SSH – TecAdmin (https://tecadmin.net)
How to guide for System Administrators and Developers

How to Install and Secure OpenSSH Server on Pop!_OS
https://tecadmin.net/how-to-install-openssh-server-on-popos/
Published: Fri, 06 Jan 2023 18:26:24 +0000

OpenSSH is a popular open-source implementation of the Secure Shell (SSH) protocol, which is used to securely connect to and manage remote systems over a network. OpenSSH is included in many popular Linux distributions, including Pop!_OS, and it provides a wide range of tools and utilities for securely accessing and managing remote systems.

This tutorial will help you to install and secure the OpenSSH server on Pop!_OS Linux. In this tutorial, we will cover the following topics:

  1. Installing OpenSSH server on Pop!_OS
  2. Configuring the OpenSSH server
  3. Using the OpenSSH client to connect to a remote system
  4. Securing the OpenSSH server

Step 1: Installing OpenSSH Server on Pop!_OS

The OpenSSH server packages are available under the default system repositories. You first need to update the package manager cache by running the following command:

sudo apt update 

Next, install the OpenSSH server with the following command:

sudo apt install openssh-server 

Press ‘y’ when prompted for confirmation. This will install the OpenSSH server and all the necessary dependencies.


Once the installation is complete, the OpenSSH server will be automatically started and enabled to start on boot. You can check the service status by running the ‘systemctl status ssh’ command.


Step 2: Configuring the OpenSSH Server:

Once the OpenSSH server is installed, you can configure it by editing the main configuration file, which is located at “/etc/ssh/sshd_config”. This file contains a number of options that control the behavior of the OpenSSH server.

WARNING: Be careful while editing the configuration file on a remote system. Any wrong entry may stop the SSH service and you will be disconnected from the server.

Some of the most important options that you might want to configure include:

  • Port: This option specifies the port number that the OpenSSH server listens on. By default, the OpenSSH server listens on port 22, but you can change this to any unused port number if you want to.

    Port 22

  • PermitRootLogin: This option controls whether root login is allowed over SSH. By default, root login is disabled, but you can enable it by setting this option to “yes”.

    PermitRootLogin yes

  • PubkeyAuthentication: This option controls whether public key authentication is allowed. By default, public key authentication is enabled, but you can disable it by setting this option to “no”.

    PubkeyAuthentication yes

  • PasswordAuthentication: This option controls whether password authentication is allowed. By default, password authentication is enabled, but you can disable it by setting this option to “no”.

    PasswordAuthentication no

Once you have edited the OpenSSH server configuration file, you need to restart the OpenSSH server to apply the changes. You can do this by running the following command:

sudo systemctl restart ssh 

Step 3: Using the OpenSSH Client to Connect to a Remote System:

To connect to a remote system using OpenSSH, you will need to use the OpenSSH client, which is included in most Linux distributions. To connect to a remote system, you need to know the IP address or hostname of the system, as well as the username and password of a user account on the remote system.

To connect to a remote system, open a terminal and enter the following command:

# Syntax
ssh username@remote_system

Replace “username” with the username of the user account on the remote system, and “remote_system” with the IP address or hostname of the remote system. For example, to connect to a remote system with the IP address 192.168.1.100 as the user “user1”, you would enter the following command:

ssh user1@192.168.1.100 

If this is the first time you are connecting to the remote system, you will be prompted to confirm the authenticity of the host. Type “yes” to continue. You will then be prompted to enter the password for the user account on the remote system. Once you have entered the correct password, you will be logged in to the remote system.

Step 4: Securing the OpenSSH Server:

To secure the OpenSSH server, there are several steps you can take:

  • Use strong passwords: Make sure that all user accounts on the OpenSSH server have strong, unique passwords. Avoid using easy-to-guess passwords, and use a combination of letters, numbers, and special characters.
  • Use public key authentication: Instead of using passwords for authentication, consider using public key authentication. With public key authentication, you generate a public and private key pair, and the public key is copied to the remote system. When you connect to the remote system, you use the private key to authenticate, instead of a password. This is more secure than password authentication, as the private key is much harder to guess than a password.
  • Limit access to specific users: Instead of allowing any user to connect to the OpenSSH server, consider limiting access to specific users. You can do this by adding the names of the allowed users to the “AllowUsers” option in the OpenSSH server configuration file.
  • Limit access to specific IP addresses: If you only want to allow connections from specific IP addresses, you can use the “AllowUsers” and “DenyUsers” options to specify which users are allowed to connect from which IP addresses.
  • Use a firewall: Use a firewall to block access to the OpenSSH server from unwanted IP addresses. You can use the FirewallD service on Pop!_OS to set up a firewall and allow connections only from specific IP addresses.
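
The options from Step 2 and the recommendations above can be checked mechanically. The following is an added example, not part of the original article: a POSIX shell audit that resolves the global value of each keyword the way sshd does (the first occurrence wins, and scanning stops at the first Match line) and flags settings that contradict the list above. The sample configuration, the function names and the fallback to upstream OpenSSH defaults are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file.

# Write a constructed sample configuration (not taken from a real host).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample for the audit below
Port 22
PermitRootLogin yes
PasswordAuthentication no
# a later duplicate is ignored because sshd keeps the first value it reads
PasswordAuthentication yes
PubkeyAuthentication yes

Match User backup
    PasswordAuthentication yes
EOF
}

# Print the global value of keyword $2 in file $1 (empty if it is not set).
# Keywords are case-insensitive, the first occurrence wins, and lines after
# the first "Match" are conditional, so the scan stops there. Include
# directives are not followed.
sshd_global_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want) {
                sub(/^[^ \t=]+[ \t=]+/, "", line)
                print line
                exit
            }
        }' "$1"
}

# Print one line per setting that contradicts the hardening steps above and
# return 0 only when nothing is flagged. Absent keywords fall back to the
# upstream OpenSSH defaults (assumption: no distribution drop-in changes them).
audit_sshd_config() {
    a_root=$(sshd_global_value "$1" PermitRootLogin)
    a_pass=$(sshd_global_value "$1" PasswordAuthentication)
    a_pubk=$(sshd_global_value "$1" PubkeyAuthentication)
    a_allow=$(sshd_global_value "$1" AllowUsers)
    a_found=0
    if [ "${a_root:-prohibit-password}" = yes ]; then
        echo "PermitRootLogin yes: root can log in directly"
        a_found=1
    fi
    if [ "${a_pass:-yes}" != no ]; then
        echo "PasswordAuthentication is not 'no': passwords can be guessed remotely"
        a_found=1
    fi
    if [ "${a_pubk:-yes}" = no ]; then
        echo "PubkeyAuthentication no: key-based login is unavailable"
        a_found=1
    fi
    if [ -z "$a_allow" ]; then
        echo "AllowUsers not set: every account with a valid credential may log in"
        a_found=1
    fi
    [ "$a_found" -eq 0 ]
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample" || echo "review the findings above before restarting ssh"
rm -f "$sample"
```

On a live server, `sudo sshd -T` prints the configuration sshd actually resolved, including any files pulled in by Include.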

Conclusion

In summary, OpenSSH is a powerful and flexible tool for securely accessing and managing remote systems. By following the steps outlined in this article, you can install and configure the OpenSSH server on Pop!_OS, use the OpenSSH client to connect to a remote system, and secure the OpenSSH server to protect against unauthorized access.

(Resolved) SSH Connection Refused on Ubuntu & Debian
https://tecadmin.net/resolved-port-22-connection-refused-on-ubuntu-debian/
Published: Fri, 26 Aug 2022 13:23:18 +0000

The “Connection Refused” error means that the computer is not accepting connection requests to the requested IP address and port. Connection requests may be blocked by a firewall, which is why “Connection refused” is displayed.

When a computer receives a connection request for an IP address and port, but the firewall blocks the connection, the “Connection Refused” error message appears. In some cases, the error also appears because no service is listening on the requested port.

The Problem:

Today, I installed a new Ubuntu system on my LAN network. I faced an error “Port 22: Connection refused” during the SSH connection to this system. After a bit of troubleshooting, I found that there is no SSH server running on the newly installed system.

I got the error message below:

[Screenshot: “Port 22: Connection refused” error]

How to Resolve “Port 22: Connection refused” Error

These are the 4 most common reasons behind this error. One or more of the reasons listed below can cause this issue.

  1. SSH Server is not installed
  2. SSH service is not active
  3. SSH service is running on a different port
  4. SSH port is blocked by the firewall

Let’s discuss all the possible solutions one by one.

1. SSH Server is not installed

OpenSSH provides the SSH service on Debian-based systems. Some newly installed systems may not have an SSH daemon. Most likely, when you install a new Desktop system, the OpenSSH packages are not included by default.

You can run the following commands to install the ssh service on your system.

sudo apt update && sudo apt install openssh-server

Once the installation is finished, you can connect to your system on port 22. If you are still facing issues, check for other reasons defined below.

2. Check SSH Service is Active and Running

Generally, the SSH service is started automatically after the installation, but the service might be stopped for some reason. To check the current status of the SSH service, execute:

sudo systemctl status ssh 

If the SSH service is not running or not active, use the commands below to enable the service on system startup and start it.

sudo systemctl enable ssh 
sudo systemctl start ssh 

Once the service is started successfully, you can connect to your system over SSH. If you still face the same error, check the next possible issue.

3. SSH service is running on a different port

The SSH service might be listening on a different port. That is also a best practice for securing servers. You can find out the SSH server port by running the following command.

ss -tulpn | grep ssh 
[Screenshot: Check SSH port]

The above screenshot shows that the SSH service is listening on port 2222. You should connect to the remote system with SSH on that port. You can specify the port number for an SSH connection as in the command below.

ssh -p 2222 root@192.168.1.210 

Hopefully this resolves your issue. If you are still facing the same issue, check the suggestion below.

4. SSH port is blocked by the firewall

This is the most common cause: the firewall is blocking the requests.

Now, you need to identify which firewall you are using. If the remote system is on cloud hosting, check the security group of that hosting.

On systems with physical access, you can check whether UFW or Firewalld is active.

  • Using UFW
  • Check the status of the UFW firewall with the below command:

    sudo ufw status 
    

    If the firewall is in an active state, you can open Port 22 with the below-mentioned command.

    sudo ufw allow 22/tcp 
    
  • Using FirewallD
  • Check if the firewalld daemon is active and running:

    sudo systemctl status firewalld 
    

    If the output shows Active: active (running), then you can open the SSH port by running the following command.

    sudo firewall-cmd --permanent --zone=public --add-port=22/tcp
    

    Then reload the firewall to apply changes.

    sudo firewall-cmd --reload  
    

Conclusion

In this blog post, we have discussed four possible causes of the error “Port 22: Connection refused” and provided a solution for each. Hope this tutorial helps to resolve your issue.

If you found any other reason for this issue, please mention it in the comment.

How to Create SFTP User in Ubuntu 22.04 (No Shell Access)
https://tecadmin.net/how-to-create-sftp-only-user-in-ubuntu-22-04/
Published: Tue, 14 Jun 2022 14:21:32 +0000

SFTP is a protocol that allows for the secure transfer of files over a network. It is often used by businesses and individuals to transfer sensitive data. SFTP is similar to FTP but uses a different protocol for communication. SFTP is more secure than FTP and is often used in conjunction with SSH (Secure Shell) to provide an even higher level of security.

In this tutorial, we will help you to set up an SFTP server and create an SFTP-only user on Ubuntu 22.04 systems. That account can connect over SFTP but is not able to connect over SSH. Also, this will restrict (chroot) the SFTP user to a specific directory only.

Prerequisites

  • A running Ubuntu 22.04 LTS system with shell access
  • Requires a sudo privileged account

Step 1 – Installing OpenSSH Server

Ubuntu servers already have the OpenSSH server installed, but desktop systems may not have it. Use the following command to install and run the OpenSSH server:

sudo apt update && sudo apt install openssh-server 

Step 2 – Create SFTP User

First of all, create a new account on your system to use as the SFTP user.

The following command will create a new account named sftpuser with no shell access. You can use a username of your choice.

sudo adduser --shell /bin/false sftpuser 

Step 3 – Configure SFTP Directory

Now, create the directory structure to be accessible by the sftp user.

sudo mkdir -p /var/sftp/files 

Here we will allow users to access the “files” directory only.

Now, change the ownership of the files directory to sftpuser, so that sftpuser can read and write in this directory only.

sudo chown sftpuser:sftpuser /var/sftp/files 

And set the owner and group owner of /var/sftp to root. The root user has read/write access on this directory. Group members and other accounts have only read and execute permissions.

sudo chown root:root /var/sftp 
sudo chmod 755 /var/sftp 

Step 4 – Update SSH Configuration File

Now edit the SSH configuration file in a text editor:

sudo vim /etc/ssh/sshd_config 

and add the following settings at the end of the file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Make sure to add the configuration after the Subsystem line, as shown in the screenshot below:

[Screenshot: SFTP only configuration on Ubuntu]

Save the configuration file and close it.

Now validate the configuration file.

sudo sshd -t 

If the validation is successful, no output will be displayed. If any error shows in the output, make sure to fix it before running the next commands.

Restart the SSH service to apply changes.

sudo systemctl restart ssh 

All done. SFTP-only user is successfully created on your Ubuntu system. Now try logging into the remote system with the new user’s credentials, and check if everything is working correctly.

Step 5 – Connect to SFTP User

One can connect to a remote SFTP server using a command line or graphical applications like Filezilla or WinSCP. In this tutorial, I will show you both ways to connect to the SFTP-only account on the Ubuntu system.

Linux users can use the sftp command-line utility to connect to a remote sftp instance.

sftp sftpuser@192.168.1.210 

sftpuser@192.168.10.100's password:
sftp>

You can also connect to a remote SFTP server using graphical interface applications like FileZilla, which is available for both Linux and Windows users. Open the Filezilla application and enter the SFTP details:

  • Host: sftp://system-ip-host
  • Username: Use SFTP user created in step 1.
  • Password: Use SFTP user password created in step 1.
  • Port: Use SSH server port or keep empty for default port.

Click the Quickconnect button:

[Screenshot: Connect SFTP to Ubuntu 22.04 with Filezilla]

Verify no shell access:

This account is configured for SFTP-only connections, so any user who tries to connect via SSH will be disconnected immediately after successful authentication. The user will get the below message:

ssh sftpuser@192.168.1.210  

sftpuser@sftp.tecadmin.net's password:
This service allows sftp connections only.
Connection to sftp.tecadmin.net closed.

Conclusion

In conclusion, setting up an SFTP server is a great way to securely transfer files between computers. By following the steps in this article, you can set up your own SFTP server in no time on Ubuntu systems. If you have any questions, feel free to leave a comment below and we’ll be happy to help.

(Resolved) userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms
https://tecadmin.net/userauth_pubkey-key-type-ssh-rsa-not-in-pubkeyacceptedalgorithms/
Published: Mon, 02 May 2022 12:14:02 +0000

The Problem:

Today, I launched a new AWS instance with Ubuntu 22.04. The default key provided by AWS is working fine with SSH. But when I attached my personal ssh key to the server and tried to access with FileZilla over SFTP, I got the following error in auth.log.

May 10 11:52:58 localhost sshd[57650]: Disconnected from authenticating user ubuntu 203.190.146.202 port 46565 [preauth]
May 10 11:52:59 localhost sshd[57652]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 10 11:53:00 localhost sshd[57652]: message repeated 3 times: [ userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]]
May 10 11:53:00 localhost sshd[57652]: error: Received disconnect from 203.190.146.202 port 50045:14: No supported authentication methods available [preauth]

The Solution:

First, I confirmed that key-based authentication is working, as I was able to log in with the ssh key provided by the AWS console. After that, I created a new key with type ecdsa.

Open a terminal and generate a new key-pair:

ssh-keygen -t ecdsa 

Once the key is generated, add the public key to the remote server’s ~/.ssh/authorized_keys file.

Now, I can successfully connect to the remote server with FileZilla over SFTP.
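
To find which clients are still offering keys the server rejects, the log lines above can be summarised per client. This is an added example, not part of the original post: it counts userauth_pubkey rejections per sshd process, expands syslog's “message repeated N times” lines, and joins each process to the client address logged under the same PID. The sample log uses constructed documentation addresses and the function names are assumptions.

```sh
#!/bin/sh
# Added example: summarise rejected public key types per client from auth.log.

# Constructed sample in the format of the log lines shown above.
write_sample_log() {
    cat > "$1" <<'EOF'
May 10 11:52:58 host sshd[57650]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 10 11:52:58 host sshd[57650]: Disconnected from authenticating user ubuntu 198.51.100.23 port 46565 [preauth]
May 10 11:52:59 host sshd[57652]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
May 10 11:53:00 host sshd[57652]: message repeated 3 times: [ userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]]
May 10 11:53:00 host sshd[57652]: error: Received disconnect from 203.0.113.7 port 50045:14: No supported authentication methods available [preauth]
May 10 11:55:12 host sshd[57660]: Accepted publickey for ubuntu from 203.0.113.7 port 50102 ssh2: ECDSA SHA256:constructed
EOF
}

# Print "count client key-type" lines, highest count first.
# The rejection line carries no address, so the client is taken from any
# other line written by the same sshd PID. PIDs can be reused over a long
# period, so run this on one rotation of the log at a time.
rejected_key_offers() {
    awk '
    {
        if (!match($0, /sshd\[[0-9]+\]/)) next
        pid = substr($0, RSTART + 5, RLENGTH - 6)

        # "<address> port <n>" appears in connect and disconnect messages
        if (match($0, / [^ ]+ port [0-9]+/)) {
            ip = substr($0, RSTART + 1, RLENGTH - 1)
            sub(/ port .*/, "", ip)
            client[pid] = ip
        }

        if (match($0, /key type [^ ]+ not in PubkeyAcceptedAlgorithms/)) {
            type = substr($0, RSTART + 9, RLENGTH - 9)
            sub(/ .*/, "", type)
            n = 1
            # syslog collapses identical lines into one "repeated" line
            if (match($0, /message repeated [0-9]+ times/)) {
                rep = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", rep)
                n = rep + 0
            }
            hits[pid SUBSEP type] += n
        }
    }
    END {
        for (k in hits) {
            split(k, part, SUBSEP)
            ip = (part[1] in client) ? client[part[1]] : "unknown"
            total[ip " " part[2]] += hits[k]
        }
        for (k in total) print total[k], k
    }' "$1" | sort -rn
}

log=$(mktemp)
write_sample_log "$log"
rejected_key_offers "$log"
rm -f "$log"
```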

Adding a New SSH Key to Your GitHub Account
https://tecadmin.net/adding-a-new-ssh-key-in-github/
Published: Mon, 28 Mar 2022 12:07:22 +0000

GitHub is a popular platform for hosting Git repositories, and it supports accessing repositories over SSH (Secure Shell). In order to access a GitHub repository over SSH, you will need to generate an SSH key pair and add the public key to your GitHub account.

Here are the steps for adding a new SSH key to your GitHub account:

Prerequisites

Before you can add an SSH key to your GitHub account, you will need to do the following:

  • Generate an SSH key pair. This consists of a private key and a public key. The private key is kept on your local machine, and the public key is uploaded to your GitHub account.
  • Install Git on your local machine. You will need Git installed in order to use the ssh-keygen command to generate the SSH key pair.

The next step will help you to generate an SSH key pair on your system.

Generating an SSH Key Pair

To generate an SSH key pair, follow these steps:

  1. Open a terminal window (Git Bash on Windows, or any terminal emulator on macOS or Linux).
  2. Run the following command to generate an SSH key pair:
    ssh-keygen -t rsa -b 4096 
    
    Output:
    rahul@tecadmin:~$ ssh-keygen -t rsa -b 4096
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/rahul/.ssh/id_rsa): [PRESS ENTER]
    Enter passphrase (empty for no passphrase): [PRESS ENTER]
    Enter same passphrase again: [PRESS ENTER]
    Your identification has been saved in /home/rahul/.ssh/id_rsa
    Your public key has been saved in /home/rahul/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:r/ohd9s7kHb2SygRRpdvAiO6x7cEdO9yDAZkpQnvQXs rahul@tecadmin
    The key's randomart image is:
    +---[RSA 4096]----+
    | ..+.o .. |
    | =+=+.. |
    | o*+E+ . |
    | ...+o.o o |
    | oSo.= o |
    | . o.B.*. |
    | ..o++B... |
    | o +.+... |
    | .oo . oo.. |
    +----[SHA256]-----+

This will generate a new SSH key pair using the RSA algorithm with a key length of 4096 bits.

  • When prompted, enter a file name for the private key. This is the file where the private key will be stored. You can use the default file name (id_rsa) or choose a different name.
  • When prompted, enter a passphrase for the private key. This is an optional security measure that adds an additional layer of protection to your private key. If you do not want to use a passphrase, just press Enter.
  • The ssh-keygen command will generate the SSH key pair and store the private key in the file that you specified. The public key will be stored in a file with the same name, but with a .pub extension.

For example, if you specified the file name “id_rsa”, the private key will be stored in “id_rsa” and the public key will be stored in “id_rsa.pub”.

Adding the Public Key to Your GitHub Account

Now that you have generated an SSH key pair, you can add the public key to your GitHub account as follows:

  1. Go to your GitHub account settings.

  2. Select the “SSH and GPG keys” tab.

  3. Click the “New SSH key” button.

  4. In the “Title” field, enter a name for the key. This can be any name that helps you identify the key.
  5. In the “Key” field, paste the contents of the public key file (e.g., id_rsa.pub).

    You can use the cat command to view the contents of the file, or you can open it in a text editor.

    cat id_rsa.pub 
    
  6. Click the “Add SSH key” button to save the key.

That’s it! You should now see the new SSH key listed in your GitHub account settings. You can use this key to access GitHub repositories over SSH.

I hope this helps! Let me know if you have any questions or need further clarification on any of the steps.

How to Create SFTP Only User in Debian 11
https://tecadmin.net/how-to-create-sftp-only-user-in-debian-11/
Published: Sun, 26 Sep 2021 06:44:55 +0000

SFTP (SSH File Transfer Protocol) is a secure file protocol used to access, manage, and transfer files over an encrypted SSH transport session. Security first is a rule of thumb for system administrators. In some cases, we need to allow remote users to access the filesystem on our system without allowing them to get a shell. SFTP-only access gives you a secure channel to provide limited access to specific files and directories.

This tutorial will help you to set up SFTP-only access (without shell access) on a Debian 11 system. It will create a chroot environment on your system to limit the SFTP user to a specific directory only. Also, it will allow SFTP-only access without SSH access to the user.

Prerequisites

  • A running Debian 11 Bullseye Linux system
  • You must have a sudo privileged account with shell access

Step 1 – Create a New User

First of all, create a new user to connect with the sftp server. The following command will create a new account named sftpuser with no shell access. You can use any name of your choice or requirement.

sudo adduser --shell /bin/false sftpuser 

Step 2 – Create a Directory for SFTP Access

You have created a user for sftp. Now, create a directory to configure as the chroot for sftp. For this example, I will create a /var/sftp directory. The directory must have root ownership to be configured as a chroot directory, so we will create a subdirectory under /var/sftp with write access for the sftp account.

Create the directory structure with the following command:

sudo mkdir -p /var/sftp/files 

Next, we have to set proper permissions on the directories to configure chroot access with write access for the user. Here /var/sftp must have root as owner and group, with proper permissions. To set those permissions, type:

sudo chown root:root /var/sftp 
sudo chmod 755 /var/sftp 

Now, change the permissions for the "files" directory to allow write access to sftpuser. To set those permissions, type:

sudo chown sftpuser:sftpuser /var/sftp/files 

Once sftpuser connects to the server, the user will get /var/sftp as the root directory and can’t access the filesystem outside it. Also, the user can read/write files under the “files” directory only.
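
Both SFTP tutorials in this feed (Step 3 of the Ubuntu 22.04 article and Step 2 here) depend on the same rule: sshd refuses a ChrootDirectory unless every component of the path is a root-owned directory that is not writable by group or others. The following is an added example, not from the original articles, that checks a path against that rule using GNU stat; the function name is an assumption.

```sh
#!/bin/sh
# Added example: judge a ChrootDirectory path the way sshd will.
# Uses GNU stat (coreutils), as shipped on Ubuntu and Debian.

# Walk from the given directory up to / and test every component.
# Returns 0 if all pass, 1 if any component fails, 2 on a usage or stat error.
check_chroot_path() {
    c_dir=$1
    c_rc=0
    case $c_dir in
        /*) ;;
        *) echo "not an absolute path: $c_dir"; return 2 ;;
    esac
    while :; do
        # %u = numeric owner, %a = octal mode, %F = file type; -L follows symlinks
        if ! c_meta=$(stat -L -c '%u %a %F' "$c_dir" 2>/dev/null); then
            echo "cannot stat $c_dir"
            return 2
        fi
        c_uid=${c_meta%% *}
        c_rest=${c_meta#* }
        c_mode=${c_rest%% *}
        c_type=${c_rest#* }

        if [ "$c_type" != directory ]; then
            echo "$c_dir: is a $c_type, not a directory"
            c_rc=1
        fi
        if [ "$c_uid" -ne 0 ]; then
            echo "$c_dir: owned by uid $c_uid, must be owned by root"
            c_rc=1
        fi
        # 022 masks the group-write and other-write permission bits
        if [ $(( 0$c_mode & 022 )) -ne 0 ]; then
            echo "$c_dir: mode $c_mode is writable by group or others"
            c_rc=1
        fi

        if [ "$c_dir" = / ]; then
            break
        fi
        c_dir=$(dirname "$c_dir")
    done
    return "$c_rc"
}

# Check the path given on the command line, for example: sh check.sh /var/sftp
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: acceptable as ChrootDirectory"
fi
```

Pointing ChrootDirectory at the user-owned /var/sftp/files directory instead of /var/sftp is the usual way to trip this check, which is why the writable directory sits one level below the chroot.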

Step 3 – Configure sshd for SFTP Only

Next, you need to configure the SSH server to allow “sftpuser” to connect to the server with SFTP only, without shell access. To make the necessary changes, edit the SSH configuration file.

sudo nano /etc/ssh/sshd_config 

and add the following settings at the end of the file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Double-check that all the settings are correct. Then save the changes and restart the SSH service to apply changes.

sudo systemctl restart ssh 

All done. The SFTP-only user is successfully created on your Debian system. Now try logging into the remote system with the new user’s credentials, and check if everything is working correctly.

Step 4 – Connect to SFTP

One can connect to a remote SFTP server using a command line or graphical applications like Filezilla or WinSCP. In this tutorial, I will show you both ways to connect to the SFTP server.

Linux users can use the sftp command-line utility to connect to remote sftp instances.

sftp sftpuser@sftp.tecadmin.net 

sftpuser@sftp.tecadmin.net's password:
sftp>

Windows users, or users who prefer a GUI, can use graphical SFTP clients. For example, use the Filezilla client to connect to the SFTP-only account on the remote system.


Verify no shell access:

This account is configured for SFTP-only connections, so any user who tries to connect via SSH will be disconnected immediately after successful authentication. The user will get the below message:

ssh sftpuser@sftp.tecadmin.net 

sftpuser@sftp.tecadmin.net's password:
This service allows sftp connections only.
Connection to sftp.tecadmin.net closed.

Conclusion

In this how-to guide, you have learned to create a chroot jail environment for SFTP users without shell access to the server. The chroot environment secures the filesystem by preventing users from accessing files outside of the defined directory. This tutorial was created and tested on a Debian 11 Bullseye system, but it will work on other Debian versions.

How to Disable Strict Host Key Checking in SSH
https://tecadmin.net/disable-strict-host-key-checking-in-ssh/
Published: Mon, 20 Sep 2021 02:02:02 +0000

SSH has strict host key checking enabled by default. When key checking is enabled, the SSH client connects only to hosts whose valid host keys are stored in the known hosts file. You can find the file at ~/.ssh/known_hosts.

The first time you connect to a remote host via SSH, the SSH client checks for the host key in the known_hosts file. If the key is found, you will be connected to the remote server after authentication, but if the key is not found in the known_hosts file, the command will show a warning message and a prompt to accept or reject the connection request. Once you accept by typing “yes”, the key is added to the known_hosts file.

Here is an example of the command:

ssh ubuntu@remote-host 
Output
The authenticity of host 'remote-host (123.45.67.89)' can't be established.
RSA key fingerprint is 9f:48:89:f5:68:2f:cd:b3:19:95:40:43:98:09:0a:1a.
Are you sure you want to continue connecting (yes/no)?

But in some situations, like shell scripts, we need to disable the strict host check. Continue to read this article to understand the way to disable strict host check in the SSH clients on Linux systems.

Disable with SSH Command

You can pass StrictHostKeyChecking=no as a command-line option to the ssh command to skip the host key checking.

ssh -o StrictHostKeyChecking=no user@remote-host 

Using Config File

You can also disable host key checking in the configuration file. Create a ~/.ssh/config file and disable strict host key checking by adding the following content.

vi ~/.ssh/config

Host *
    StrictHostKeyChecking no

This will disable host key checking for all hosts you connect to. Rather than disabling the host key check for all hosts with Host “*”, it would be safer to specify a particular host.

Host 192.168.1.10
    StrictHostKeyChecking no

Also, set the proper permissions on the file to make it read-only for the user.

sudo chmod 400 ~/.ssh/config 

That’s it. You have successfully disabled the strict host key checking in SSH.
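To see how far a StrictHostKeyChecking no setting reaches, the following added example (not code from the original article) scans an ssh client config and reports every block that disables the check, marking wildcard blocks such as Host * as HIGH and explicitly named hosts as WARN. The sample config and the function names are constructed for illustration.

```bash
# Added example (not from the article): list every block of an ssh client
# config that turns host key checking off, and how wide that block reaches.

# Constructed sample input: the two variants from the article plus two more blocks.
sample_ssh_config() {
    cat <<'EOF'
Host 192.168.1.10
    StrictHostKeyChecking no

Host build-*
    StrictHostKeyChecking=off

Host bastion
    StrictHostKeyChecking yes

Host *
    StrictHostKeyChecking no
EOF
}

# Usage: audit_strict_hostkey < ~/.ssh/config
# Prints "HIGH <patterns>" when checking is disabled under a wildcard pattern
# and "WARN <patterns>" when it is disabled for explicitly named hosts only.
audit_strict_hostkey() {
    awk '
        BEGIN { scope = "*" }   # options before the first Host line apply to every host
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            # "keyword value" and "keyword=value" are both valid in ssh_config
            key = line; sub(/[ \t=].*$/, "", key); key = tolower(key)
            val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            if (key == "host")  { scope = val; next }
            if (key == "match") { scope = "Match " val; next }
            if (key != "stricthostkeychecking") next
            val = tolower(val)
            if (val != "no" && val != "off") next      # "off" is a synonym for "no"
            wide = (scope ~ /[*?]/ || tolower(scope) == "match all")
            sev = wide ? "HIGH" : "WARN"
            print sev, scope
        }
    '
}

sample_ssh_config | audit_strict_hostkey
```

The audit lists every occurrence; because ssh keeps the first value it obtains for a keyword, an earlier block can still override a later one for a given host.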

Conclusion

In this tutorial, you have learned how to disable strict host key checking when connecting to a remote host over SSH.

How To Set Up SSH Keys in Linux https://tecadmin.net/how-to-set-up-ssh-keys-in-linux/ Wed, 01 Sep 2021 02:14:20 +0000

SSH, or Secure Shell, is a protocol used to enable communication between two computers and share data. It provides password-based or password-less authentication and encrypts communication between two hosts. When working with CentOS servers, most of the time is spent in a terminal linked to your server via SSH.

In this guide, we’ll be focusing on setting up SSH key-based authentication for a CentOS 8 server. SSH keys offer a straightforward, steady technique of communicating with remote servers and are encouraged for all users.

Creating SSH Keys in Linux

To generate a new 2048-bit RSA key pair, open up the terminal and execute the below-given command:

ssh-keygen 

After pressing Enter, you will see the following output:

[Image: Create SSH Keys 1]

If you press Enter, by default, it will save the key pair in the .ssh subdirectory of your home folder. You can also provide an alternate path where you want to save the key pair, but it is recommended to use the default directory:

[Image: Create SSH Keys 2]

If you have created a key pair before on your client machine, you will be prompted to overwrite it. It’s totally up to you to choose yes or no, but be careful before choosing the ‘y’ option. If you choose the ‘y’ option, you will not be able to use the previous key pair to log in to the server.

[Image: Create SSH Keys 3]

Now you will be asked to provide a passphrase to add an extra layer of security that prevents unauthorized users from accessing the server. Just press Enter if you do not want to provide any passphrase:

[Image: Create SSH Keys 4]

After providing the passphrase, you will see the following output:

[Image: Successfully Created SSH Keys]

Now you have successfully generated an SSH key pair. To verify this, run the below-given command:

ls -l ~/.ssh/id_*.pub 

[Image: List available SSH Keys]

The command given above will output the path to the public key file of the SSH key pair. If it outputs an error like “No such file or directory found”, the key pair was not successfully created and you will have to repeat the process.

Adding the SSH Key to Remote System

Once you have created the key pair, you need to add the SSH key to the CentOS server. The fastest way is to use the ssh-copy-id command. In some cases, you might not have ssh-copy-id available on your local machine. In this case, you can use an alternate method to add the SSH key to the CentOS server.

Adding SSH Key via ssh-copy-id Command

Your local machine will most probably have the ssh-copy-id method by default. This method will only work in case you have password-based SSH access to the server:

ssh-copy-id username@server_host

For my server I will use:

ssh-copy-id Rahul@192.168.18.76 

[Image: ssh_copy_id command example]

The IP address is your system’s IP. Type yes and press Enter, and you will be prompted to enter the remote user’s password:

[Image: Input password for ssh_copy_id]

Once the user completes all steps, the public key will be copied to the server:

[Image: Successfully copied public key to remote host]

Adding the SSH Key Without ssh-copy-id

In case your local machine doesn’t have the ssh-copy-id method installed, which is highly unlikely, then you will have to run this command to add the ssh keys to the server.

For my local server I will use:

cat ~/.ssh/id_rsa.pub | ssh Rahul@192.168.18.76 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" 

[Image: Copy SSH key to Remote]

How to Login to the Server using SSH keys

Now that you have successfully added the key to the server, you should be able to log in to the server without the user’s password:

ssh username@server_ip_address

For my server I will use the following command:

ssh Rahul@192.168.18.76 

[Image: SSH to remote with Key]

If you didn’t set a passphrase, you can log in without being prompted for anything. It is the fastest way to log in to the server; otherwise you have to enter the passphrase first.

How to Disable SSH Password Authentication

You can add an extra security layer by disabling password authentication for SSH. Before beginning the process, ensure that you are able to access your server without the password as a root user or as a non-root user with sudo privileges.

To disable SSH password authentication, first log in to the server:

ssh Rahul@192.168.18.76 

Now we will open and modify the SSH configuration file located at /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config 

After opening the configuration file make the following changes:

PasswordAuthentication no

If the above-given line is commented out, uncomment it by removing the # sign and set its value to no.

After modifying the SSH configuration file, save and close it by pressing Ctrl + X, then restart the SSH service using the following command:

sudo systemctl restart sshd 

After completing all these steps, password-based authentication is disabled.
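sshd uses the first value it obtains for each keyword, so a PasswordAuthentication no line placed below an earlier PasswordAuthentication yes has no effect, and a Match block can turn passwords back on for some users. The following added example (not part of the original article; the sample config and function names are constructed) reports what a given config text resolves to.

```bash
# Added example (not from the article): report the value sshd would use for a
# keyword, given config text on stdin in the order sshd reads it.

# Constructed sample: an earlier "yes" shadows the "no" added later, and a
# Match block turns passwords back on for one user.
sample_sshd_config() {
    cat <<'EOF'
# settings pulled in ahead of the main section
PasswordAuthentication yes
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage: sshd_effective KEYWORD < /etc/ssh/sshd_config
# Output: "global <value>" for the first uncommented occurrence outside any
# Match block ("<unset>" means the built-in default applies, which is yes for
# PasswordAuthentication), then one "match [<criteria>] <value>" line for
# every override inside a Match block.
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # commented-out lines have no effect
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            key = line; sub(/[ \t=].*$/, "", key); key = tolower(key)
            val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            if (key == "match") { in_match = 1; criteria = val; next }
            if (key != want) next
            if (in_match) overrides = overrides "match [" criteria "] " tolower(val) "\n"
            else if (!seen) { seen = 1; global = tolower(val) }   # first value wins
        }
        END {
            print "global", (seen ? global : "<unset>")
            printf "%s", overrides
        }
    '
}

sample_sshd_config | sshd_effective PasswordAuthentication
```

On the server itself, sudo sshd -T prints the settings sshd actually applies, including values from included files.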

Conclusion

SSH is a secure network protocol that is used for communication between a remote server and a client; it is more secure than FTP for file transfers between a client and a server. In this article, we learned to generate SSH key pairs and set up SSH key-based authentication for CentOS 8 based servers. We also learned to disable SSH password authentication.

How To Set Up SSH Tunneling https://tecadmin.net/ssh-tunneling/ Mon, 02 Aug 2021 09:10:14 +0000

If you are connecting to a Linux device on a different network, you would have to expose it to the public internet, and that may put your system and files at risk. Therefore, SSH tunneling is used to transmit data in a fast and secure manner from the source to the client machine and vice versa.

SSH tunneling is the practice of creating a secure, encrypted SSH connection between a server machine and a client machine through which data can be transferred and services can be relayed. In today’s article, we will see how to set up SSH tunneling and route your traffic securely via SSH tunnels.

What is SSH Tunneling?

SSH Tunneling is the way of transmitting unencrypted traffic or data through an encrypted channel. Simply, you can say that it is a tunnel to transfer data from one place to another in a secure way. Apart from the file transmission, SSH Tunneling can also be used to access intranet services across firewalls and to implement VPN.

SSH Tunneling is also known as SSH Forwarding, and it is an easy and effective way of transporting data that uses an unencrypted protocol (FTP), bypassing firewalls and accessing geographically restricted content.

SSH port forwarding is of three types:

  1. Local Port forwarding
  2. Remote Port Forwarding
  3. Dynamic Port forwarding

Local Forwarding

Local forwarding is the practice of forwarding a port from the client machine (local SSH client) to the remote machine (SSH server), after which the connection is forwarded to another port on the destination machine.

The SSH client listens for connections on a given port, and when it receives a connection request, it tunnels the connection to a specific port on the remote SSH server. The server then connects to the destination machine on the configured port.

It is mainly used to connect to a remote service on an internal network from the outside like a database. It is also used for remote file share over the internet and through jump servers.

How to set up local port forwarding?

Let’s take an example where a firewall prevents you from accessing an application running on a remote server on port 3000. We will forward a local port (i.e. 8080) to access the application locally.

The -L option is used to configure local port forwarding:

ssh tecadmin@server.example.com -L 8080:server1.example.com:3000 

Or

ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER

  • [LOCAL_IP:]LOCAL_PORT – The IP address and port number of the local machine. Any port number greater than 1024 can be used.
  • DESTINATION:DESTINATION_PORT – The IP address or hostname and the port of the destination machine.
  • [USER@]SSH_SERVER – The username of the remote SSH user and the server IP address.

The -f option instructs ssh to run in the background:

ssh -f -N admin@server.example.com -L 8080:server1.example.com:3000

The -N option instructs ssh not to execute a remote command (you will not get a shell in this case):

ssh -N tecadmin@server.example.com -L 8080:server1.example.com:3000

Now, open a browser on your local machine and you can simply use localhost:8080 to access the remote application instead of accessing it at server1.example.com:3000.

Remote Forwarding

Remote port forwarding is the opposite of local port forwarding and enables you to connect to the local computer from your remote machine. SSH does not support remote port forwarding by default, so you need to enable it in the SSH server configuration file.

Open the configuration file for editing:

sudo vim /etc/ssh/sshd_config

Search for GatewayPorts and set it to yes.

GatewayPorts yes

Save the changes, exit the editor, and restart the SSH service.

sudo systemctl restart sshd

You have now enabled remote port forwarding. In OpenSSH, we use the -R option to set up remote port forwarding.

ssh -R [REMOTE:]REMOTE_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER

  • [REMOTE:]REMOTE_PORT – The IP address and the port number of the remote SSH server.
  • DESTINATION:DESTINATION_PORT – The IP address or hostname and the port of the destination machine.
  • [USER@]SSH_SERVER – The remote SSH username and IP address.

For example:

ssh -R 8080:127.0.0.1:3000 -N -f user@remote.host 

The SSH server will listen on port 8080 and will tunnel all traffic from port 8080 to port 3000 on your local machine.

Or, you can use the following command to forward port 5000 on the remote machine to port 3000 on the local machine.

ssh -f -N tecadmin@server1.example.com -R 5000:localhost:3000 

Remote port forwarding is mainly used to give access to someone from the outside to an internal service.
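Where a forward listens decides who can reach it: per ssh(1) and sshd_config(5), -L binds to loopback unless a bind address or the client's GatewayPorts setting says otherwise, while for -R the server's GatewayPorts value decides (no forces loopback, yes forces all interfaces, clientspecified honours the bind address in the spec). The following added example, not from the original article, evaluates the article's forwarding specs under those rules; the function name and output format are assumptions.

```bash
# Added example (not from the article): work out where a -L or -R forward
# listens and who can reach it. IPv6 literals are not handled.

# Usage: forward_exposure L|R SPEC GATEWAYPORTS
#   SPEC          [BIND_ADDRESS:]PORT:DESTINATION:DESTINATION_PORT
#   GATEWAYPORTS  for -L the client setting (yes|no); for -R the server
#                 setting from sshd_config (yes|no|clientspecified)
# Prints: "<side> <listen address>:<port> -> <destination>:<port> <scope>"
forward_exposure() {
    printf '%s\n' "$2" | awk -F: -v type="$1" -v gw="$3" '
    {
        if (NF == 3)      { given = 0; bind = "";  port = $1; dest = $2; dport = $3 }
        else if (NF == 4) { given = 1; bind = $1; port = $2; dest = $3; dport = $4 }
        else { print "invalid forwarding spec"; exit 2 }
        if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) {
            print "invalid listen port"; exit 2
        }
        # An empty bind address or "*" asks for every interface.
        if (!given) asked = "localhost"
        else if (bind == "" || bind == "*") asked = "*"
        else asked = bind
        if (type == "R") {
            side = "server"
            if (gw == "yes")     listen = "*"          # forced to the wildcard address
            else if (gw == "no") listen = "localhost"  # forced to loopback
            else                 listen = asked        # clientspecified
        } else {
            side = "client"
            # Without a bind address, -L follows the client GatewayPorts setting.
            if (given) listen = asked
            else if (gw == "yes") listen = "*"
            else listen = "localhost"
        }
        if (listen == "*") scope = "all-interfaces"
        else if (listen == "localhost" || listen ~ /^127\./) scope = "loopback-only"
        else scope = "single-address"
        printf "%s %s:%s -> %s:%s %s\n", side, listen, port, dest, dport, scope
    }'
}

# The forwards from the article, evaluated under different GatewayPorts values.
forward_exposure L 8080:server1.example.com:3000 no
forward_exposure R 8080:127.0.0.1:3000 yes
forward_exposure R 8080:127.0.0.1:3000 no
forward_exposure R 5000:localhost:3000 clientspecified
```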

Dynamic Port Forwarding

The third and last type of port forwarding is dynamic port forwarding. Local and remote port forwarding allow you to tunnel and communicate with a single port, but with dynamic port forwarding you can tunnel and communicate with a range of ports.

It creates a socket on the local machine that works as a SOCKS proxy server; in other words, it sets up your local machine as a SOCKS proxy server, and by default it listens on port 1080. When a connection is made to this port, it is forwarded to the remote machine, and from there to the destination machine on a dynamic port.

What is SOCKS?

It is an Internet protocol that defines how a client machine can connect to a server via a proxy.

We can enable dynamic port forwarding with the -D option. Let’s understand dynamic port forwarding with an example:

ssh -D [LOCAL_IP:]LOCAL_PORT [USER@]SSH_SERVER

  • [LOCAL_IP:]LOCAL_PORT – The IP address and port number of the local machine.
  • [USER@]SSH_SERVER – The remote server IP address and username.

For example, this command will start a SOCKS proxy and will allow you to connect to the remote host.

ssh -f -N -D 1080 admin@server1.example.com 

Conclusion

SSH Tunneling is a useful way to transfer unencrypted data through an encrypted tunnel. There are three options available in it and you can choose as per your needs.

How to Use SSH Config File https://tecadmin.net/how-to-use-ssh-config-file/ Wed, 28 Jul 2021 05:47:06 +0000

Secure Shell (SSH) is one of the most commonly used and secure ways to connect to a remote server. It is easy to connect to a remote server with SSH, but what if you connect to many different servers and do it frequently? It becomes difficult to remember all the IP addresses, usernames, commands, and passwords.

To solve this problem, SSH allows you to set up and use an SSH config file for different use cases. SSH uses a system-wide configuration file and a custom, user-specific configuration file. You can customize and configure client-side connection options and store information about every remote server you connect to. In today’s article, we will explain how to use the SSH config file and explain some of the common configuration options.

With an SSH config file, you can define and store settings for specific remote machines. This eliminates the need to keep track of all the information, like password, username, IP address, etc., required to connect to a remote server.

What is the location of the SSH Config file

So as we told you previously, two types of configuration files are available in SSH – System-wide and User-specific(Custom) configuration files. And their locations are:

  1. System-wide configuration file: This file mainly contains default information that applies to all the system users and you can find it at /etc/ssh/ssh_config
  2. User Specific or Custom configuration file: This configuration file is specific to the user and in this article; this file will be our major focus.

Every user can maintain a custom, client-side SSH configuration file that stores common information used while making a connection. The file is readable and writable by the user, and others cannot access it.

The Client or custom configuration file is stored in the user’s home directory in the ~/.ssh directory. You will find it here – ~/.ssh/config or $HOME/.ssh/config

By default, the user-specific configuration file does not exist. So you can create it with this command:

touch ~/.ssh/config 

Also, if you do not find the ~/.ssh directory, you can create it with this command:

mkdir -p ~/.ssh 
chmod 0700 ~/.ssh  

Understand the structure of the SSH Config file

The Configuration file is specific to every host and contains information related to connection with a server. Every section starts with a header definition for the host and it is followed by the information and values that should be matched for connections. The file format will look like this:

Host Host1
    ssh_option1 Value Custom Value
    ssh_option2 Value Custom Value
    ssh_option3 Value  Custom Value

Host Host2
    ssh_value Value Custom Value

Host *
    Ssh_option Value Custom Value

How does the SSH configuration file work

Normally if you want to connect to a remote server, you will use this command:

ssh -i ~/.ssh/id_rsa -p 22 hostname@IPaddress 

It is not an easy task to remember the hostname and IP address of all the servers you connect with. So with the configuration file, you can connect with a single command.

ssh hostname 

The SSH will use the information from the configuration file to connect to the remote server. So let’s understand the working of the config file. For example, if you run the following command:

ssh Host1 

SSH will first match the hostname against each host mentioned in the config file, working top-down, and will find the Host1 header. Once SSH finds a match for Host1, it will check the other hosts too for any other matching entry. If there is no other match, SSH will use the option values listed under Host1 to connect to the server.

Using the SSH Config File

Now we know what the SSH config file is and how it works. Let’s understand how you can use it to simplify the remote connection environment.

Open the configuration file in an Editor.

vi ~/.ssh/config 

And you can define username, IP address, and port values in it. For example:

Host TecAdmin
         HostName 192.167.54.19
         Port 2222
         Forwardx11 no

Host *
         User tecadmin1
         IdentityFile ~/.ssh/id_rsa
         Protocol 2
         Compression yes
         ServerAliveInterval 60
         ServerAliveCountMax 20
         LogLevel Info

Explanation of values used in the file:

  • HostName: IP address of the remote server host in which you want to login.
  • User: Name of the user, you will log in as.
  • Port: The port you want to connect on the remote server.
  • Protocol: The version of protocol SSH should prefer. You can enter multiple values separated by a comma.
  • IdentityFile: Location of file that contains RSA, ECDSA, and DSA authentication Identity of the user.
  • ForwardX11: It allows you to forward the remote server display on your machine.
  • Compression: Whether to use compression during the remote server connection. Turning it on can be useful if you have a slow connection.
  • ServerAliveInterval: It is used to set a timer in seconds for the server connection and in the given time if no response is received from the server, ssh will send a message to request a response.
  • ServerAliveCountMax: It sets the number of messages that should be sent to request a response from the server.
  • LogLevel: It tells the verbosity level used when logging.
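The top-down matching described above can be reproduced with a short resolver: every Host block whose pattern matches contributes options, and for each keyword the first value obtained is kept. This is an added example rather than code from the article; the function names and the extra Port 22 line under Host * are constructed, and on a real system ssh -G <host> prints the authoritative result.

```bash
# Added example (not from the article): resolve which options apply to a host
# by walking an ssh client config top-down, keeping the first value per keyword.
# Simplifications: "keyword value" form only, Match blocks are skipped, and
# options that ssh accumulates (such as IdentityFile) keep only the first value.

# The config from the article, trimmed, plus one constructed line (Port 22 under Host *).
sample_config() {
    cat <<'EOF'
Host TecAdmin
         HostName 192.167.54.19
         Port 2222
         Forwardx11 no

Host *
         User tecadmin1
         Port 22
         IdentityFile ~/.ssh/id_rsa
         ServerAliveInterval 60
EOF
}

# host_matches HOST PATTERN... : true if a Host line with these patterns applies.
host_matches() {
    host=$1; shift
    hit=1
    for pat in "$@"; do
        case $pat in
            '!'*) case $host in ${pat#!}) return 1 ;; esac ;;  # negated pattern vetoes the block
            *)    case $host in $pat) hit=0 ;; esac ;;
        esac
    done
    return $hit
}

# Usage: resolve_ssh_config HOST < ~/.ssh/config
resolve_ssh_config() {
    target=$1; active=0; seen=' '     # lines before the first Host apply to all hosts
    set -f                            # keep "*" in the file from expanding to filenames
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                  # split into keyword and arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        case $key in
            '#'*)  continue ;;
            host)  if host_matches "$target" "$@"; then active=0; else active=1; fi; continue ;;
            match) active=1; continue ;;
        esac
        [ "$active" -eq 0 ] || continue
        case $seen in *" $key "*) continue ;; esac   # first obtained value wins
        seen="$seen$key "
        printf '%s %s\n' "$key" "$*"
    done
    set +f
}

sample_config | resolve_ssh_config TecAdmin
```

For TecAdmin the port stays 2222 because the specific block comes first; if Host * were placed above it, its Port 22 would win instead, which is why catch-all defaults belong at the end of the file.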

Conclusion

So now you know how a single configuration file can be so useful if you connect to remote servers frequently. You do not need to remember multiple hostnames, IP addresses, and ports.
