Note: This is an RHCSA 7 exam objective and an RHCE 7 exam objective.
Presentation
Instead of connecting through login/password to a remote host, SSH allows you to use key-based authentication. To set up key-based authentication, you need two virtual/physical servers that we will call server1 and server2.
Configuration Procedure
On server1, create a user user01 with password user01:
# useradd user01
# passwd user01
Changing password for user user01.
New password: your password
Retype new password: your password
passwd: all authentication tokens updated successfully.
On server2, create the same user with password user01:
# useradd user01
# passwd user01
Changing password for user user01.
New password: your password
Retype new password: your password
passwd: all authentication tokens updated successfully.
On server1, switch to this new user:
# su - user01
Generate a private/public key pair for key-based authentication (here an RSA key of 2048 bits with no passphrase):
[user01@server1 ~]$ ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user01/.ssh/id_rsa): return
Created directory '/home/user01/.ssh'.
Enter passphrase (empty for no passphrase): return
Enter same passphrase again: return
Your identification has been saved in /home/user01/.ssh/id_rsa.
Your public key has been saved in /home/user01/.ssh/id_rsa.pub.
The key fingerprint is:
6d:ac:45:32:34:ac:da:4a:3b:4e:f2:83:85:84:5f:d8 user01@server1.example.com
The key's randomart image is:
+--[ RSA 2048]----+
|              .o |
|             ... |
|      . o  .o .  |
|     . o E . *   |
|      o o o S =  |
|       o + . +   |
|        .+.o .   |
|         .+=     |
|         .oo     |
+-----------------+
Still on server1, copy the public key to server2:
[user01@server1 ~]$ ssh-copy-id -i .ssh/id_rsa.pub user01@server2.example.com
The authenticity of host 'server2.example.com (192.168.1.49)' can't be established.
ECDSA key fingerprint is 67:79:67:88:7f:da:31:49:7b:dd:ed:40:af:ae:b6:ae.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user01@server2.example.com's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user01@server2.example.com'"
and check to make sure that only the key(s) you wanted were added.
On server2, edit the /etc/ssh/sshd_config file and set the following options:
PasswordAuthentication no
PubkeyAuthentication yes
Note: Don’t hesitate to set up virtual console access on server2; this will save you from reinstalling the physical/virtual server if something goes wrong (with password authentication disabled, a key that is not accepted locks you out of SSH).
Restart the sshd service:
# systemctl restart sshd
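A caveat worth checking before the restart: sshd keeps the first uncommented value it reads for a keyword, so a "PasswordAuthentication no" appended at the end of a file that still contains the stock "PasswordAuthentication yes" line does nothing. The following POSIX shell audit is an added example, not part of the original article, and runs against two constructed sample files (the function names effective_value and check_sshd_config are mine).

```shell
#!/bin/sh
# Added example, not from the original article: audit the two sshd_config
# directives set above. sshd uses the FIRST uncommented value it reads for a
# keyword, so a directive appended at the end of the file is ignored when an
# earlier line already sets it. Only the global section (before any Match
# block) is inspected, and the "Keyword value" form used in the article is assumed.

# effective_value FILE KEYWORD: print the value sshd would use (lowercased), or nothing if unset
effective_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }                    # comment or blank line
        tolower($1) == "match"      { exit }                    # end of the global section
        tolower($1) == tolower(key) { print tolower($2); exit } # first value wins
    ' "$1"
}

# check_sshd_config FILE: succeed only if password auth is off and pubkey auth is on
check_sshd_config() {
    pw=$(effective_value "$1" PasswordAuthentication)
    pk=$(effective_value "$1" PubkeyAuthentication)
    : "${pw:=yes}" "${pk:=yes}"   # sshd defaults when a directive is absent
    [ "$pw" = no ] && [ "$pk" = yes ]
}

# Constructed sample configs (not real server files)
tmpdir=$(mktemp -d)
cat > "$tmpdir/sshd_config.bad" <<'EOF'
PasswordAuthentication yes
# appended later by an admin; sshd ignores it because of the line above
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$tmpdir/sshd_config.good" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
EOF

for f in "$tmpdir"/sshd_config.*; do
    if check_sshd_config "$f"; then
        echo "OK   $f: password auth off, key auth on"
    else
        echo "WARN $f: password auth still allowed or key auth disabled"
    fi
done
```

On a real server2, run check_sshd_config /etc/ssh/sshd_config from the console before restarting sshd; sshd -t additionally validates the file's syntax.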
Testing Time
On server1 as user01, connect to server2:
[user01@server1 ~]$ ssh server2.example.com
Note 1: This configuration can also be done for the root account.
Note 2: Use the -v, -vv, or -vvv option of ssh to get debug information.
Additional Resources
Bob Cromwell wrote a series of articles about setting up SSH keys for easier and more secure authentication, setting up an SSH key agent, easily maintaining multiple websites with SSH, and ways to manage your SSH keys and identities.
Beyond the exam objectives, Scott Lowe explains how to build an SSH bastion host.
Thank you, this is the best guide I’ve seen for this task. I’ll be using this site more in the future to prepare for my RHCSA.
Thanks.
Hi CertDepot,
I think it is also advisable to set the “PermitRootLogin” to “no” on server2 based on your example? Don’t know if this is a good idea and if I will do this on the exam.
The PermitRootLogin no directive is mainly necessary if you don’t use key-based authentication. If you use key-based authentication, you can set it or not, there is no strict requirement.
Also, if you use a configuration management tool like Ansible, you will have to allow Ansible to connect as root on your servers to apply the needed changes, and you will not be able to use the PermitRootLogin no directive anymore.
During the exam, I don’t think wasting time with this directive will be useful.
Thanks CertDepot!
Hello,
I cannot ssh-copy-id for a user created on the IPA server (ipa user-add). I can’t even log in via SSH under this user. For local users it works.
Is it a problem in terms of the exam? Should I dig into it?
Is it necessary to know SSH agent configuration steps?
No, you only need to know the meaning of the main directives.
I ask anyone who took the exam: I would like to know if during the exam I will be allowed to ssh from the host to the exam VM to perform tasks, instead of being forced to use the raw console (no copy and paste, for example…). It would be useful to know also if I will be allowed, for simplicity, to ssh-copy-id from host to VM so I won’t have to log in with a password (better time management!)
Thank you very much
The answer is most likely yes; however, if this is not the case, you need to be able to install/configure the service. Take note of any exam questions about what IP or address should access the services.