is-enabled sshd

☐ 4.2. Determine if the sshd service is active without displaying all of the status information.

[student@serverX ~]$ sudo systemctl is-active sshd

☐ 4.3. Display the status of the sshd service.

[student@serverX ~]$ sudo systemctl status sshd

☐ 5. List the enabled or disabled states of all service units.

[student@serverX ~]$ sudo systemctl list-unit-files --type=service

Controlling System Services

Objectives

After completing this section, students should be able to control system daemons and network services using systemctl.

Starting and stopping system daemons on a running system
Changes to a configuration file or other updates to a service may require that the service be restarted. A service that is no longer used may be stopped before removing the software. A service that is not frequently used may be manually started by an administrator only when it is needed.

In this example, please follow along with the next steps while your instructor demonstrates managing services on a running system.

1. View the status of a service.

[root@serverX ~]# systemctl status sshd.service

2. Verify that the process is running.

[root@serverX ~]# ps -up PID

3. Stop the service and verify the status.

[root@serverX ~]# systemctl stop sshd.service
[root@serverX ~]# systemctl status sshd.service

4. Start the service and view the status. The process ID has changed.

[root@serverX ~]# systemctl start sshd.service
[root@serverX ~]# systemctl status sshd.service

5. Stop, then start, the service in a single command.

[root@serverX ~]# systemctl restart sshd.service
[root@serverX ~]# systemctl status sshd.service

6. Issue instructions for a service to read and reload its configuration file without a complete stop and start. The process ID will not change.

[root@serverX ~]# systemctl reload sshd.service
[root@serverX ~]# systemctl status sshd.service

Unit dependencies
Services may be started as dependencies of other services. If a socket unit is enabled and the service unit with the same name is not, the service will automatically be started when a request is made on the network socket. Services may also be triggered by path units when a file system condition is met. For example, a file placed into the print spool directory will cause the cups print service to be started if it is not running.

[root@serverX ~]# systemctl stop cups.service
Warning: Stopping cups, but it can still be activated by:
  cups.path
  cups.socket

To completely stop printing services on a system, stop all three units. Disabling the service will disable the dependencies.

The systemctl list-dependencies UNIT command can be used to print out a tree of what other units must be started if the specified unit is started. Depending on the exact dependency, the other unit may need to be running before or after the specified unit starts. The --reverse option to this command will show what units need to have the specified unit started in order to run.

Masking services
At times, a system may have conflicting services installed. For example, there are multiple methods to manage networks (network and NetworkManager) and firewalls (iptables and firewalld). To prevent an administrator from accidentally starting a service, that service may be masked. Masking will create a link in the configuration directories so that if the service is started, nothing will happen.

[root@serverX ~]# systemctl mask network
ln -s '/dev/null' '/etc/systemd/system/network.service'
[root@serverX ~]# systemctl unmask network
rm '/etc/systemd/system/network.service'

Important
A disabled service will not be started automatically at boot or by other unit files, but can be started manually. A masked service cannot be started manually or automatically.
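The ln -s and rm lines above show what mask and unmask do on disk. The following is an added example, not from the course: it reproduces that mechanism in a temporary directory that stands in for /etc/systemd/system (an assumption of the example, chosen so the script runs without root or a running systemd) and adds the check an administrator wants before masking, namely refusing to overwrite a real local unit file with the /dev/null link, which a blind ln -sf would silently do. The unit_state function reports masked, local (an administrator's override file is present) or vendor (nothing in the local directory, so the copy under /usr/lib/systemd/system applies).

```shell
#!/bin/sh
# CONF_DIR stands in for /etc/systemd/system (assumption of this example).
CONF_DIR=$(mktemp -d)
trap 'rm -rf "$CONF_DIR"' EXIT

# mask_unit NAME: link NAME to /dev/null in CONF_DIR, as `systemctl mask` does.
# Refuses to replace a real unit file an administrator placed there.
mask_unit() {
    target="$CONF_DIR/$1"
    if [ -e "$target" ] && [ ! -L "$target" ]; then
        echo "refusing to mask: $target is a local unit file, not a link" >&2
        return 1
    fi
    ln -sfn /dev/null "$target"
}

# unmask_unit NAME: remove only a /dev/null link; a real unit file is left alone.
unmask_unit() {
    target="$CONF_DIR/$1"
    if [ -L "$target" ] && [ "$(readlink "$target")" = /dev/null ]; then
        rm "$target"
    fi
}

# unit_state NAME: "masked" when the /dev/null link is present, "local" when an
# administrator's unit file overrides the vendor copy, otherwise "vendor".
unit_state() {
    target="$CONF_DIR/$1"
    if [ -L "$target" ] && [ "$(readlink "$target")" = /dev/null ]; then
        echo masked
    elif [ -e "$target" ]; then
        echo local
    else
        echo vendor
    fi
}

unit_state network.service
mask_unit network.service
unit_state network.service
unmask_unit network.service
unit_state network.service
```

The refusal in mask_unit matters because a local override file in /etc/systemd/system is the administrator's only copy; systemctl itself keeps the vendor unit under /usr/lib, so it has nothing to lose, but a script replaying mask on a directory of overrides would.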

Enabling system daemons to start or stop at boot

Starting a service on a running system does not guarantee that the service will be started when the system reboots. Similarly, stopping a service on a running system will not keep it from starting again when the system reboots. Services are started at boot time when links are created in the appropriate systemd configuration directories. These links are created and removed with systemctl commands.

In this example, please follow along with the next steps while your instructor demonstrates enabling and disabling services.

1. View the status of a service.

[root@serverX ~]# systemctl status sshd.service

2. Disable the service and verify the status. Note that disabling a service does not stop the service.

[root@serverX ~]# systemctl disable sshd.service
[root@serverX ~]# systemctl status sshd.service

3. Enable the service and verify the status.

[root@serverX ~]# systemctl enable sshd.service
[root@serverX ~]# systemctl is-enabled sshd.service

Summary of systemctl commands

Services can be started and stopped on a running system and enabled or disabled for automatic start at boot time.

Task:                                                                        Command:
View detailed information about a unit state.                                systemctl status UNIT
Stop a service on a running system.                                          systemctl stop UNIT
Start a service on a running system.                                         systemctl start UNIT
Restart a service on a running system.                                       systemctl restart UNIT
Reload configuration file of a running service.                              systemctl reload UNIT
Completely disable a service from being started, both manually and at boot.  systemctl mask UNIT
Make a masked service available.                                             systemctl unmask UNIT
Configure a service to start at boot time.                                   systemctl enable UNIT
Disable a service from starting at boot time.                                systemctl disable UNIT
List units which are required and wanted by the specified unit.              systemctl list-dependencies UNIT

References
systemd(1), systemd.unit(5), systemd.service(5), systemd.socket(5), and systemctl(1) man pages

Additional information may be available in the chapter on managing services with systemd in the Red Hat Enterprise Linux System Administrator's Guide for Red Hat Enterprise Linux 7, which can be found at
http://docs.redhat.com/


Practice: Using systemctl to Manage Services

Guided exercise
In this lab, you will manage a service unit that is already installed on the system.

Outcomes:
The chronyd service is disabled and no longer running on the system.

Before you begin...

Reset your serverX system.

☐ 1. Observe the results of systemctl restart and systemctl reload commands.

☐ 1.1. Display the status of the sshd service. Note the process ID of the daemon.

[student@serverX ~]$ sudo systemctl status sshd

☐ 1.2. Restart the sshd service and view the status. The process ID of the daemon has changed.

[student@serverX ~]$ sudo systemctl restart sshd
[student@serverX ~]$ sudo systemctl status sshd

☐ 1.3. Reload the sshd service and view the status. The process ID of the daemon has not changed and connections have not been interrupted.

[student@serverX ~]$ sudo systemctl reload sshd
[student@serverX ~]$ sudo systemctl status sshd

☐ 2. Verify that the chronyd service is running.

[student@serverX ~]$ sudo systemctl status chronyd

☐ 3. Stop the chronyd service and view the status.

[student@serverX ~]$ sudo systemctl stop chronyd
[student@serverX ~]$ sudo systemctl status chronyd

☐ 4. Determine if the chronyd service is enabled to start at system boot.

[student@serverX ~]$ sudo systemctl is-enabled chronyd

☐ 5. Reboot the system, then view the status of the chronyd service.

[student@serverX ~]$ sudo systemctl status chronyd

☐ 6. Disable the chronyd service so that it does not start at system boot, then view the status of the service.

[student@serverX ~]$ sudo systemctl disable chronyd
[student@serverX ~]$ sudo systemctl status chronyd

☐ 7. Reboot the system, then view the status of the chronyd service.

[student@serverX ~]$ sudo systemctl status chronyd

Lab: Controlling Services and Daemons

Performance checklist
In this lab, you will manage a service unit that is already installed on the system.

Outcomes:
The psacct service is enabled and running on the system, and the rsyslog service is disabled and no longer running on the system.

Before you begin...

Reset your serverX system.

1. Start the psacct service.

2. Configure the psacct service so that it starts at system boot.

3. Stop the rsyslog service.

4. Configure the rsyslog service so that it does not start at system boot.

5. Reboot the system, then run lab services grade to verify the configuration.

Solution

In this lab, you will manage a service unit that is already installed on the system.

Outcomes:
The psacct service is enabled and running on the system, and the rsyslog service is disabled and no longer running on the system.

Before you begin...
Reset your serverX system.

1. Start the psacct service.

[student@serverX ~]$ sudo systemctl start psacct
[student@serverX ~]$ sudo systemctl status psacct

2. Configure the psacct service so that it starts at system boot.

[student@serverX ~]$ sudo systemctl enable psacct
[student@serverX ~]$ sudo systemctl status psacct

3. Stop the rsyslog service.

[student@serverX ~]$ sudo systemctl stop rsyslog
[student@serverX ~]$ sudo systemctl status rsyslog

4. Configure the rsyslog service so that it does not start at system boot.

[student@serverX ~]$ sudo systemctl disable rsyslog
[student@serverX ~]$ sudo systemctl status rsyslog

5. Reboot the system, then run lab services grade to verify the configuration.

[student@serverX ~]$ lab services grade


Summary

Identifying Automatically Started System Processes
Determine the status of system daemons and network services started by systemd.

Controlling System Services
Start, stop, and enable services using systemctl.


Red Hat Training

CHAPTER 9

CONFIGURING AND SECURING OPENSSH SERVICE

Overview

Goal        To configure secure command-line access on remote systems using OpenSSH.

Objectives  • Log into a remote system using ssh to run commands from a shell prompt.
            • Set up ssh to allow secure password-free logins by using a private authentication key file.
            • Customize sshd configuration to restrict direct logins as root or to disable password-based authentication.

Sections    • Accessing the Remote Command Line with SSH (and Practice)
            • Configuring SSH Key-based Authentication (and Practice)
            • Customizing SSH Service Configuration (and Practice)

Lab         • Configuring and Securing OpenSSH Service


Chapter 9. Configuring and Securing OpenSSH Service

Accessing the Remote Command Line with SSH

Objective
After completing this section, students should be able to log in to a remote system using ssh to run commands from a shell prompt.

What is the OpenSSH secure shell (SSH)?

The term OpenSSH refers to the software implementation of the Secure Shell software used in the system. The OpenSSH Secure Shell, ssh, is used to securely run a shell on a remote system. If you have a user account on a remote Linux system providing SSH services, ssh is the command normally used to remotely log into that system. The ssh command can also be used to run an individual command on a remote system.

Secure Shell examples

Here are some examples of ssh command syntax for remote login and remote execution:

• Create a remote interactive shell as the current user, then return to your previous shell when done with the exit command.

[student@host ~]$ ssh remotehost
student@remotehost's password:
[student@remotehost ~]$ exit
Connection to remotehost closed.
[student@host ~]$

• Connect to a remote shell as a different user (remoteuser) on a selected host (remotehost):

[student@host ~]$ ssh remoteuser@remotehost
remoteuser@remotehost's password:
[remoteuser@remotehost ~]$

• Execute a single command (hostname) on a remote host (remotehost) and as a remote user (remoteuser) in a way that returns the output to the local display:

[student@host ~]$ ssh remoteuser@remotehost hostname
remoteuser@remotehost's password:
remotehost.example.com
[student@host ~]$
The w command displays a list of users currently logged in to the computer. This is especially useful to show which users are logged in using ssh from which remote locations, and what they are doing.

[student@host ~]$ w -f
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
student  tty1     :0                Wed08   2days  1:52m  0.07s pam: gdm-passwo
root     tty6                       12:33   4:14m 16.27s 15.74s -bash
student  pts/0    :0.0              Wed08   5:11   1.63s  1.60s /usr/bin/gnome-
student  pts/1    :0.0              Wed08  43:44  14.48s 13.81s vim hello.c
student  pts/3    :0.0              Wed14   0.00s  0.06s  0.06s w
visitor  pts/6    server2.example.  09:22   3:14   0.02s  0.02s -bash

In this example, user student logged in on virtual console 1 (tty1) through the graphical login (:0) at about 08:00 on Wednesday. User student currently has three pseudo-terminals open (pts/0, pts/1, and pts/3) started by the graphical environment; these are almost certainly terminal windows. In one window, student is editing hello.c. User root is logged in on virtual console 6, starting at 12:33 today. User visitor logged in on pseudo-terminal 6 at 09:22 today from the host server2.example.com (note that the name has been truncated), probably using ssh, and has been sitting idle at a shell prompt for three minutes and 14 seconds.

-
SS H host keys
S S H sec u re s com m u n ication t h ro u g h p u b l ic-key e n crypt i o n . W h e n a n s s h c l ient c o n n ects to a n
S S H server, before t h e c l ient l o g s i n , t h e server s e n d s i t a copy of its public key. T h i s i s u se d to
- set u p the s e c u re e n c ryption for the com m u n i c a t i o n c h a n n e l and to a u t h e n t icate the se rve r to
the cl ient.

- The fi rst t i m e a u s e r uses s s h to c o n nect to a particu l a r server, t h e s s h co m m a n d stores t h e


serve r ' s p u b l i c k e y i n t h e user's -/ . s s h / k nown_hos t s f i l e. Every t i m e t h e user c o n n ects after
that. the c l i e n t m a kes s u re it g ets the sa m e p u b l i c key from the server by compa r i n g the serve r ' s
- e n t r y i n t h e - / . s s h / known_hos t s f i l e to t h e p u b l ic k e y t h e server s e n t . I f t h e keys do not
match, t h e c l i e nt a s s u m e s that t h e n etwo r k t raffic is b e i n g h ij a c ke d or t h a t t h e server has b e e n
c o m p r o m i s e d , a n d b r e a k s the c o n n e c t i o n .
-

T h i s m e a n s t h a t if a server's p u b l i c k e y is c h a n g e d ( b e c a u s e t h e k e y was l ost d u e to h a rd


d rive fa i l u re, or re p l aced for some l e g i t i m ate reason), users w i l l need to u pdate t h e i r
-
-I . s s h / k n own_hos t s f i l es a n d re m ove t h e o l d entry i n ord e r to l o g i n .

• Host IDs are stored in ~/.ssh/known_hosts on your local client system:

  $ cat ~/.ssh/known_hosts
  remotehost,192.168.0.101 ssh-rsa AAAAB3Nzac...

• Host keys are stored in /etc/ssh/ssh_host_key* on the SSH server.

  $ ls /etc/ssh/*key*
  ssh_host_dsa_key      ssh_host_key      ssh_host_rsa_key
  ssh_host_dsa_key.pub  ssh_host_key.pub  ssh_host_rsa_key.pub

Note
An even better approach is to add entries matching a server's ssh_host_*key.pub files to
the user's ~/.ssh/known_hosts or to the system-wide /etc/ssh/ssh_known_hosts in
advance when the public keys change, so that users never have to accept an unverified key.
See ssh-keygen(1) (its -F and -R options look up and remove individual known_hosts
entries) and ssh-keyscan(1) for tools that help manage host keys.
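Reproducing the client's host key comparison, as an added example that is not part of the course text: the script below runs the check described above against a constructed known_hosts file (the host names, addresses and key blobs are made up, and the blobs are truncated rather than real keys) and separates the three outcomes the client can reach. The function names are the example's own; ssh-keygen -F and ssh-keygen -R are the real OpenSSH options for finding and removing a single host's entry.

```shell
#!/bin/sh
# Added example (not from the course): reproduce the client-side host key
# check against a constructed known_hosts file, then show the supported way
# to remove one stale entry instead of deleting the whole file.
set -u

# Constructed sample known_hosts; the key blobs are made up and truncated.
KNOWN_HOSTS=$(mktemp)
cat > "$KNOWN_HOSTS" <<'EOF'
# comment and blank lines are ignored by the client
remotehost,192.168.0.101 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample
serverX,172.25.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIexample
EOF

# check_host_key HOST KEYTYPE KEYBLOB
#   0 = the stored key for HOST matches what the server presented
#   1 = HOST is known but presented a different key (hijack or reinstall)
#   2 = no entry for HOST (first connection; the client would prompt)
check_host_key() {
    host=$1; type=$2; blob=$3
    # Field 1 is a comma-separated list of names and addresses; an entry
    # applies if any of them equals the host we are connecting to and the
    # key type in field 2 is the one the server offered.
    stored=$(awk -v h="$host" -v t="$type" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t) { print $3; exit }
        }' "$KNOWN_HOSTS")
    [ -z "$stored" ] && return 2
    [ "$stored" = "$blob" ] && return 0
    return 1
}

# host_key_status HOST KEYTYPE KEYBLOB: human-readable verdict, always exits 0
host_key_status() {
    rc=0
    check_host_key "$@" || rc=$?
    case $rc in
        0) echo "ok: $1 presented the key stored in known_hosts" ;;
        1) echo "MISMATCH: $1 presented a different $2 key; refusing to connect" ;;
        2) echo "unknown: no entry for $1; verify the fingerprint out of band" ;;
    esac
}

# forget_host HOST: drop only HOST's entry and keep every other trusted key.
# ssh-keygen -F prints the matching line, -R removes it (a .old backup is kept).
forget_host() {
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -F "$1" -f "$KNOWN_HOSTS" || true
        ssh-keygen -R "$1" -f "$KNOWN_HOSTS" || true
    else
        echo "ssh-keygen not installed; entry for $1 left in place"
    fi
}

host_key_status serverX ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIexample
host_key_status serverX ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIdifferent
host_key_status newhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCother
forget_host remotehost
```

Real known_hosts files may also contain hashed host names (lines beginning with |1|) and @cert-authority or @revoked markers, which this plain-text comparison does not understand; ssh-keygen -F handles those. Whenever the verdict is MISMATCH or unknown, compare the fingerprint with one obtained on the server itself (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub) or from its administrator before trusting the new key.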

Chapter 9. Configuring and Securing OpenSSH Service

References
Additional information may be available in the chapter on using the ssh utility in the
Red Hat Enterprise Linux System Administrator's Guide for Red Hat Enterprise Linux 7,
which can be found at http://docs.redhat.com/

ssh(1), w(1), and hostname(1) man pages

Practice: Accessing the Remote Command Line

Guided exercise
In this lab, students will log into a remote system as different users and execute commands.

Outcomes:
Students will log into a remote system and execute commands with the OpenSSH secure shell.

□ 1. Log in as student on your desktopX machine.

□ 2. ssh to your serverX machine. Accept the host key if asked. The host key is recorded on
     your local machine to identify the remote machine. The ssh command will fail to execute
     properly if the remote ssh host appears to have a different key than the recorded host
     key. The host key records are stored in the known_hosts file in the .ssh directory in the
     user's home directory on the local system.

     [student@desktopX ~]$ ssh student@serverX
     The authenticity of host 'serverX (172.25.X.11)' can't be established.
     ECDSA key fingerprint is 47:bf:82:cd:fa:68:06:ee:d8:83:03:1a:bb:29:14:a3.
     Are you sure you want to continue connecting (yes/no)? yes
     student@serverX's password: student

□ 3. Run the w command. The output of w clearly indicates we have logged in as user
     student from desktopX.

     [student@serverX ~]$ w -f
      11:01:23 up 1 day, 19:10,  1 user,  load average: 0, 0, 0
     USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
     student  pts/1    desktopX         11:01    0.00s  0.12s  0.09s w

□ 4. Execute the exit command to terminate the secure shell connection.

     [student@serverX ~]$ exit
     [student@desktopX ~]$

□ 5. This time, ssh to your serverX machine as user root.

     [student@desktopX ~]$ ssh root@serverX
     root@serverX's password: redhat
     [root@serverX ~]#

□ 6. Run the w command again. This time, the output of w shows the active connection to
     the root user account from desktopX.

     [root@serverX ~]# w -f
      11:01:23 up 1 day, 19:10,  1 user,  load average: 0, 0, 0
     USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
     root     pts/2    desktopX         11:09    0.00s  0.13s  0.08s w

□ 7. Run exit to terminate the secure shell connection.

     [root@serverX ~]# exit
     [student@desktopX ~]$

□ 8. There are different reasons why a remote host might have legitimately changed its
     host key. One common reason is when the remote machine is replaced because of
     hardware failure, or reinstalled. Usually, it is advisable to only remove the key entry for
     the particular host in known_hosts. In this case, there is only one host entry in
     known_hosts, so it can be removed completely. Remove the known_hosts file for the
     user student.

     [student@desktopX ~]$ rm ~/.ssh/known_hosts

□ 9. ssh to serverX as root again. Accept the key, log in, and then exit the session.

     [student@desktopX ~]$ ssh root@serverX
     The authenticity of host 'serverX (::1)' can't be established.
     ECDSA key fingerprint is 47:bf:82:cd:fa:68:06:ee:d8:83:03:1a:bb:29:14:a3.
     Are you sure you want to continue connecting (yes/no)? yes
     root@serverX's password: redhat
     [root@serverX ~]# exit
     [student@desktopX ~]$

□ 10. Use ssh non-interactively to run the hostname command on serverX as root.

     [student@desktopX ~]$ ssh root@serverX hostname
     root@serverX's password: redhat
     serverX.example.com

Configuring SSH Key-based Authentication

Objective
After completing this section, students should be able to set up SSH to allow secure logins
without passwords by using a private authentication key file.

SSH key-based authentication
Users can authenticate ssh logins without a password by using public key authentication. ssh
allows users to authenticate using a private-public key scheme. This means that two keys are
generated, a private key and a public key. The private key file is used as the authentication
credential, and like a password, must be kept secret and secure. The public key is copied to
systems the user wants to log into, and is used to verify the private key. The public key does not
need to be secret. An SSH server that has the public key can issue a challenge that can only
be answered by a system holding your private key. As a result, you can authenticate using the
presence of your key. This allows you to access systems in a way that doesn't require typing a
password every time, but is still secure.

Key generation is done using the ssh-keygen command. This generates the private key
~/.ssh/id_rsa and the public key ~/.ssh/id_rsa.pub.

Note
During key generation, there is the option to specify a passphrase which must be
provided in order to access your private key. In the event the private key is stolen,
it is very difficult for someone other than the owner to use it when it is protected with a
passphrase. This adds enough of a time buffer to make a new key pair and remove all
references to the old keys before the private key can be used by an attacker who has
cracked it.

It is always wise to passphrase-protect the private key since the key allows access to
other machines. However, this means the passphrase must be entered whenever the
key is used, making the authentication process no longer password-less. This can be
avoided using ssh-agent, which can be given your passphrase once at the start of the
session (using ssh-add), so it can provide the key as needed while you stay
logged in.

For additional information on the ssh-agent command, consult the Red Hat System
Administration Guide, Chapter 8.2.4.2.: Configuring ssh-agent.

Once the SSH keys have been generated, they are stored by default in the .ssh/ directory of
your home directory. Permissions should be 600 on the private key and 644 on the public key;
ssh refuses to use a private key that other users can read.

Before key-based authentication can be used, the public key needs to be copied to the
destination system. This can be done with ssh-copy-id.

  [student@desktopX ~]$ ssh-copy-id root@desktopY

When the key is copied to another system using ssh-copy-id, it copies the
~/.ssh/id_rsa.pub file by default, appending it to ~/.ssh/authorized_keys of the target
account and creating that directory and file with suitable permissions if they do not exist.

SSH key demonstration
• Use ssh-keygen to create a public-private key pair.

  [student@desktopX ~]$ ssh-keygen
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/student/.ssh/id_rsa): Enter
  Created directory '/home/student/.ssh'.
  Enter passphrase (empty for no passphrase): redhat
  Enter same passphrase again: redhat
  Your identification has been saved in /home/student/.ssh/id_rsa.
  Your public key has been saved in /home/student/.ssh/id_rsa.pub.
  The key fingerprint is:
  a4:49:cf:fb:ac:ab:c8:ce:45:33:f2:ad:69:7b:d2:5a student@desktopX.example.com
  The key's randomart image is:
  +--[ RSA 2048]----+
  |       ...       |
  +-----------------+

• Use ssh-copy-id to copy the public key to the correct location on a remote system. For
  example:

  [student@desktopX ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@serverX.example.com
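Auditing the permissions this section specifies, as an added example that is not the course's own code: the functions below check a ~/.ssh directory the way ssh and sshd actually do, repair it, and wrap the ssh-agent/ssh-add sequence from the Note above. It assumes GNU coreutils (stat -c) and the OpenSSH client tools; the function names and the throwaway directory created for the demonstration are the example's own.

```shell
#!/bin/sh
# Added example (not from the course): audit and repair the modes that ssh
# and sshd expect on a user's key material, and load a passphrase-protected
# key into an agent once per session. Assumes GNU coreutils (stat -c).
set -u

# mode_bits PATH: permission bits as an octal literal usable in $(( ))
mode_bits() { printf '0%s' "$(stat -c '%a' "$1")"; }

# check_key_perms DIR: report every file under DIR that ssh or sshd would
# reject. Returns 1 if anything is wrong, 0 otherwise; missing files are
# skipped. The rules mirror the real refusals, not just the recommended
# modes: sshd (StrictModes yes, the default) ignores a .ssh directory or
# authorized_keys that group/world can write; ssh rejects a private key
# that group/world can access at all; the public key should be 644.
check_key_perms() {
    dir=$1; bad=0
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        if [ $(( $(mode_bits "$f") & 022 )) -ne 0 ]; then
            echo "$f: mode $(stat -c '%a' "$f") is group/world writable"; bad=1
        fi
    done
    if [ -e "$dir/id_rsa" ] && [ $(( $(mode_bits "$dir/id_rsa") & 077 )) -ne 0 ]; then
        echo "$dir/id_rsa: mode $(stat -c '%a' "$dir/id_rsa") is too open (want 600)"; bad=1
    fi
    if [ -e "$dir/id_rsa.pub" ] && [ "$(stat -c '%a' "$dir/id_rsa.pub")" != 644 ]; then
        echo "$dir/id_rsa.pub: mode $(stat -c '%a' "$dir/id_rsa.pub") (want 644)"; bad=1
    fi
    return $bad
}

# fix_key_perms DIR: apply the modes this section recommends
fix_key_perms() {
    dir=$1
    chmod 700 "$dir"
    [ -e "$dir/id_rsa" ] && chmod 600 "$dir/id_rsa"
    [ -e "$dir/id_rsa.pub" ] && chmod 644 "$dir/id_rsa.pub"
    [ -e "$dir/authorized_keys" ] && chmod 600 "$dir/authorized_keys"
    return 0
}

# agent_session KEYFILE: start an agent for this shell, add the key (the
# passphrase is asked once) and list what is loaded. Interactive use only;
# stop the agent with `ssh-agent -k` when the session ends.
agent_session() {
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$1"
    ssh-add -l
}

# Demonstration on a constructed, deliberately misconfigured directory.
DEMO=$(mktemp -d)
mkdir -m 775 "$DEMO/.ssh"
: > "$DEMO/.ssh/id_rsa";          chmod 644 "$DEMO/.ssh/id_rsa"
: > "$DEMO/.ssh/id_rsa.pub";      chmod 600 "$DEMO/.ssh/id_rsa.pub"
: > "$DEMO/.ssh/authorized_keys"; chmod 664 "$DEMO/.ssh/authorized_keys"
check_key_perms "$DEMO/.ssh" || echo "-- repairing $DEMO/.ssh"
fix_key_perms "$DEMO/.ssh"
check_key_perms "$DEMO/.ssh" && echo "-- $DEMO/.ssh is now acceptable to ssh and sshd"
rm -rf "$DEMO"
```

A world-writable authorized_keys is the classic cause of "key login silently falls back to the password prompt": sshd does not report why it ignored the file to the client, only to its own log. Run agent_session ~/.ssh/id_rsa in an interactive shell after generating a passphrase-protected key; subsequent ssh and ssh-copy-id invocations in that shell use the loaded key without prompting.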

References
Additional information may be available in the chapter on using key-based
authentication in the Red Hat Enterprise Linux System Administrator's Guide for Red
Hat Enterprise Linux 7, which can be found at http://docs.redhat.com/

ssh-keygen(1), ssh-copy-id(1), ssh-agent(1), ssh-add(1) man pages

Practice: Using SSH Key-based Authentication

Guided exercise
In this lab, you will set up SSH key-based authentication.

Outcomes:
Students will set up SSH user key-based authentication to initiate SSH connections.

□ 1. Create an SSH key pair as student on desktopX using no passphrase.

     [student@desktopX ~]$ ssh-keygen
     Generating public/private rsa key pair.
     Enter file in which to save the key (/home/student/.ssh/id_rsa): Enter
     Created directory '/home/student/.ssh'.
     Enter passphrase (empty for no passphrase): Enter
     Enter same passphrase again: Enter
     Your identification has been saved in /home/student/.ssh/id_rsa.
     Your public key has been saved in /home/student/.ssh/id_rsa.pub.

□ 2. Send the SSH public key to the student account on serverX.

     [student@desktopX ~]$ ssh-copy-id serverX
     The authenticity of host 'serverX (172.25.X.11)' can't be established.
     ECDSA key fingerprint is 33:fa:a1:3c:98:30:ff:f6:d4:99:00:4e:7f:84:3e:c3.
     Are you sure you want to continue connecting (yes/no)? yes
     /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter
     out any that are already installed
     /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are
     prompted now it is to install the new keys
     student@serverX's password: student

     Number of key(s) added: 1

     Now try logging into the machine, with: "ssh 'student@serverX'"
     and check to make sure that only the key(s) you wanted were added.

□ 3. Run the hostname command by using ssh to display the host name of the
     serverX.example.com machine without the need to enter a password.

     [student@desktopX ~]$ ssh serverX 'hostname'
     serverX.example.com

Customizing SSH Service Configuration

Objective
After completing this section, students should be able to customize sshd configuration to restrict
direct logins as root or to disable password-based authentication.

The OpenSSH server configuration file
While OpenSSH server configuration usually does not require modification, additional security
measures are available.

Various aspects of the OpenSSH server can be modified in the configuration file
/etc/ssh/sshd_config.

Prohibit the root user from logging in using SSH
From a security standpoint, it is advisable to prohibit the root user from directly logging into the
system with ssh.

• The user name root exists on every Linux system by default, so a potential attacker only has to
  guess the password, instead of a valid user name and password combination.

• The root user has unrestricted privileges.

The OpenSSH server has an internal configuration file setting to prohibit a system login as user
root, which is commented out by default in the /etc/ssh/sshd_config file:

  #PermitRootLogin yes

By enabling the previous option in the /etc/ssh/sshd_config configuration file as follows,
the root user will be unable to log into the system using the ssh command after the sshd service
has been restarted:

  PermitRootLogin no

The commented-out line documents the compiled-in default. sshd uses the first active
occurrence of a keyword and ignores later ones, and a directive placed after a Match block
applies only within that block, so put the new line where the commented default is rather than
at the end of the file.

The sshd service has to be restarted to put the changes into effect:

  [root@serverX ~]# systemctl restart sshd

Another option is to only allow key-based ssh login as root with:

  PermitRootLogin without-password

Prohibit password authentication using SSH
Only allowing key-based logins to the remote command line has various advantages:

• An SSH private key has far more entropy than an average password, so it cannot be guessed
  by online brute force the way a password can.

• Less effort to initiate remote shell access after the initial setup.

There is an option in the /etc/ssh/sshd_config configuration file which turns on password
authentication by default:

  PasswordAuthentication yes

To prevent password authentication, the PasswordAuthentication option has to be set to no
and the sshd service needs to be restarted:

  PasswordAuthentication no

Make sure your own key-based login works before disabling passwords, and keep the session
you are editing from open until you have confirmed from a second terminal that you can still log
in. Restarting sshd does not terminate sessions that are already established, so a mistake is
still recoverable at that point.

Keep in mind that whenever you change the /etc/ssh/sshd_config file, the sshd service has
to be restarted:

  [root@serverX ~]# systemctl restart sshd
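Applying the two settings above safely, as an added example that is not part of the course text: set_sshd_option edits an sshd_config idempotently, honouring two rules from sshd_config(5) that hand editing often trips over (the first active occurrence of a keyword wins, and lines after a Match block apply only inside it), and the file is syntax-checked with sshd -t before any restart. The sample fragment is constructed and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the course): set PermitRootLogin and
# PasswordAuthentication in an sshd_config idempotently and before any
# Match block, then validate the file before restarting sshd.
set -u

# set_sshd_option FILE KEYWORD VALUE
# Replace the first global occurrence of KEYWORD (commented default or
# active line) with "KEYWORD VALUE", comment out later active global
# duplicates, and if there is no global occurrence insert the directive
# before the first Match block (or append it when there is none).
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # look through a leading "#"
            split(line, f, /[ \t=]+/)
            word = tolower(f[1])                  # keywords are case-insensitive
            active = ($0 !~ /^[ \t]*#/)
        }
        word == "match" && active { if (!done) { print k " " v; done = 1 } in_match = 1 }
        !in_match && word == tolower(k) {
            if (!done)       { print k " " v; done = 1 }
            else if (active) { print "#" $0 "   # superseded by the line above" }
            else             { print }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # overwrite in place so mode and owner are kept
    rm -f "$tmp"
}

# harden_sshd_config FILE: the two settings this section recommends
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}

# check_sshd_config FILE: syntax check before restarting; a broken file
# would leave sshd unable to start and lock you out of the server.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not in PATH; run: /usr/sbin/sshd -t -f $1"
    fi
}

# Constructed sample fragment (not a real server's file) showing the
# commented default, an active duplicate and a Match block.
F=$(mktemp)
cat > "$F" <<'EOF'
# sample sshd_config fragment
#PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
Match User visitor
    PasswordAuthentication yes
EOF
harden_sshd_config "$F"
cat "$F"
check_sshd_config "$F" || echo "sshd -t rejected the file; do not restart yet"
rm -f "$F"
```

On a real server, back the file up first (cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak), run harden_sshd_config /etc/ssh/sshd_config and check_sshd_config /etc/ssh/sshd_config as root, and only then systemctl restart sshd. sshd -T | grep -iE '^(permitrootlogin|passwordauthentication) ' prints the values the running daemon actually uses, which is the check that catches a directive that landed inside a Match block. The PasswordAuthentication line inside the sample's Match block is deliberately left alone: it is that user's override and the global setting no longer reaches it.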

References
ssh(1), sshd_config(5) man pages

Practice: Restricting SSH Logins

Guided exercise
In this lab, you will enable additional security features in OpenSSH.

Outcomes:
Prohibit direct SSH login as root on serverX; prohibit users from using passwords to log in
through SSH to serverX; public key authentication should still be allowed for regular users.

Before you begin...
Reset the desktopX and serverX systems.

Run lab ssh setup on both desktopX and serverX. This will create a user account called
visitor with a password of password.

  [student@desktopX ~]$ lab ssh setup
  [student@serverX ~]$ lab ssh setup

□ 1. Generate SSH keys on desktopX, copy the public key to the student account on serverX,
     and verify that the keys are working.

     □ 1.1. Generate the SSH keys on desktopX.

     [student@desktopX ~]$ ssh-keygen
     Generating public/private rsa key pair.
     Enter file in which to save the key (/home/student/.ssh/id_rsa): Enter
     Created directory '/home/student/.ssh'.
     Enter passphrase (empty for no passphrase): Enter
     Enter same passphrase again: Enter
     Your identification has been saved in /home/student/.ssh/id_rsa.
     Your public key has been saved in /home/student/.ssh/id_rsa.pub.

     □ 1.2. Copy the SSH public key to the student account on serverX.

     [student@desktopX ~]$ ssh-copy-id serverX
     The authenticity of host 'serverX (172.25.X.11)' can't be established.
     ECDSA key fingerprint is 33:fa:a1:3c:98:30:ff:f6:d4:99:00:4e:7f:84:3e:c3.
     Are you sure you want to continue connecting (yes/no)? yes
     /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to
     filter out any that are already installed
     /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are
     prompted now it is to install the new keys
     student@serverX's password: student

     Number of key(s) added: 1

     Now try logging into the machine, with: "ssh 'student@serverX'"
     and check to make sure that only the key(s) you wanted were added.

     □ 1.3. Verify that key-based SSH authentication is working for user student on serverX.

     [student@desktopX ~]$ ssh student@serverX
     [student@serverX ~]$

□ 2. Log into the serverX machine and obtain superuser privileges.

     [student@desktopX ~]$ ssh student@serverX
     [student@serverX ~]$ su -
     Password: redhat
     [root@serverX ~]#

□ 3. Configure SSH on serverX to prevent root logins.

     □ 3.1. As user root, edit /etc/ssh/sshd_config on serverX so that
     "PermitRootLogin" is uncommented and set to "no".

     PermitRootLogin no

     □ 3.2. Restart the SSH service on the serverX machine.

     [root@serverX ~]# systemctl restart sshd

     □ 3.3. Confirm that root cannot log in with SSH, but student is permitted to log in.

     [student@desktopX ~]$ ssh root@serverX
     Password: redhat
     Permission denied, please try again.
     Password: redhat
     Permission denied, please try again.
     Password: redhat
     Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
     [student@desktopX ~]$ ssh student@serverX
     [student@serverX ~]$

□ 4. Configure SSH on serverX to prevent password authentication.

     □ 4.1. Edit the configuration file /etc/ssh/sshd_config as user root so that the
     "PasswordAuthentication" entry is set to "no":

     PasswordAuthentication no

     □ 4.2. Restart the SSH service.

     [root@serverX ~]# systemctl restart sshd

     □ 4.3. Confirm that visitor cannot log in using a password, but student is permitted
     to log in using the SSH keys created earlier.

     [student@desktopX ~]$ ssh visitor@serverX
     Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
     [student@desktopX ~]$ ssh student@serverX
     [student@serverX ~]$

Lab: Configuring and Securing OpenSSH Service

Performance checklist
In this lab, you will add security measures to the ssh service.

Outcomes:
Students will set up SSH keys, configure and exclusively allow user key-based authentication, and
lock down the OpenSSH service to prevent the root user from logging into the system by using
SSH.

Before you begin...
Reset the desktopX and serverX systems.

Run lab ssh setup as the student user on both desktopX and serverX. This will create a user
account called visitor with a password of password.

  [student@desktopX ~]$ lab ssh setup
  [student@serverX ~]$ lab ssh setup

Unless specified, all steps are to be performed as user visitor.

1. Generate SSH keys on desktopX for user visitor and copy the public key to the visitor
   account on serverX.

2. Disable ssh login for the root user and password-based SSH authentication on serverX.

3. Verify that user root is not allowed to log in to serverX by using ssh, while user visitor can
   still do so with the private key.

Solution
In this lab, you will add security measures to the ssh service.

Outcomes:
Students will set up SSH keys, configure and exclusively allow user key-based authentication, and
lock down the OpenSSH service to prevent the root user from logging into the system by using
SSH.

Before you begin...
Reset the desktopX and serverX systems.

Run lab ssh setup as the student user on both desktopX and serverX. This will create a user
account called visitor with a password of password.

  [student@desktopX ~]$ lab ssh setup
  [student@serverX ~]$ lab ssh setup

Unless specified, all steps are to be performed as user visitor.

1. Generate SSH keys on desktopX for user visitor and copy the public key to the visitor
   account on serverX.

   1.1. Generate an SSH key pair on desktopX as user visitor.

   [visitor@desktopX ~]$ ssh-keygen

   1.2. Install the SSH public key generated previously on desktopX to the visitor account on
   serverX.

   [visitor@desktopX ~]$ ssh-copy-id serverX
   The authenticity of host 'serverX (172.25.X.11)' can't be established.
   ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
   Are you sure you want to continue connecting (yes/no)? yes
   /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter
   out any that are already installed
   /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are
   prompted now it is to install the new keys
   visitor@serverX's password: password

   Number of key(s) added: 1

   Now try logging into the machine, with: "ssh 'visitor@serverX'"
   and check to make sure that only the key(s) you wanted were added.

2. Disable ssh login for the root user and password-based SSH authentication on serverX.

   2.1. Log into the serverX virtual machine as user root.

   [visitor@desktopX ~]$ ssh root@serverX

   2.2. Customize the ssh service on serverX by disabling SSH connections for the user root
   and only allowing key-based login.

   Set the necessary config file parameters in /etc/ssh/sshd_config:

   PermitRootLogin no
   PasswordAuthentication no

   2.3. Restart the sshd service on serverX.

   [root@serverX ~]# systemctl restart sshd

3. Verify that user root is not allowed to log in to serverX by using ssh, while user visitor can
   still do so with the private key.

   3.1. In a different terminal window on desktopX, validate that user root cannot connect to
   serverX with the ssh command. It should fail because we disabled root logins with the
   ssh service.

   [visitor@desktopX ~]$ ssh root@serverX
   Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

   3.2. Try logging in as user student to serverX from desktopX by using ssh. It should fail
   because we did not add the public key from that user to the student account on the
   serverX machine.

   [visitor@desktopX ~]$ ssh student@serverX
   Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

   3.3. Verify the ssh service is still accepting key-based authentication by successfully
   connecting to serverX as user visitor with the ssh command.

   [visitor@desktopX ~]$ ssh visitor@serverX
   [visitor@serverX ~]$

Summary
Accessing the Remote Command Line with SSH
  The OpenSSH service is the standard software to securely access the remote command
  line.

Configuring SSH Key-based Authentication
  Utilizing key-based SSH authentication adds additional security to remote systems
  administration.

Customizing SSH Service Configuration
  The configuration of the OpenSSH service, sshd, can be changed by editing the file
  /etc/ssh/sshd_config and restarting the service with systemctl.