CHAPTER 8
Overview
Objectives
After completing this section, students should be able to list system daemons and network services started by the systemd service and socket units.

Daemons are processes that wait or run in the background performing various tasks. Generally, daemons start automatically at boot time and continue to run until shutdown or until they are manually stopped. By convention, the names of many daemon programs end in the letter "d".
A bit of history
For many years, process ID 1 of Linux and UNIX systems has been the init process. This process was responsible for activating other services on the system and is the origin of the term "init system." Frequently used daemons were started on systems at boot time with System V and LSB init scripts. These are shell scripts, and may vary from one distribution to another. Less frequently used daemons were started on demand by another service, such as inetd or xinetd, which listens for client connections. These systems have several limitations, which are addressed with systemd.
196 RH124-RHEL7-en-1-20140606
Introduction to systemd

Note
With systemd, shell-based service scripts are used only for a few legacy services. Therefore, configuration files with shell variables, such as those found in /etc/sysconfig, are being replaced. Those still in use are included as systemd environment files and read as NAME=VALUE pairs. They are no longer sourced as a shell script.
Important
The systemctl command may abbreviate or "ellipsize" unit names, process tree entries, and unit descriptions unless run with the -l option.
• Service units have a .service extension and represent system services. This type of unit is used to start frequently accessed daemons, such as a web server.
Service states

The status of a service can be viewed with systemctl status name.type. If the unit type is not provided, systemctl will show the status of a service unit, if one exists.
Feb 27 11:51:39 serverX.example.com sshd[1573]: Could not load host key: /et...y
Feb 27 11:51:39 serverX.example.com sshd[1573]: Server listening on 0.0.0.0 ...
Feb 27 11:51:39 serverX.example.com sshd[1573]: Server listening on :: port 22.
Feb 27 11:53:21 serverX.example.com sshd[1275]: error: Could not load host k...y
Feb 27 11:53:22 serverX.example.com sshd[1275]: Accepted password for root f...2
Hint: Some lines were ellipsized, use -l to show in full.
Several keywords indicating the state of the service can be found in the status output:
Chapter 8. Controlling Services and Daemons
Keyword:            Description:
loaded              Unit configuration file has been processed.
active (running)    Running with one or more continuing processes.
active (exited)     Successfully completed a one-time configuration.
active (waiting)    Running but waiting for an event.
inactive            Not running.
enabled             Will be started at boot time.
disabled            Will not be started at boot time.
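The journal lines that systemctl status prints for sshd above include an "Accepted password for root" entry. The shell functions below are an added example, not part of the course material: they scan sshd lines of that shape and report which accounts logged in with a password, so root password logins (the very thing the SSH chapter later switches off with PermitRootLogin and PasswordAuthentication) stand out. The host name, PIDs and addresses in the sample are constructed.

```bash
#!/bin/sh
# Added example, not from the course: report password-based SSH logins from
# sshd journal lines like those shown by "systemctl status sshd".
# Constructed sample lines (host, PIDs and addresses are made up).
SSHD_LOG='Feb 27 11:51:39 serverX.example.com sshd[1573]: Server listening on 0.0.0.0 port 22.
Feb 27 11:53:22 serverX.example.com sshd[1275]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Feb 27 11:55:02 serverX.example.com sshd[1301]: Accepted publickey for student from 192.0.2.11 port 51240 ssh2
Feb 27 11:57:48 serverX.example.com sshd[1342]: Failed password for root from 192.0.2.12 port 51301 ssh2
Feb 27 11:58:10 serverX.example.com sshd[1360]: Accepted password for visitor from 192.0.2.13 port 51310 ssh2'

# password_logins [USER]: print "user source-address" for every successful
# password login in SSHD_LOG; with USER given, only that account.
# Field layout of an accepted-login line:
#   $5=sshd[PID]: $6=Accepted $7=password $8=for $9=user $10=from $11=address
password_logins() {
    printf '%s\n' "$SSHD_LOG" | awk -v want="$1" '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $7 == "password" {
            if (want == "" || $9 == want) print $9, $11
        }'
}

# Number of successful password logins for root; anything above 0 deserves
# a look on a host where root should only use keys or not log in at all.
count_root_password_logins() {
    password_logins root | wc -l | tr -d ' '
}

# Stand-alone run: list everyone who logged in with a password, then root's count.
password_logins
echo "root password logins: $(count_root_password_logins)"
```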
Note
The systemctl status NAME command replaces the service NAME status command used in previous versions of Red Hat Enterprise Linux.

Note
Notice that the systemctl command will automatically paginate the output with less. Use the -l option to show the full output.
[root@serverX ~]# systemctl is-active sshd
[root@serverX ~]# systemctl is-enabled sshd
Listing unit files with systemctl

[root@serverX ~]# systemctl list-units --type=service
[root@serverX ~]# systemctl list-units --type=service --all
7. View only failed services.
[root@serverX ~]# systemctl --failed --type=service
References
systemd(1), systemd.unit(5), systemd.service(5), systemd.socket(5), and systemctl(1) man pages
Guided exercise

Before you begin...
3. Explore the status of the chronyd service. This service is used for network time synchronization (NTP).
[student@serverX ~]$ ps -p PID
[student@serverX ~]$ sudo systemctl is-active sshd
[student@serverX ~]$ sudo systemctl list-unit-files --type=service
Objectives

1. View the status of a service.
[root@serverX ~]# systemctl status sshd.service
2. Verify that the process is running.
[root@serverX ~]# ps -up PID
[root@serverX ~]# systemctl stop sshd.service
[root@serverX ~]# systemctl status sshd.service
4. Start the service and view the status. The process ID has changed.
[root@serverX ~]# systemctl start sshd.service
[root@serverX ~]# systemctl status sshd.service
[root@serverX ~]# systemctl restart sshd.service
[root@serverX ~]# systemctl status sshd.service
[root@serverX ~]# systemctl reload sshd.service
[root@serverX ~]# systemctl status sshd.service
Unit dependencies
Services may be started as dependencies of other services. If a socket unit is enabled and the service unit with the same name is not, the service will automatically be started when a request is made on the network socket. Services may also be triggered by path units when a file system condition is met. For example, a file placed into the print spool directory will cause the cups print service to be started if it is not running.
cups.socket
Masking services
At times, a system may have conflicting services installed. For example, there are multiple methods to manage networks (network and NetworkManager) and firewalls (iptables and firewalld). To prevent an administrator from accidentally starting a service, that service may be masked. Masking will create a link in the configuration directories so that if the service is started, nothing will happen.
Important
A disabled service will not be started automatically at boot or by other unit files, but can be started manually. A masked service cannot be started manually or automatically.
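The masked / disabled / enabled distinction above is visible on disk. The script below is an added example, not part of the course: it classifies a unit from the links systemctl leaves under /etc/systemd/system, going a little beyond the text by also recognising enabled units. It assumes the usual conventions (masking links the unit name to /dev/null; enabling links it into a *.wants directory such as multi-user.target.wants) and runs against a scratch directory that stands in for /etc/systemd/system.

```bash
#!/bin/sh
# Added example, not from the course: classify a unit's boot-time state from
# the links under a systemd configuration directory. Assumed conventions:
#   mask   -> <confdir>/<unit> is a symlink to /dev/null
#   enable -> <confdir>/<target>.wants/<unit> is a symlink to the unit file
# A scratch directory replaces the real /etc/systemd/system here.

# unit_boot_state UNIT CONFDIR: print masked, enabled or disabled.
unit_boot_state() {
    unit="$1"; confdir="$2"
    if [ -L "$confdir/$unit" ] && [ "$(readlink "$confdir/$unit")" = "/dev/null" ]; then
        echo masked      # a start request loads an empty unit and does nothing
    elif [ -n "$(find "$confdir" -type l -path "*.wants/$unit" 2>/dev/null)" ]; then
        echo enabled     # pulled in by a target at boot
    else
        echo disabled    # not started at boot, but can still be started by hand
    fi
}

# Constructed state, modelled on the conflicting services named in the text.
CONF_DIR="$(mktemp -d)"
mkdir -p "$CONF_DIR/multi-user.target.wants"
ln -s /dev/null "$CONF_DIR/network.service"                     # masked
ln -s /usr/lib/systemd/system/NetworkManager.service \
      "$CONF_DIR/multi-user.target.wants/NetworkManager.service" # enabled (link target need not exist)
: > "$CONF_DIR/chronyd.service"                                  # unit file, no wants link: disabled

for u in network.service NetworkManager.service chronyd.service; do
    echo "$u: $(unit_boot_state "$u" "$CONF_DIR")"
done
```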
References
systemd(1), systemd.unit(5), systemd.service(5), systemd.socket(5), and systemctl(1) man pages
Guided exercise
In this lab, you will manage a service unit that is already installed on the system.
Outcomes:
The chronyd service is disabled and no longer running on the system.
1.1. Display the status of the sshd service. Note the process ID of the daemon.
[student@serverX ~]$ sudo systemctl status sshd
1.2. Restart the sshd service and view the status. The process ID of the daemon has changed.
[student@serverX ~]$ sudo systemctl restart sshd
[student@serverX ~]$ sudo systemctl status sshd
1.3. Reload the sshd service and view the status. The process ID of the daemon has not changed and connections have not been interrupted.
[student@serverX ~]$ sudo systemctl reload sshd
[student@serverX ~]$ sudo systemctl status sshd
[student@serverX ~]$ sudo systemctl stop chronyd
[student@serverX ~]$ sudo systemctl status chronyd
[student@serverX ~]$ sudo systemctl is-enabled chronyd
[student@serverX ~]$ sudo systemctl disable chronyd
[student@serverX ~]$ sudo systemctl status chronyd
Lab: Controlling Services and Daemons
Performance checklist
In this lab, you will manage a service unit that is already installed on the system.

Outcomes:
The psacct service is enabled and running on the system, and the rsyslog service is disabled and no longer running on the system.
Solution

Outcomes:
The psacct service is enabled and running on the system, and the rsyslog service is disabled and no longer running on the system.

Before you begin...
Reset your serverX system.
1. Start the psacct service.
[student@serverX ~]$ sudo systemctl start psacct
2. Configure the psacct service so that it starts at system boot.
[student@serverX ~]$ sudo systemctl enable psacct
[student@serverX ~]$ sudo systemctl status psacct
[student@serverX ~]$ sudo systemctl stop rsyslog
[student@serverX ~]$ sudo systemctl status rsyslog
[student@serverX ~]$ sudo systemctl disable rsyslog
[student@serverX ~]$ sudo systemctl status rsyslog
Summary

Controlling System Services
Start, stop, and enable services using systemctl.
CHAPTER 9
Overview
SSH

Objective
After completing this section, students should be able to log in to a remote system using ssh to

system. If you have a user account on a remote Linux system providing SSH services, ssh is the command normally used to remotely log into that system. The ssh command can also be used to run an individual command on a remote system.
[student@host ~]$ ssh remotehost

Connect to a remote shell as a different user (remoteuser) on a selected host (remotehost):
[student@host ~]$ ssh remoteuser@remotehost
The w command displays a list of users currently logged in to the computer. This is especially

[student@host ~]$ w -f
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
SSH host keys
SSH secures communication through public-key encryption. When an ssh client connects to an SSH server, before the client logs in, the server sends it a copy of its public key. This is used to set up the secure encryption for the communication channel and to authenticate the server to the client.
$ ls /etc/ssh/*key*
Note
An even better approach is to add entries matching a server's ssh_host_*key.pub files to user ~/.ssh/known_hosts or the system wide /etc/ssh/ssh_known_hosts in advance when the public keys change. See ssh-copy-id(1) for an advanced way to manage SSH keys.
References
Guided exercise

In this lab, students will log into a remote system as different users and execute commands.
Outcomes:
Students will log into a remote system and execute commands with the OpenSSH secure shell.
1. Log in as student on your desktopX machine.
[student@serverX ~]$ w -f
4. Execute the exit command to terminate the secure shell connection.
[student@serverX ~]$ exit
[student@desktopX ~]$
5. This time, ssh to your serverX machine as user root.

6. Run the w command again. This time, the output of the w shows the active connection to the root user account from desktopX.
[root@serverX ~]# w -f
11:01:23 up 1 day, 19:10, 1 user, load average: 0, 0, 0
8. There are different reasons why a remote host might have legitimately changed its host key. One common reason is when the remote machine is replaced because of hardware failure, or reinstalled. Usually, it is advisable to only remove the key entry for the particular host in the known_hosts. In this case, there is only one host entry in the known_hosts, so it can be removed completely. Remove the known_hosts file for the user student.
[student@desktopX ~]$ rm ~/.ssh/known_hosts
[student@desktopX ~]$
[student@desktopX ~]$ ssh root@serverX
Configuring SSH Key-based Authentication

Objective
After completing this section, students should be able to set up SSH to allow secure logins without passwords by using a private authentication key file.
Note
During key generation, there is the option to specify a passphrase which must be provided in order to access your private key. In the event the private key is stolen, it is very difficult for someone other than the issuer to use it when protected with a passphrase. This adds enough of a time buffer to make a new key pair and remove all references to the old keys before the private key can be used by an attacker who has cracked it.

It is always wise to passphrase-protect the private key since the key allows access to other machines. However, this means the passphrase must be entered whenever the key is used, making the authentication process no longer password-less. This can be avoided using ssh-agent, which can be given your passphrase once at the start of the session (using ssh-add), so it can provide the passphrase as needed while you stay logged in.
[student@desktopX ~]$ ssh-copy-id root@desktopY

When the key is copied to another system using ssh-copy-id, it copies the ~/.ssh/id_rsa.pub file by default.
SSH key demonstration
• Use ssh-keygen to create a public-private key pair.
[student@desktopX ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_rsa): Enter
+--[ RSA 2048]----+
[the key's randomart image]
+-----------------+
[student@desktopX ~]$
References
Additional information may be available in the chapter on using key-based
Guided exercise
In this lab, you will set up SSH key-based authentication.

Outcomes:
Students will set up SSH user key-based authentication to initiate SSH connections.

1. Create an SSH key pair as student on desktopX using no passphrase.

Your public key has been saved in /home/student/.ssh/id_rsa.pub.
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Now try logging into the machine, with: "ssh 'student@serverX'"
and check to make sure that only the key(s) you wanted were added.
[student@desktopX ~]$ ssh serverX 'hostname'
serverX.example.com
Objective

root, which is commented out by default in the /etc/ssh/sshd_config file:
#PermitRootLogin yes

PermitRootLogin no
Another option is to only allow key-based ssh login as root with:
PermitRootLogin without-password
PasswordAuthentication yes

To prevent password authentication, the PasswordAuthentication option has to be set to no and the sshd service needs to be restarted:
PasswordAuthentication no
Keep in mind that whenever you change the /etc/ssh/sshd_config file, the sshd service has to be restarted:
[root@serverX ~]# systemctl restart sshd
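A quick way to confirm that an edited sshd_config really has the two settings from this section is to read them back the way sshd does. The script below is an added example, not part of the course: effective_sshd_option reports the value sshd would use for a keyword (first uncommented match wins, and a "#PermitRootLogin yes" line is only a comment documenting the default), and audit_sshd_config fails unless PermitRootLogin and PasswordAuthentication are both no. The sample files are constructed and Match blocks are not handled; both are assumptions of this example.

```bash
#!/bin/sh
# Added example, not from the course: show the effective value of an sshd_config
# keyword and audit the two settings this section changes. sshd takes the first
# uncommented occurrence of a keyword; "#PermitRootLogin yes" is only a comment
# that documents the built-in default. Match blocks are not handled (assumption).

# effective_sshd_option KEYWORD FILE DEFAULT: print the value sshd would use.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ { next }                        # comments, including "#Keyword value"
        tolower($1) == key && !found { print $2; found = 1 }
        END { if (!found) print def }
    ' "$2"
}

# audit_sshd_config FILE: succeed only when root logins and password
# authentication are both switched off, printing what still needs changing.
audit_sshd_config() {
    rc=0
    root_login="$(effective_sshd_option PermitRootLogin "$1" yes)"
    pw_auth="$(effective_sshd_option PasswordAuthentication "$1" yes)"
    [ "$root_login" = "no" ] || { echo "PermitRootLogin is '$root_login', expected no"; rc=1; }
    [ "$pw_auth" = "no" ]    || { echo "PasswordAuthentication is '$pw_auth', expected no"; rc=1; }
    return $rc
}

# Constructed sample files standing in for /etc/ssh/sshd_config.
TMP="$(mktemp -d)"
cat > "$TMP/stock" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$TMP/keys_only_root" <<'EOF'
PermitRootLogin without-password
PasswordAuthentication no
EOF
cat > "$TMP/hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF

for f in stock keys_only_root hardened; do
    if audit_sshd_config "$TMP/$f" >/dev/null; then echo "$f: locked down"; else echo "$f: needs changes"; fi
done
```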
References
ssh(1), sshd_config(5) man pages
Guided exercise
Outcomes:
Prohibit direct SSH login as root on serverX; prohibit users from using passwords to log in through SSH to serverX; public key authentication should still be allowed for regular users.
Before you begin...
Reset the desktopX and serverX systems.

Run lab ssh setup on both desktopX and serverX. This will create a user account called visitor with a password of password.
[student@serverX ~]$ lab ssh setup
1. Generate SSH keys on desktopX, copy the public key to the student account on serverX, and verify that the keys are working.
Now try logging into the machine, with: "ssh 'student@serverX'"
and check to make sure that only the key(s) you wanted were added.
[student@desktopX ~]$ ssh student@serverX
[student@serverX ~]$ su -
Password: redhat
[root@serverX ~]#
PermitRootLogin no

3.2. Restart the SSH service on the serverX machine.
[root@serverX ~]# systemctl restart sshd

Password: redhat
Permission denied, please try again.
Password: redhat
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
4. Configure SSH on serverX to prevent password authentication.
PasswordAuthentication no

4.2. Restart the SSH service.
[root@serverX ~]# systemctl restart sshd
4.3. Confirm that visitor cannot log in using a password, but student is permitted to log in using the SSH keys created earlier.
[student@desktopX ~]$ ssh student@serverX
[student@serverX ~]$
Lab: Configuring and Securing OpenSSH Service

Outcomes:
Students will set up SSH keys, configure and exclusively allow user key-based authentication, and lock down the OpenSSH service to prevent the root user from logging into the system by using SSH.
[student@desktopX ~]$ lab ssh setup
[student@serverX ~]$ lab ssh setup
Unless specified, all steps are to be performed as user visitor.
3. Verify that user root is not allowed to log in to serverX by using ssh, while user visitor is with the private key.
Solution

Outcomes:
Students will set up SSH keys, configure and exclusively allow user key-based authentication, and lock down the OpenSSH service to prevent the root user from logging into the system by using SSH.
[student@desktopX ~]$ lab ssh setup
[student@serverX ~]$ lab ssh setup
[visitor@desktopX ~]$ ssh-keygen

Now try logging into the machine, with: "ssh 'visitor@serverX'"
and check to make sure that only the key(s) you wanted were added.
2. Disable ssh login for the root user and password-based SSH authentication on serverX.

PermitRootLogin no
PasswordAuthentication no
2.3. Restart the sshd service on serverX.
[root@serverX ~]# systemctl restart sshd
3. Verify that user root is not allowed to log in to serverX by using ssh, while user visitor is with the private key.
3.1. On a different terminal window on desktopX, validate that user root cannot connect to serverX with the ssh command. It should fail because we disabled root logins with the ssh service.
[visitor@desktopX ~]$ ssh root@serverX
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
3.2. Try logging in as user student to serverX from desktopX by using ssh. It should fail because we did not add the public key from that user to the student account on the serverX machine.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
3.3. Verify the ssh service is still accepting key-based authentication by successfully connecting to serverX as user visitor with the ssh command.
[visitor@desktopX ~]$ ssh visitor@serverX
[visitor@serverX ~]$
Summary

Customizing SSH Service Configuration
The configuration of the OpenSSH service, sshd, can be changed by editing the file /etc/ssh/sshd_config and restarting the service with systemctl.