Lead Image © Fotoflash,Fotolia.com

Lead Image © Fotoflash,Fotolia.com

The top three SSH tricks

Security Skills

Article from ADMIN 40/2017
By
Add extra security to your SSH service, securely copy files to and from remote computers, and configure passwordless SSH for automation scripting.

Secure Shell (SSH) is more than a simple remote connectivity protocol. The SSH utility is one of the most versatile tools in your administrative toolbox. You can use SSH to copy files securely, and you can even build it into automation scripts.

Trick 1: Configuring a More Secure SSH

Although SSH is secure in a default installation, you can make some tweaks to provide an even more secure environment. The parameters to change are located in /etc/ssh/sshd_config. The first security change is to deny root user logins by finding the line

PermitRootLogin Yes

and changing the Yes to No.

If you have a limited number of users (fewer than 10), you can use the AllowUsers entry to limit which users can use SSH to connect to the server. Remember to include yourself on the user list, which is space delimited:

AllowUsers bob admin fred joe

If you have more than 10 users or if you choose to manage by groups, create an sshusers or similar group and add users as needed:

$ sudo groupadd --r sshusers
$ sudo usermod --a --G sshusers bob

In sshd_config, use the AllowGroups directive with your group name,

AllowGroups sshusers

and restart the SSH daemon:

$ sudo service ssh restart

For systemd servers, use either of the following commands:

$ sudo systemctl restart sshd
$ sudo systemctl restart ssh

A final change to enhance SSH security on your network is to allow SSH sessions to originate only from a single server, often known as a "jump" server. This change is outside of the SSHD configuration and only involves limiting the allowed IP address through iptables by entering the command

$ sudo iptables -A INPUT -p tcp -s [IP address of allowed server] --dport 22 -j ACCEPT

on the server to which you want to SSH.

Trick 2: Copying Files Securely

The SSH protocol also includes Secure Copy (SCP) and Secure FTP (SFTP), which let you copy files securely to and from remote computers. For example, the following command copies file.txt to a specific path on a remote system:

scp file.txt <user>@<remote_server>:/<path>/file.txt

A more specific example is shown in Listing 1.

Listing 1

SCP Example

scp file.txt bob@calypso:/opt/test/file.txt
bob@calypso's password:
file.txt                                       100%    0     0.0KB/s   00:00

To copy a file from a remote system, change the syntax slightly:

scp bob@calypso:/opt/test/file.txt .

The trailing dot means the copy is to the current directory on the local system.

SFTP works like FTP at the command line: You can transfer one file or many with the use of wild cards, and you can put and get files (Listing 2).

Listing 2

Secure FTP

# Initiate an SFTP session; the system will ask for user@remote_server's password
 $ sftp user@remote_server
# Send files to a remote server
sftp> put file.txt
sftp> put file.txt new.txt test.txt
sftp> mput *.txt
# Get files from a remote server
sftp> get file.txt
sftp> get file.txt new.txt test.txt
sftp> mget *.txt

Trick 3: Passwordless SSH Connections

Often, it is convenient to connect from one system to another without using a password, especially to initiate automated tasks. If you don't use a shared key setup, your scripts will have to contain passwords, which is a security risk. You might think that passwordless SSH is also a security risk, and it would be, except that you can control the systems to which a user account can connect, which increases security.

In the example here, the content of a local file is concatenated to a remote file. The file need not already exist on the remote system, but if it does, a redirect (>>) will append to the end of the remote file, rather than overwriting it.

To begin, you use SSH to connect to every host to which you want to configure passwordless SSH; then, SSH back to the original host from each system to accept the host fingerprint and to establish a local .ssh directory in your user's home directory on the remote system:

$ ssh-keygen --t rsa
$ cat .ssh/id_rsa.pub >>.ssh/authorized_keys
$ cat .ssh/authorized_keys | ssh remote_host 'cat >> .ssh/authorized_keys'

During this process, you need to enter your password for the remote host and then type exit to return to the original host. Now, when you enter ssh remote_host, no password is required.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • SSH on Windows

    For Linux admins, SSH is one the most important tools of remote administration. SSH also works in Windows, with tools such as PuTTY or WinSSH, MobaXterm, WinSCP, or Swish.

  • Sort out your SSH configs
    The scope and functionality of SSH and sFTP provides both secure remote access and secure file transfers.
  • Getting Data Into and Out of the Cluster

    A basic question when getting into HPC is how to get data into and out of the cluster from local Linux and Windows machines.

  • SSH tools for Windows
    For Linux admins, SSH is one the most important tools of remote administration. SSH also works in Windows, with tools such as PuTTY or WinSSH, MobaXterm, WinSCP, or Swish.
  • Automation Scripting with PHP

    PHP is a powerful scripting language that has built-in database connectivity, simple syntax, one of the world’s largest support groups, and respect in enterprise scripting circles. When you have a scripting problem, PHP is good for what ails you.

comments powered by Disqus