Lesson 9.3: Configure key-based authentication for SSH


Root Permission for SSH (Both Client and Server)

  • By default, SSH login as root is not allowed. To allow it, add PermitRootLogin yes to /etc/ssh/sshd_config and restart sshd.
  • [root@server ~]# systemctl restart sshd
[root@server ~]# hostname -I 
192.168.205.100 192.168.203.1 
 
[root@server ~]# ssh root@192.168.205.101
The authenticity of host '192.168.205.101 (192.168.205.101)' can't be established.
ED25519 key fingerprint is SHA256:HOPA4UyrPYpCEWcP4vMfeocqZn9r5fEBYgg9+lXNyeY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.101' (ED25519) to the list of known hosts.
root@192.168.205.101's password: 
Activate the web console with: systemctl enable --now cockpit.socket
 
Last login: Mon Sep 30 21:04:22 2024
 
[root@client ~]# useradd server1
[root@client ~]# passwd server1
 

Deny Users to SSH

  • Add a DenyUsers line to /etc/ssh/sshd_config, for example: DenyUsers server1.
  • Here the user server1 is denied and will not be permitted to log in over SSH.
  • [root@server ~]# systemctl restart sshd
# From Host
[sanjeeb@client ~]$ ssh server1@192.168.205.101 
The authenticity of host '192.168.205.101 (192.168.205.101)' can't be established.
ED25519 key fingerprint is SHA256:HOPA4UyrPYpCEWcP4vMfeocqZn9r5fEBYgg9+lXNyeY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: 192.168.208.136
    ~/.ssh/known_hosts:4: 192.168.208.130
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.205.101' (ED25519) to the list of known hosts.
server1@192.168.205.101's password: 
Permission denied, please try again.

Allow only a selected user's SSH login

  • Add an AllowUsers line to /etc/ssh/sshd_config, for example: AllowUsers sanjeeb.
  • Here only sanjeeb may log in; every user not listed, including server1, is denied SSH access.
  • [root@server ~]# systemctl restart sshd
[root@client ~]# ssh sanjeeb@192.168.205.101 
sanjeeb@192.168.205.101's password: 
Last login: Mon Sep 30 21:17:13 2024 from 192.168.205.101
lOGIN FROM SANJEEB!!
 
[sanjeeb@client ~]$ ssh server1@192.168.205.101
server1@192.168.205.101's password: 
Permission denied, please try again.

Configure SSH Server to Listen on a Non-Default Port

  • Modify the configuration file /etc/ssh/sshd_config.
  • Uncomment the Port 22 line and change it to Port 4488 (or any other port that is not in use).
  • If SELinux is in enforcing mode, tell it about the new port:
[root@client ~]# semanage port -a -t ssh_port_t -p tcp 4488
  • Because the service now listens on a non-default port, open that port in the firewall as well:
[root@client ~]# firewall-cmd --permanent --add-port=4488/tcp
success
[root@client ~]# firewall-cmd --reload
success
[root@client ~]# firewall-cmd --list-all 
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 4488/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  • Restart sshd on the remote host
[root@client ~]# systemctl restart sshd
  • Check the SSH connection from the server, using the new port
[root@server ~]# ssh -p 4488 sanjeeb@192.168.205.101 
sanjeeb@192.168.205.101's password: 
Last login: Mon Sep 30 21:31:44 2024 from 192.168.205.101
lOGIN FROM SANJEEB!!
[sanjeeb@client ~]$ 
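The sections above set PermitRootLogin, DenyUsers/AllowUsers and Port by editing sshd_config by hand. The following is an added example (my own, not part of the lesson): a small POSIX sh audit that reads an sshd_config and reports which of those settings still rely on passwords or on a denylist. It assumes the config path is passed as the first argument and takes each keyword's first uncommented value, which is how sshd resolves duplicates; Match blocks are ignored.

```bash
#!/bin/sh
# Added example, not part of the lesson: audit an sshd_config for the keywords
# this lesson edits (PermitRootLogin, DenyUsers/AllowUsers, Port) plus
# PasswordAuthentication, and report what still needs tightening.
# Assumption: the first uncommented occurrence of a keyword is its effective
# value (sshd uses the first one it reads); Match blocks are ignored.

# sshd_get FILE KEYWORD -> prints the effective value, empty if unset.
sshd_get() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_audit FILE -> prints one finding per line; returns the finding count.
sshd_audit() {
  local f="$1" n=0 root pass allow deny port
  root=$(sshd_get "$f" PermitRootLogin)
  pass=$(sshd_get "$f" PasswordAuthentication)
  allow=$(sshd_get "$f" AllowUsers)
  deny=$(sshd_get "$f" DenyUsers)
  port=$(sshd_get "$f" Port)

  # PermitRootLogin yes (what the lesson sets) lets root log in with a
  # password; once ssh-copy-id has installed the key, prohibit-password keeps
  # root's key login and removes the password path.
  if [ "$root" = "yes" ]; then
    echo "PermitRootLogin yes: switch to prohibit-password after keys are installed"
    n=$((n + 1))
  fi
  # Unset means the default, yes. With keys working, passwords are only exposure.
  if [ -z "$pass" ] || [ "$pass" = "yes" ]; then
    echo "PasswordAuthentication ${pass:-unset (default yes)}: set no once keys work"
    n=$((n + 1))
  fi
  # DenyUsers is a denylist: everyone not named still gets in. AllowUsers flips
  # that to an allowlist, which is the stronger default for a backup host.
  if [ -z "$allow" ]; then
    echo "AllowUsers unset${deny:+ (DenyUsers $deny alone only blocks that user)}"
    n=$((n + 1))
  fi
  # A non-default port needs the semanage and firewall-cmd steps from above.
  if [ -n "$port" ] && [ "$port" != "22" ]; then
    echo "Port $port: verify semanage port -l and firewall-cmd --list-ports show it"
    n=$((n + 1))
  fi
  return "$n"
}
```

Run it as sshd_audit /etc/ssh/sshd_config after editing, and validate the file with sshd -t before systemctl restart sshd so a typo cannot lock you out of the host.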

Secure Copy (scp)

[root@server mybackups]# scp -r root@192.168.205.101:/root/serverbackup /root/mybackups
root@192.168.205.101's password: 
[root@server mybackups]# ls
serverbackup
[root@server mybackups]# ls serverbackup/
f1  f2  f3  f4  f5  f6  f7

Transfer local files to a remote directory

[root@server ~]# scp -r /root/filestosend root@192.168.205.101:/root/filestoreceive
root@192.168.205.101's password: 
f11                                                                     100%    0     0.0KB/s   00:00    
f12                                                                     100%    0     0.0KB/s   00:00    
f13                                                                     100%    0     0.0KB/s   00:00    
f14                                                                     100%    0     0.0KB/s   00:00  

RSYNC

# BACKUP SERVER
[root@backupserver rsync_backup]# pwd
/root/rsync_backup
 
[root@backupserver rsync_backup]# hostname -I 
192.168.205.101 192.168.206.17 
 
# HOST SERVER
[root@server developer]# ls
file1
[root@server developer]# rsync --rsh=ssh -r /root/developer/* root@192.168.205.101:/root/rsync_backup
root@192.168.205.101's password: 
 
# BACKUP SERVER
[root@backupserver rsync_backup]# ls
file1

Creating a shell script for network backup

# HOST MACHINE
[root@server ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:YOIJ0vrE2iqmT3BeoU/sz5lZ0n0EMbuTEHl4bOyx1A8 root@server
The key's randomart image is:
+---[RSA 3072]----+
|        .=o.     |
| .      o.O+E    |
|. o o o .*oo o   |
| + = = . .o+  .  |
|o = *   S + .    |
| O =   . . o     |
|. = o . o . .    |
|.+   o *   .     |
|*..   *          |
+----[SHA256]-----+
[root@server ~]# cd .ssh 
[root@server .ssh]# ls
id_rsa  id_rsa.pub  known_hosts  known_hosts.old
[root@server .ssh]# ssh-copy-id root@192.168.205.101
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
 
Number of key(s) added: 1
 
Now try logging into the machine, with:   "ssh 'root@192.168.205.101'"
and check to make sure that only the key(s) you wanted were added.
 
# Now it won't ask for a password when logging into the remote machine
[root@server ~]# ssh root@192.168.205.101 
Activate the web console with: systemctl enable --now cockpit.socket
 
Last login: Mon Sep 30 21:46:08 2024
[root@backupserver ~]# 
 
 
# Making a script for rsync on the host machine
[root@server ~]# cd /root/scripts/
[root@server scripts]# ls
network_backup.sh
[root@server scripts]# cat network_backup.sh 
#!/bin/bash
# Network backup script: push /root/developer to the backup server over ssh
rsync --rsh=ssh -r /root/developer/* root@192.168.205.101:/root/rsync_backup
 
# Running the script
[root@server scripts]# network_backup.sh 
 
# Adding a new file
[root@server scripts]# touch /root/developer/file4
[root@server scripts]# ls /root/developer/
fil2  file1  file3  file4
[root@server scripts]# network_backup.sh 
[root@server scripts]# 
 
# On the backup server, file4 is present after the script has run on the host machine
[root@backupserver rsync_backup]# ls
fil2  file1  file3  file4
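The network_backup.sh above works once the key is installed, but if the key is ever missing or rejected, ssh falls back to a password prompt and an unattended run hangs. This added example (my own, not the lesson's script) is a version of the same backup with BatchMode and explicit preconditions; it assumes the lesson's paths, host and user as defaults, and that the backup server's host key is already in known_hosts, as it is after the interactive login shown above.

```bash
#!/bin/sh
# Added example, not the lesson's network_backup.sh: the same rsync-over-ssh
# push to the backup server, written to run unattended (e.g. from cron) with
# the key that ssh-copy-id installed. Assumptions: the lesson's paths, host
# and user are defaults; PORT and KEY are configurable; the backup server's
# host key is already in known_hosts (it is after the interactive login above).

SRC="${SRC:-/root/developer/}"   # trailing slash: sync the directory's contents
DEST="${DEST:-root@192.168.205.101:/root/rsync_backup}"
PORT="${PORT:-22}"
KEY="${KEY:-/root/.ssh/id_rsa}"
RSYNC="${RSYNC:-rsync}"          # overridable so the command can be checked

# ssh_cmd PORT KEY -> the transport rsync uses. BatchMode=yes makes ssh fail
# instead of prompting, so a missing or rejected key cannot hang the job, and
# PasswordAuthentication=no means it never silently falls back to a password.
ssh_cmd() {
  printf 'ssh -p %s -i %s -o BatchMode=yes -o PasswordAuthentication=no' "$1" "$2"
}

# backup SRC DEST PORT KEY -> 2 if a precondition fails, else rsync's status.
backup() {
  local src="$1" dest="$2" port="$3" key="$4"
  [ -d "$src" ] || { echo "backup: source $src is not a directory" >&2; return 2; }
  [ -r "$key" ] || { echo "backup: private key $key not readable" >&2; return 2; }
  # -a keeps permissions and times (the lesson's -r copies only the tree);
  # no --delete, so removing a file on the host leaves its backup in place.
  "$RSYNC" -a -e "$(ssh_cmd "$port" "$key")" "$src" "$dest"
}

# Run the backup only when executed as a script, not when sourced for tests.
case "$0" in
  */network_backup.sh|network_backup.sh) backup "$SRC" "$DEST" "$PORT" "$KEY" ;;
esac
```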
 
 
 

© 2025 2023 Sanjeeb KC. All rights reserved.