Configuring SSH on Oracle Linux

Configuring SSH Tunnels in Oracle Linux

This tutorial provides step-by-step procedures to configure SSH tunnels for network traffic. SSH tunnels, or SSH forwarding, encapsulate specific TCP traffic and carry it across the network inside an SSH connection. This tutorial is targeted at users of Oracle Linux 8 or later.

Objectives

This tutorial teaches you how to configure the following types of SSH tunneling:

  • Dynamic port forwarding
  • Local port forwarding

What Do You Need?

  • A remote SSH system with some configured services, such as web services, VNC services, or Cockpit, to be used by remote clients.
  • A client system with appropriate software installed, such as a desktop viewer to use VNC services.

Configuring SSH Tunneling

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

Configuring SSH dynamic port forwarding

Dynamic port forwarding enables communications across a range of ports by making SSH act as a SOCKS proxy server.

Note: Unless instructed otherwise, you must run all the commands in this section from your SSH client desktop.

  1. If you are currently connected to ol8-server in a terminal window, type exit to disconnect from the instance. Alternatively, open a new tab for a separate terminal window.
  2. Open an SSH connection to ol8-server while using the -D option and specifying a port number to use locally. The -D option indicates that the connection uses dynamic port forwarding.
  • -N prevents the execution of remote commands.
  • -f indicates that the connection is forked into the background.
  • sleep, given as the remote command, keeps the tunnel open for the specified number of seconds while it waits for a forwarded connection. If a connection arrives in that time, the tunnel stays open for as long as that connection is in use; otherwise it closes.
  3. Test the tunnel by sending a request through the SOCKS proxy. The reply shows the address from which the request left ol8-server:
curl -w '\n' --socks5 localhost:8080 ifconfig.me

By using the dynamic port forwarding service, you can redirect or forward TCP traffic from one system to another over a secure connection. This service functions as a rudimentary VPN. Thus, you can configure a local web browser to use the SOCKS proxy for forwarded browsing. Or, as an alternative, you can configure SOCKS proxy settings by defining a variable as follows, and then retest with the curl command.

export ALL_PROXY="socks5://localhost:8080"
curl -w '\n' ifconfig.me

Other mechanisms can be used to force all TCP traffic through your SSH connection. However, these are beyond the scope of this tutorial. In addition, alternative methods might be preferable to SSH tunnels for this purpose.


Configuring SSH local port forwarding

Local port forwarding over SSH maps a local port on the client system to a remote port on the server system. This configuration enables you to access services on the remote system that are otherwise inaccessible because the services might be running behind a firewall or might not be listening on a public network interface.

Cockpit is a good example of such a service. Typically, if you want to run the Cockpit web console for a system that is connected to the Internet, the service would be exposed on a public-facing network, which is not advisable.

For this demonstration, the ol8-server is configured for security as follows:

  • The instance is preconfigured to run the Cockpit service.
  • The instance is running a firewall service.
  • The Cockpit port is not open.

Note: Unless instructed otherwise, all the commands must be typed from your SSH client desktop.

  1. If you are currently connected to the ol8-server in a terminal window, type exit to disconnect from the instance. Alternatively, open a new tab for a separate terminal window.
  2. Verify that the Cockpit service is inaccessible: in a browser, open the Cockpit web console of ol8-server through its IP address at http://<ip_address>:9090/. The connection does not succeed.
  3. In the terminal window, open an SSH connection to ol8-server by using local port forwarding. The -L option maps a port on the local host to a port on the server.
ssh -L 9090:localhost:9090 oracle@<ip_address>
  • -N prevents the execution of remote commands.
  • -f indicates that the connection is forked into the background.
  • sleep, given as the remote command, keeps the tunnel open for the specified number of seconds while it waits for a forwarded connection. If a connection arrives in that time, the tunnel stays open for as long as that connection is in use; otherwise it closes.
  4. In the browser, open http://localhost:9090/. The connection now succeeds because the tunnel carries it to port 9090 on ol8-server.

By using the Cockpit web console, you can remotely manage the instance even though the service itself is not exposed on any public-facing network.
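Both forwarding modes above create a listener on the client, and how safe the setup is depends on where that listener binds. The following Python script is an added example, not part of the Oracle tutorial: it parses -D and -L specs in the ssh(1) format and reports whether each listener is reachable only from the loopback interface (the default) or from other hosts (an explicit '*' or empty bind address, or the -g option).

```python
"""Audit where OpenSSH -D/-L listeners bind (added example, not the Oracle tutorial's code).
ssh(1) forms: -D [bind_address:]port, -L [bind_address:]port:host:hostport; assumes no [::1]-style IPv6."""
from dataclasses import dataclass
from typing import Optional

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

@dataclass
class Forward:
    kind: str                     # "dynamic" (-D) or "local" (-L)
    bind_address: Optional[str]   # None when the spec gave no bind address
    port: int
    host: Optional[str] = None    # destination host, -L only
    hostport: Optional[int] = None

    def listens_on_loopback_only(self, gateway_ports=False):
        """Default binds loopback unless -g (GatewayPorts); '' or '*' binds all; 'localhost' stays loopback."""
        if self.bind_address is None:
            return not gateway_ports
        return self.bind_address in LOOPBACK

def parse_forward(flag, spec):
    """Parse the argument of -D or -L; raise ValueError for shapes this example does not cover."""
    parts = spec.split(":")
    if flag == "-D" and len(parts) == 1:
        return Forward("dynamic", None, int(parts[0]))
    if flag == "-D" and len(parts) == 2:
        return Forward("dynamic", parts[0], int(parts[1]))
    if flag == "-L" and len(parts) == 3:
        return Forward("local", None, int(parts[0]), parts[1], int(parts[2]))
    if flag == "-L" and len(parts) == 4:
        return Forward("local", parts[0], int(parts[1]), parts[2], int(parts[3]))
    raise ValueError(f"unsupported forwarding spec: {flag} {spec!r}")

def audit_ssh_argv(argv):
    """Return (kind, port, loopback_only) for each -D/-L in an ssh argv list.
    Accepts '-D 8080' and the joined form '-D8080'; a bare -g makes default listeners public."""
    gateway = "-g" in argv
    findings, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-D", "-L") and i + 1 < len(argv):
            fwd, i = parse_forward(arg, argv[i + 1]), i + 2
        elif arg[:2] in ("-D", "-L") and len(arg) > 2:
            fwd, i = parse_forward(arg[:2], arg[2:]), i + 1
        else:
            i += 1
            continue
        findings.append((fwd.kind, fwd.port, fwd.listens_on_loopback_only(gateway)))
    return findings
```

Run it against the tutorial's own `-L 9090:localhost:9090` and the 9090 listener is reported as loopback-only; add `-g` or a `*:` prefix and every other host on your network can reach the tunnel.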

Video Demonstration

The video tutorial Using SSH Tunnels With Oracle Linux 8 gives more examples for configuring different types of SSH tunnels. Note that while the lab exercises demonstrated SSH tunneling by using the Cockpit service, this video uses VNC and web services for its examples. Together they show how, through SSH port forwarding, you can access and make use of a remote system's services.

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.


For product documentation, visit Oracle Help Center.

Copyright © 2021, Oracle and/or its affiliates.

Configuring SSH on Oracle Linux

To set up the SSH server, install the openssh and openssh-server packages and enable the sshd service. Then, you can modify settings within the configuration files found in the /etc/ssh directory.

Installing OpenSSH Server and Enabling sshd

A default Oracle Linux installation includes the openssh and openssh-server packages, but the sshd service is not enabled by default.

If necessary, install or update the openssh and openssh-server packages, then start and enable the sshd service:

sudo dnf install openssh openssh-server
sudo systemctl start sshd
sudo systemctl enable sshd

You can set sshd configuration options for features such as Kerberos authentication, X11 forwarding, and port forwarding in the /etc/ssh/sshd_config file. For more information, see the sshd(8) and sshd_config(5) manual pages.

Modifying OpenSSH Server Configuration Files

To configure specific OpenSSH settings, modify the global configuration files in the /etc/ssh directory. These files include:

  • moduli: Contains key-exchange information that is used to set up a secure connection.
  • ssh_config: Contains default client configuration settings that can be overridden by the settings in a user's ~/.ssh/config file.
  • ssh_host_rsa_key: Contains the RSA private key for SSH2.
  • ssh_host_rsa_key.pub: Contains the RSA public key for SSH2.
  • sshd_config: Contains configuration settings for the sshd service.

You can configure other files in the /etc/ssh directory. For details, see the sshd(8) manual page.

For Oracle Linux 8 or later, files saved in the /etc/ssh/sshd_config.d directory override any settings defined in the /etc/ssh/sshd_config configuration file.

For more information, see the ssh_config(5), sshd(8), and sshd_config(5) manual pages.

Restricting Access to SSH Connections

The Secure Shell (SSH) allows protected, encrypted communications with other systems. Because SSH is an entry point into the system, disable SSH if it is not required. Alternatively, you can edit the /etc/ssh/sshd_config file to restrict its use.

After making changes to the configuration file, you must restart the sshd service for the changes to take effect.

Set PermitRootLogin to no to prohibit root from logging in with SSH. A user should instead elevate their privileges after logging in.

You can restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers, and DenyGroups settings, for example:

DenyUsers carol dan
AllowUsers alice bob

The ClientAliveInterval and ClientAliveCountMax settings cause an idle SSH client to be disconnected automatically after a period of inactivity, for example:

# Disconnect client after 300 seconds of inactivity
ClientAliveCountMax 0
ClientAliveInterval 300

Disable Password Authentication


The PasswordAuthentication and PubkeyAuthentication settings determine whether users are permitted to authenticate with a password or with an SSH public key. OpenSSH accepts user passwords for authentication by default, but once you have configured the more secure key-based authentication you can optionally disable password authentication:

PasswordAuthentication no
PubkeyAuthentication yes

For more information, see the sshd_config(5) manual page.
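To check a server against the settings discussed in this section, the following Python script (an added example, not Oracle's code) resolves the effective value of each keyword the way sshd does, including the Oracle Linux 8 sshd_config.d overrides described above, and reports which recommendations are missed. It works on a constructed in-memory file tree so that it runs anywhere; to audit real files, read them into the same dict.

```python
"""Resolve effective sshd settings across sshd_config and sshd_config.d, then audit them.
Added example, not Oracle's code. OpenSSH keeps the first value it reads for a keyword, so an
Include of sshd_config.d/*.conf at the top of sshd_config lets drop-ins override the main file.
Assumptions: Match blocks are skipped and Include patterns are absolute paths."""
import fnmatch

# Compiled-in OpenSSH defaults, used when a keyword is never set; then the page's recommended values.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "clientaliveinterval": "0"}
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no", "pubkeyauthentication": "yes"}

def effective_settings(files, start="/etc/ssh/sshd_config"):
    """files maps path -> text (an in-memory tree). Returns keyword -> first value seen,
    following Include globs in sorted order as sshd does."""
    seen = {}
    def walk(path):
        for raw in files.get(path, "").splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)           # 'Key=Value' syntax is not handled here
            key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            if key == "match":
                return                 # later lines are conditional: out of scope for a global audit
            if key == "include":
                for pattern in value.split():
                    for included in sorted(fnmatch.filter(files, pattern)):
                        walk(included)
                continue
            seen.setdefault(key, value)           # first value wins; later duplicates are ignored
    walk(start)
    return seen

def audit(settings):
    """Return (keyword, expected, actual) for each recommendation the effective config misses."""
    problems = []
    for key, want in EXPECTED.items():
        got = settings.get(key, DEFAULTS[key])
        if got.lower() != want:
            problems.append((key, want, got))
    # Idle disconnect needs a non-zero interval. Caveat: from OpenSSH 8.2, ClientAliveCountMax 0
    # disables termination rather than forcing it, so check that keyword against your version.
    interval = settings.get("clientaliveinterval", DEFAULTS["clientaliveinterval"])
    if not interval.isdigit() or int(interval) == 0:
        problems.append(("clientaliveinterval", "> 0", interval))
    return problems

# Constructed sample: the main file allows root and passwords; the drop-in, read first, tightens both.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin yes\n"
                            "PasswordAuthentication yes\nClientAliveInterval 300\nClientAliveCountMax 0\n",
    "/etc/ssh/sshd_config.d/50-hardening.conf": "PermitRootLogin no\nPasswordAuthentication no\n",
}
```

With the drop-in present the audit returns no findings; remove it and both PermitRootLogin and PasswordAuthentication are reported, which is exactly the override behaviour the section describes.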

Configuring the OpenSSH Server For User Access

User-specific configuration on the server side of a connection is in the $HOME/.ssh directory and usually contains the following files:

  • authorized_keys: Contains the authorized public keys for a user. The server uses the public keys in this file to authenticate a client.
  • environment: Contains definitions of environment variables. This file is optional.
  • rc: Contains commands that ssh runs when a user logs in, before the user's shell or command runs. This file is optional.

For more information, see the ssh(1) and ssh_config(5) manual pages.

Restricting SSH Key Access to Specific Commands

You can perform additional user-specific configuration on the server side of a connection by modifying the $HOME/.ssh/authorized_keys file. In addition to adding a list of SSH keys with which a user can authenticate, you can optionally impose additional restrictions on what that user can do with each of those keys.

For example, you can use the command option to configure all connections made with one key to just run a single command on the host and then immediately terminate:

command="command" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s...

By using the command option, security-conscious users can restrict system accesses available to a particular key that might be used for a scripted action and which may not be passphrase protected.

You can also ensure that the key is only accepted if the inbound connection originates from your internal network by using the from option to set a permitted range of IPv4 addresses. For example, to prevent any IP address outside the 192.0.2.0/24 range from connecting with an SSH key, you would append the following line to the $HOME/.ssh/authorized_keys file with the correct key value:

from="192.0.2.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s...

For more information, see the sshd(8) manual page.
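The from= and command= options above are the input to the following Python script, an added example rather than Oracle's code: it parses authorized_keys entries, including quoted option values that contain commas or spaces, and evaluates the from= rule for a given source address the way sshd does (a matching negated pattern denies; otherwise at least one positive pattern must match). The sample entry and its key material are constructed placeholders.

```python
"""Parse authorized_keys entries and evaluate their from= / command= restrictions.
Added example, not Oracle's code. Follows the sshd(8) AUTHORIZED_KEYS FILE FORMAT: optional
comma-separated options (quoted values may contain commas or spaces), then key type, key, comment."""
import fnmatch
import ipaddress
import re

# The options blob: a run of non-blank characters or double-quoted strings (backslash escapes allowed).
OPTIONS_RE = re.compile(r'^(?:[^\s"]|"(?:\\.|[^"\\])*")+')
# One option: name, optionally '=' and either a quoted string or a bare value up to the next comma.
OPTION_RE = re.compile(r'([A-Za-z][\w-]*)(?:=("(?:\\.|[^"\\])*"|[^,]*))?,?')

def parse_entry(line):
    """Return {'options', 'keytype', 'key', 'comment'} for one authorized_keys line."""
    line = line.strip()
    if line.startswith(("ssh-", "ecdsa-", "sk-")):      # no options: line begins with the key type
        opts_text, rest = "", line
    else:
        m = OPTIONS_RE.match(line)
        opts_text, rest = m.group(0), line[m.end():].lstrip()
    opts = {}
    for m in OPTION_RE.finditer(opts_text):
        value = m.group(2)
        if value is None:
            value = True                                 # flag option such as restrict or no-pty
        elif value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # drop quotes and backslash escapes
        opts[m.group(1).lower()] = value
    fields = rest.split(None, 2)
    return {"options": opts, "keytype": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}

def key_accepts(entry, source_ip):
    """Apply from= as sshd does: a matching negated ('!') pattern denies at once; otherwise at least
    one positive pattern must match. CIDR patterns are checked with ipaddress, others as globs."""
    patterns = entry["options"].get("from")
    if patterns is None:
        return True                                      # no from= restriction on this key
    addr, allowed = ipaddress.ip_address(source_ip), False
    for pat in patterns.split(","):
        negate, pat = pat.startswith("!"), pat.lstrip("!")
        if "/" in pat:
            hit = addr in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatch.fnmatchcase(source_ip, pat)
        if hit and negate:
            return False
        allowed = allowed or hit
    return allowed

# Constructed sample in the style of the page's example; the key data is a placeholder, not a real key.
SAMPLE = ('from="192.0.2.0/24,!192.0.2.13",command="/usr/local/bin/backup.sh" '
          'ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_NOT_A_REAL_KEY backup@ol8-server')
```

Feeding each line of a real authorized_keys file through parse_entry and checking for a command= or restrict option is a quick way to find unrestricted automation keys of the kind the text warns about.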

Good Practice Recommendations for Configuring OpenSSH Server

Oracle recommends that you follow these guidelines to secure your OpenSSH configuration against the most common remote exploits:

  • You should disable remote root user logins over SSH.
  • After you have correctly configured key based authentication, you should disable SSH password authentication.
  • Consider setting a non-standard SSH port for Internet-facing systems.
