server = srv.example.local
client = 192.168.2.20/24


SSHD

Add SELinux context to allow sshd listening on a non-standard port:

# semanage port -at ssh_port_t 3000 -p tcp

Configure /etc/ssh/sshd_config:

# vi /etc/ssh/sshd_config
[...]
Port 22
Port 3000
[...]
PermitRootLogin yes
[...]
PubkeyAuthentication yes
[...]

Note: the option “PermitRootLogin yes” is NOT RECOMMENDED. Instead, use a user account present on both server and client (an LDAP user account is the best option).

Add firewall rule:

# firewall-cmd --permanent --add-port=3000/tcp
# firewall-cmd --reload

Or, a rich-rule:

# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.2.20 port port=3000 protocol=tcp accept'
# firewall-cmd --reload
# firewall-cmd --reload

Restart sshd:

# systemctl restart sshd
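
A check for the SSHD steps above, added here as an example and not part of the original notes: it compares the ports sshd will bind with the ports labelled ssh_port_t and reports the root-login and public-key settings. The function names and both sample outputs are constructed for illustration, and only single ports (not ranges) in the semanage listing are handled.

```shell
#!/bin/sh
# Added example. Live use, as root, before restarting sshd:
#   audit_sshd "$(sshd -T)" "$(semanage port -l)"

# Constructed sample of `sshd -T` output (effective config, lowercase keys).
SAMPLE_SSHD='port 22
port 3000
permitrootlogin yes
pubkeyauthentication yes'

# Constructed sample of `semanage port -l` output BEFORE the semanage step.
SAMPLE_SEMANAGE='smtp_port_t                    tcp      25, 465, 587
ssh_port_t                     tcp      22'

# Ports sshd will listen on, one per line.
sshd_ports() {
    printf '%s\n' "$1" | awk '$1 == "port" { print $2 }'
}

# TCP ports carrying the ssh_port_t label, one per line.
selinux_ssh_ports() {
    printf '%s\n' "$1" | awk '$1 == "ssh_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { sub(/,$/, "", $i); print $i } }'
}

# Print one finding per line; empty output means nothing to fix.
# $1 = sshd -T output, $2 = semanage port -l output.
audit_sshd() {
    labelled=$(selinux_ssh_ports "$2")
    for p in $(sshd_ports "$1"); do
        # An unlabelled port makes sshd fail to bind under enforcing SELinux.
        printf '%s\n' "$labelled" | grep -qx "$p" ||
            echo "port $p: not labelled ssh_port_t"
    done
    # The note above marks root login as not recommended, so report it.
    printf '%s\n' "$1" | grep -qix 'permitrootlogin yes' &&
        echo "permitrootlogin: yes"
    # Key-based login on the client side depends on this being enabled.
    printf '%s\n' "$1" | grep -qix 'pubkeyauthentication yes' ||
        echo "pubkeyauthentication: not enabled"
    return 0
}
```

Running `sshd -t` before the restart also catches syntax errors in /etc/ssh/sshd_config, which matters when the only access to the server is over SSH.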


SSH CLIENT

Create public/private RSA key pair:

# ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): enter
Enter passphrase (empty for no passphrase): enter
Enter same passphrase again: enter
[...]

Use ssh-copy-id to send the public key to the server:

# ssh-copy-id -i ~/.ssh/id_rsa.pub -p 3000 root@srv.example.local
The authenticity of the host '[srv.example.local]:3000 [...] can't be established.
Are you sure you want to continue connecting (yes/no)? yes
[...]
root@srv.example.local's password: root_password
Number of key(s) added: 1
[...]

Password-less key pair authentication:

# ssh -p 3000 root@srv.example.local