Learning about sshd_config by changing the /etc/ssh/sshd_config settings of a fresh Amazon Linux 2 instance, and about authorized_keys along the way.
Meaning | Corresponding keyword |
---|---|
Password authentication | PasswordAuthentication |
Challenge-response authentication | ChallengeResponseAuthentication |
Public key authentication | PubkeyAuthentication |
root login | PermitRootLogin |
Connection port | Port XX (default 22) |
SSH protocol version | Protocol |
Settings (excerpt of the relevant lines from /etc/ssh/sshd_config)

```
#Port 22
#PubkeyAuthentication yes
# the setting of "PermitRootLogin without-password".
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
#PermitRootLogin yes
```
When I looked up commonly recommended sshd hardening settings, the following came up again and again:

- Prohibit root login
- Prohibit password authentication
- Use public key authentication
- Allow only SSH protocol version 2
- Disable challenge-response authentication
Recommended value | Set value | Comparison with recommended value |
---|---|---|
Prohibition of root login | #PermitRootLogin yes | × |
Challenge-response authentication | ChallengeResponseAuthentication no | 〇 |
Allow public key authentication | #PubkeyAuthentication yes | 〇 |
Only SSH protocol version 2 allowed | I couldn't find the setting | ? |
Prohibition of password authentication | PasswordAuthentication no | 〇 |
Let's look at the × item and verify what actually happens when you try to connect.
The root login setting in /etc/ssh/sshd_config was:

```
#PermitRootLogin yes
```
However, the official Amazon Linux 2 page states the following:

**Safe by default** In Amazon Linux 2, remote access is restricted by using an SSH key pair and disabling remote root login. Amazon Linux 2 also reduces the risk of security vulnerabilities by reducing the number of packages installed on your instance to those that are required. Security updates with a severity of "Critical" or "Important" are automatically applied at first boot.
I won't know unless I try it, so let's try it.
Try connecting as user **root** using Tera Term.

```
Please login as the user "ec2-user" rather than the user "root".
```

What is this?!
As a result, I could not log in as root, just as officially stated. But I wanted to know where the message shown above when logging in as root was configured, so I looked it up and found it set in the following file.
/root/.ssh/authorized_keys

```
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" ssh-rsa <String> <Key pair name>
```
The part before ssh-rsa is a list of authorized_keys options; it turns out you can set various per-key restrictions there. I did not know that. In this case they are listed before ssh-rsa, in the same line as the key.
Option | Meaning |
---|---|
no-port-forwarding | Prohibits port forwarding for this key |
no-agent-forwarding | Prohibits authentication agent forwarding for this key |
no-X11-forwarding | Prohibits X11 (display) forwarding for this key |
command="command" | Forces the given command to run whenever this key is used, instead of whatever the client requested |
If I delete the options, can I log in as root...? So, after taking a backup, try deleting everything before ssh-rsa.

```
# cp -p /root/.ssh/authorized_keys /root/.ssh/authorized_keys_yyyymmdd
# ls -a /root/.ssh/
# vi /root/.ssh/authorized_keys
# cat /root/.ssh/authorized_keys
# systemctl restart sshd.service
```
Now that the authorized_keys change has been applied, try a new SSH connection.
It connected. I will check the user just in case.

```
# whoami
root
```
I was able to log in. Next, let's see what happens if I change **#PermitRootLogin yes** in sshd_config as follows, still with the authorized_keys options removed.

(Before change) #PermitRootLogin yes
(After change) PermitRootLogin no
Make a backup of sshd_config and check that the backup exists. After that, change the setting and restart sshd so that it takes effect.

```
# cp -p sshd_config sshd_config_yyyymmdd
# ls -l
# vi /etc/ssh/sshd_config
# systemctl restart sshd.service
```
Now try a root login with a new connection.
**Authentication failed. Please try again.** I can't log in as root. So, by default, it is the authorized_keys options that prevent root login: if you remove those options, you can log in as root, because sshd_config does not have PermitRootLogin no.
sshd_config | authorized_keys | Root login possible? |
---|---|---|
#PermitRootLogin yes | With options | × |
#PermitRootLogin yes | No options | 〇 |
PermitRootLogin no | With options | × |
PermitRootLogin no | No options | × |
It turns out that it is better to set PermitRootLogin no in sshd_config.
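The matrix above can be reproduced offline from the two files involved. This is an added example, not code from the original post: it reads the effective PermitRootLogin value from a sshd_config (treating a "#Keyword value" comment as unset), checks root's authorized_keys line for a forced command, and combines the two; the config and key lines are constructed samples, and the key-login-allowed assumption for an unset PermitRootLogin matches the OpenSSH 7.x default of prohibit-password.

```shell
#!/bin/sh
# Added example (not the post's own code): reproduce the root-login matrix
# from a sshd_config and an authorized_keys file, using constructed samples.

# Effective value of a sshd_config keyword: sshd takes the first uncommented
# match; a keyword present only as "#Keyword value" is unset, so the compiled-in
# default applies (reported as "default"; for OpenSSH 7.x PermitRootLogin
# defaults to prohibit-password, i.e. key-based root login is allowed).
# Match blocks are ignored here for brevity.
effective_value() {  # $1 = sshd_config path, $2 = keyword (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "default" }' "$1"
}

# True if any non-comment line carries a command="..." option in front of
# the key type (options always precede the key type in authorized_keys).
has_forced_command() {  # $1 = authorized_keys path
    awk '/^[[:space:]]*#/ { next }
         { c = index($0, "command=\""); k = match($0, / (ssh-|ecdsa-|sk-)/)
           if (c > 0 && k > c) { found = 1; exit } }
         END { exit !found }' "$1"
}

# "yes" if an interactive root login with the key would succeed, else "no".
root_login_possible() {  # $1 = sshd_config path, $2 = authorized_keys path
    if [ "$(effective_value "$1" PermitRootLogin)" = "no" ]; then echo no; return; fi
    if has_forced_command "$2"; then echo no; return; fi   # forced command, no shell
    echo yes
}

# Constructed samples mirroring the post's excerpts (the key material is fake).
demo() {
    d=$(mktemp -d)
    printf '#PermitRootLogin yes\nPasswordAuthentication no\n' > "$d/sshd_default"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$d/sshd_hardened"
    printf 'no-port-forwarding,command="echo \\"use ec2-user\\";sleep 10" ssh-rsa AAAAEXAMPLE root-key\n' > "$d/ak_options"
    printf 'ssh-rsa AAAAEXAMPLE root-key\n' > "$d/ak_plain"
    for s in sshd_default sshd_hardened; do
        for a in ak_options ak_plain; do
            printf '%-13s %-10s -> root login: %s\n' "$s" "$a" "$(root_login_possible "$d/$s" "$d/$a")"
        done
    done
    rm -rf "$d"
}
demo
```

On a real host the effective values can be confirmed directly with `sshd -T`, which prints the configuration sshd actually uses, including keywords left at their defaults.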
Next, select [**SSH1**] for SSH version (V) in Tera Term and click [OK].

It can't connect!
There was no Protocol setting in /etc/ssh/sshd_config, and I wondered why. It turns out SSH v1 server support was removed in OpenSSH 7.4, so the server speaks only SSH v2 without any setting. From the OpenSSH 7.4/7.4p1 (2016-12-19) release notes:

- This release removes server support for the SSH v.1 protocol.
Let's check which version Amazon Linux 2 ships.

```
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
```

It is OpenSSH 7.4p1. Since SSH v1 was removed in OpenSSH 7.4, it is SSH v2 without doing anything special.
Finally, let's compare again.

Recommended value | Set value | Comparison with recommended value |
---|---|---|
Prohibition of root login | #PermitRootLogin yes | 〇 |
Challenge-response authentication | ChallengeResponseAuthentication no | 〇 |
Allow public key authentication | #PubkeyAuthentication yes | 〇 |
Only SSH protocol version 2 allowed | No setting needed (SSH v1 removed in OpenSSH 7.4) | 〇 |
Prohibition of password authentication | PasswordAuthentication no | 〇 |
It turns out that the initial Amazon Linux 2 settings already satisfy the recommendations above without any changes. I learned a lot, because there were so many things I didn't know.