Learn sshd_config and authorized_keys (on Amazon Linux 2)


Learn about sshd_config by changing the /etc/ssh/sshd_config settings of a fresh Amazon Linux 2 instance, and learn about authorized_keys along the way.

Learn a little sshd_config

Settings you are likely to touch first

Meaning                            Corresponding directive
Password authentication            PasswordAuthentication
Challenge-response authentication  ChallengeResponseAuthentication
Public key authentication          PubkeyAuthentication
Root login                         PermitRootLogin
Connection port                    Port XX (default 22)
SSH protocol version               Protocol

Amazon Linux 2 Initial Settings

Setting (excerpt from /etc/ssh/sshd_config)

#Port 22

#PubkeyAuthentication yes
# the setting of "PermitRootLogin without-password".

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

#PermitRootLogin yes

What kind of setting is good

When I checked, the following settings came out in common.

- Prohibit root login
- Prohibit password authentication
- Use public key authentication
- Allow only SSH protocol version 2
- Disable challenge-response authentication

Recommended value                  Set value                           Matches recommendation?
Prohibit root login                #PermitRootLogin yes                ×
Disable challenge-response auth    ChallengeResponseAuthentication no  ○
Allow public key authentication    #PubkeyAuthentication yes           ○
Allow only SSH protocol version 2  (could not find a Protocol setting)
Prohibit password authentication   PasswordAuthentication no           ○

For the row marked × and the row where I could not find a setting, let's verify what actually happens when trying to connect.

Prohibition of root login

The setting for root login in /etc/ssh/sshd_config was:

#PermitRootLogin yes

However, the official Amazon Linux 2 page states the following:

** Safe by default ** In Amazon Linux 2, remote access is restricted by using an SSH key pair and disabling remote root login. Amazon Linux 2 also reduces the risk of security vulnerabilities by reducing the number of packages installed on your instance that are not required. Security updates with a severity of "Critical" or "Important" are automatically applied at first boot.

I won't know unless I try it, so let's try it.


Try connecting as the user ** root ** using Tera Term. The following message appears:

Please login as the user "ec2-user" rather than the user "root".

> What is this?! <

As a result, I could not log in as root, just as the official page says. But I wanted to know where the message printed above when logging in as root is configured, so I looked it up and found it in the following file.

/root/.ssh/authorized_keys
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" ssh-rsa <String> <Key pair name>

The part before ssh-rsa is the options field of authorized_keys, which can carry various restrictions for that key. I did not know that.

Option               Meaning
no-port-forwarding   Prohibits port forwarding when this key is used
no-agent-forwarding  Prohibits authentication agent forwarding
no-X11-forwarding    Prohibits X11 (display) forwarding
command="command"    Forces the given command to run whenever this key authenticates; the command requested by the client is ignored
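To see exactly what such a line grants and denies, here is a small parser for the options field of an authorized_keys line. This is an added example, not code from the post; the sample line is constructed after the root key shown above, with a placeholder instead of real key material.

```python
"""Parse the options field of an authorized_keys line and report what it
restricts. Added example; not code from the post. The sample line is
constructed after the Amazon Linux 2 root key shown above, with a
placeholder instead of real key material."""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Flag options that remove a capability, and the capability each removes.
RESTRICTIONS = {
    "no-port-forwarding": "port_forwarding",
    "no-agent-forwarding": "agent_forwarding",
    "no-x11-forwarding": "x11_forwarding",
    "no-pty": "pty",
}

def split_options(line):
    """Return (options, rest). Options end at the first unquoted space;
    a comma inside command="..." does not split, and \\" is a literal quote."""
    line = line.strip()
    if not line or line.startswith(KEY_TYPE_PREFIXES):
        return [], line
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if quoted:
            if ch == "\\" and i + 1 < len(line):
                cur.append(line[i + 1]); i += 2; continue   # escaped char, keep it
            if ch == '"':
                quoted = False
            else:
                cur.append(ch)
        elif ch == '"':
            quoted = True
        elif ch == ",":
            opts.append("".join(cur)); cur = []
        elif ch.isspace():
            opts.append("".join(cur))
            return opts, line[i:].strip()
        else:
            cur.append(ch)
        i += 1
    raise ValueError("options not followed by a key")

def parse_authorized_key(line):
    """Summarise one authorized_keys line as a dict of effective settings."""
    opts, rest = split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError("missing key type or key data")
    info = {cap: True for cap in RESTRICTIONS.values()}
    info.update({"forced_command": None, "key_type": fields[0],
                 "comment": fields[2] if len(fields) == 3 else ""})
    for opt in opts:
        name, _, value = opt.partition("=")
        if name.lower() in RESTRICTIONS:
            info[RESTRICTIONS[name.lower()]] = False
        elif name.lower() == "command":
            info["forced_command"] = value      # runs instead of the requested command
    return info

# Constructed sample modelled on /root/.ssh/authorized_keys from the post.
SAMPLE = r'''no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAEXAMPLEKEYDATA my-key-pair'''
```

Running parse_authorized_key(SAMPLE) shows the three forwarding capabilities switched off and the echo/sleep command forced in place of any shell, which is why the login "succeeds" yet only prints the message.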

If you delete the options, can you log in as root? So, after taking a backup, try deleting the part before ssh-rsa.

# cp -p /root/.ssh/authorized_keys /root/.ssh/authorized_keys_yyyymmdd
# ls -a /root/.ssh/
# vi /root/.ssh/authorized_keys
# cat /root/.ssh/authorized_keys
# systemctl restart sshd.service

Now that the authorized_keys change is in place (sshd reads the file at each login, so the restart is not strictly required), try a new SSH connection.

It's done. I will check the user just in case.

# whoami
root

I was able to log in. Next, let's see what happens if you change ** #PermitRootLogin yes ** in sshd_config as follows, still without the authorized_keys options.

(Before change) #PermitRootLogin yes

(After change) PermitRootLogin no

Make a backup of sshd_config and confirm that the backup exists. Then change the setting and restart sshd so that it takes effect.

# cd /etc/ssh
# cp -p sshd_config sshd_config_yyyymmdd
# ls -l
# vi /etc/ssh/sshd_config
# systemctl restart sshd.service

Now try root login with a new connection.


** Authentication failed. Please try again. ** With that message, I cannot log in as root. So, by default, it is the authorized_keys options that prevent root login; if you remove those options, you can log in as root unless sshd_config has PermitRootLogin no.

result

sshd_config           authorized_keys   Can connect as root?
#PermitRootLogin yes  with options      ×
#PermitRootLogin yes  without options   ○
PermitRootLogin no    with options      ×
PermitRootLogin no    without options   ×

It turns out that it is better to set PermitRootLogin no explicitly in sshd_config rather than relying on the authorized_keys options alone.

Only SSH connection Version 2 allowed

Select [** SSH1 **] for SSH version (V) in Tera Term and click [OK].

> Can't connect <

There was no Protocol setting in /etc/ssh/sshd_config, and I wondered why. Server support for SSH protocol version 1 was removed in OpenSSH 7.4, so the server speaks only SSH v2 without any configuration. From the OpenSSH 7.4/7.4p1 release notes (2016-12-19):

  • This release removes server support for the SSH v.1 protocol.

Let's check which OpenSSH version Amazon Linux 2 has.

# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

It was OpenSSH 7.4p1. (ssh -V prints the client version; on Amazon Linux 2 the client and server are built from the same openssh package, so the server version is the same.)

result

Since SSH v1 support was removed in OpenSSH 7.4, the server is SSH v2 only without any special setting.

In closing

Finally, I would like to compare again.

Recommended value                  Set value                                              Matches recommendation?
Prohibit root login                #PermitRootLogin yes (root key restricted in authorized_keys)  ○
Disable challenge-response auth    ChallengeResponseAuthentication no                     ○
Allow public key authentication    #PubkeyAuthentication yes                              ○
Allow only SSH protocol version 2  (no Protocol setting; v1 removed in OpenSSH 7.4)       ○
Prohibit password authentication   PasswordAuthentication no                              ○

It turns out that the initial Amazon Linux 2 settings already satisfy the recommendations above without any changes. I learned a lot, because there were so many things I didn't know.
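The comparison above, and the Protocol finding before it, can be turned into a repeatable check. This is an added example, not code from the post; it reads an sshd_config text the way sshd_config(5) does (first occurrence of a keyword wins, keywords are case-insensitive, # lines are comments) and reports which recommended items are set, unset, or wrong.

```python
"""Audit sshd_config text against the hardening items compared above.
Added example; not code from the post. Rules follow sshd_config(5): the
first occurrence of a keyword wins, keywords are case-insensitive, and
'#' lines are comments that only show the built-in default."""
import re

# Recommended values from the comparison table; Protocol is handled separately.
RECOMMENDED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Return {keyword: first active value} for the global section."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):   # per-connection blocks follow; stop
            break
        m = re.match(r"(\w+)\s*=?\s*(\S.*)", line)
        if m:
            active.setdefault(m.group(1).lower(), m.group(2).strip())
    return active

def audit(text):
    """Return {keyword: (status, value)}, status in ok / unset / mismatch."""
    active = parse_sshd_config(text)
    report = {}
    for key, want in RECOMMENDED.items():
        got = active.get(key)
        if got is None:
            report[key] = ("unset", None)          # relies on the compiled-in default
        elif got.lower() == want:
            report[key] = ("ok", got)
        else:
            report[key] = ("mismatch", got)
    # SSH v1 server support was removed in OpenSSH 7.4; no Protocol line means v2 only.
    proto = active.get("protocol")
    report["protocol"] = ("ok", proto) if proto in (None, "2") else ("mismatch", proto)
    return report

def findings(text):
    """List the items that are not explicitly set to the recommended value."""
    return sorted(k for k, (status, _) in audit(text).items() if status != "ok")

# Constructed excerpt made of the Amazon Linux 2 lines quoted earlier in the post.
AL2_EXCERPT = "#Port 22\n#PubkeyAuthentication yes\n#PasswordAuthentication yes\n" \
    "PasswordAuthentication no\n#ChallengeResponseAuthentication yes\n" \
    "ChallengeResponseAuthentication no\n#PermitRootLogin yes\n"
```

On the excerpt, findings() returns PermitRootLogin and PubkeyAuthentication as "unset", which matches the post's conclusion that PermitRootLogin no is worth setting explicitly rather than relying on a default.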
