SSH
Creating Keys
Here are my basic instructions for generating SSH keys and setting them up with a server.
Generate your keys:
ssh-keygen -f ~/.ssh/id_rsa -b 4096 -C "my ssh keys for homelab jumpbox" -P ''
-C
> add a comment optional.
-P ''
> Set password to blank optionaly insert a password intbewtween the quotes.
Ensure the SSH agent is started:
eval "$(ssh-agent -s)
Should return the pid of the agent e.g.:
>Agent pid 12345
Add your keys (replace id_rsa with file name of your ssh keys):
ssh-add ~/.ssh/id_rsa
Add your keys to the remote server:
ssh-copy-id -i ~/path/to/ssh/public_key USER@IP_ADDRESS
Now you can log in to the remote device using your SSH keys with:
ssh user@IP_ADDRESS
Useful command to remove a host from your “known_hosts” file, replacing the home directory and host with those specific to your setup:
ssh-keygen -f "/home/user/.ssh/known_hosts" -R "10.10.10.10"
If you want to add the public key to github. Go to:
Settings > SSH and GPG Lyes > New SSH Key
Paste in your SSH public key and give it an appropriate name and description, your good to go.
Enabling SSH Server
Install Open SSH:
sudo dnf install openssh-server
Enable the sshd
service:
sudo systemctl start sshd
Check the status:
sudo systemctl status sshd
Check that the port is now available for connections (ss is a socket information tool):
ss ss -lt
Change Port
To change the default port under Fedora Linux, and in any other Linux distribution for that matter, requires a change to the default port option in /etc/ssh/sshd_config
to the port number you want to use.
Edit the configuration file manually and change the line # Port 22
to Port 2222
as an example.
Here is a sed command to automate this step:
sed -i -e 's/^#?Port 22/Port 2222/g' /etc/ssh/sshd_config
You should also change the port assignment in systemd socket (only some platforms.) Run the following command to determine if you’ve to do this on your Linux distribution, if the files exists an editor will open (skip this if the a message says the file doesn’t exist:
systemctl edit sshd.socket
Add the following lines into the Socket
section (the line without a value removes any previous port number assignments):
[Socket]
ListenStream=
ListenStream=722
Fedora will also need SE Linux and FirewallD permission and rules changing.
SELinux will by default expect incoming SSH connections to go over port 22, this policy will be adopted to allow traffic on the new port.
THis is done with the semanage
command, the first command adds the new port to the existing ssh_port_t
policy, the second one verifies that it is now present:
semanage port -a -t ssh_port_t -p tcp 722
semanage port -l | grep ssh_port_t
Then use the firewall-cmd
to add the specific port and remove port 22 from the firewall polices for SSH.
Add the new port:
firewall-cmd --permanent --service="ssh" --add-port "722/tcp"
Reload the firewall:
firewall-cmd --reload
Reload SSH daemon:
systemctl reload sshd
Now reconnect to the server on the new port to ensure that all is functioning as desired, if it is you can then remove port 22 from the firewall rules:
firewall-cmd --permanent --service="ssh" --remove-port "22/tcp"
firewall-cmd --reload
Source: https://www.ctrl.blog/entry/how-to-alternate-ssh-port-fedora.html
OPNsesnse NAT Port forward rule
Create a rule with the following parameters assigned (changing the ports to appropriate outside and inside target port numbers):
Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP
Destination: WAN Address
Destination port range: SSH
Redirect target IP: 10.10.10.10
Description: 10.10.10.10 SSH Access
Filter Rule Association: Pass
Don’t forget the Filter Rule Association as I spent and age once trying to work out why a NAT rule wasn’t working and I hadn’t set this to pass.
Disabling Password Based Authentication
Before you do this ensure your SSH keys are backed up or you have multiple set up so if a machine dies you can still get to the server.
Edit the /etc/ssh/sshd_config
file and cchange the following line:
PasswordAuthentication yes
To:
PasswordAuthentication no
Restart the SSH daemon:
sudo systemctl restart sshd
Done.