Controlling System Services: Objectives

The document discusses controlling system services and daemons using systemctl commands. It describes starting and stopping services, checking service status, enabling and disabling services to start at boot, and setting service dependencies.

Uploaded by

Robin Li
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
39 views

Controlling System Services: Objectives

The document discusses controlling system services and daemons using systemctl commands. It describes starting and stopping services, checking service status, enabling and disabling services to start at boot, and setting service dependencies.

Uploaded by

Robin Li
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 34

Chapter 8. Controlling Services and Daemons

Controlling System Services

Objectives

After completing this section, students should be able to control system daemons and network services using systemctl.

Starting and stopping system daemons on a running system

Changes to a configuration file or other updates to a service may require that the service be restarted. A service that is no longer used may be stopped before removing the software. A service that is not frequently used may be manually started by an administrator only when it is needed.

In this example, please follow along with the next steps while your instructor demonstrates managing services on a running system.

1. View the status of a service.

[root@serverX ~]# systemctl status sshd.service

2. Verify that the process is running.

[root@serverX ~]# ps -up PID

3. Stop the service and verify the status.

[root@serverX ~]# systemctl stop sshd.service
[root@serverX ~]# systemctl status sshd.service

4. Start the service and view the status. The process ID has changed.

[root@serverX ~]# systemctl start sshd.service
[root@serverX ~]# systemctl status sshd.service

5. Stop, then start, the service in a single command.

[root@serverX ~]# systemctl restart sshd.service
[root@serverX ~]# systemctl status sshd.service

6. Issue instructions for a service to read and reload its configuration file without a complete stop and start. The process ID will not change.

[root@serverX ~]# systemctl reload sshd.service
[root@serverX ~]# systemctl status sshd.service

202 RH124-RHEL7-en-1-20140606

Unit dependencies

Services may be started as dependencies of other services. If a socket unit is enabled and the service unit with the same name is not, the service will automatically be started when a request is made on the network socket. Services may also be triggered by path units when a file system condition is met. For example, a file placed into the print spool directory will cause the cups print service to be started if it is not running.

[root@serverX ~]# systemctl stop cups.service
Warning: Stopping cups, but it can still be activated by:
  cups.path
  cups.socket

To completely stop printing services on a system, stop all three units. Disabling the service will disable the dependencies.

The systemctl list-dependencies UNIT command can be used to print out a tree of what other units must be started if the specified unit is started. Depending on the exact dependency, the other unit may need to be running before or after the specified unit starts. The --reverse option to this command will show what units need to have the specified unit started in order to run.

Masking services

At times, a system may have conflicting services installed. For example, there are multiple methods to manage networks (network and NetworkManager) and firewalls (iptables and firewalld). To prevent an administrator from accidentally starting a service, that service may be masked. Masking will create a link in the configuration directories so that if the service is started, nothing will happen.

[root@serverX ~]# systemctl mask network
ln -s '/dev/null' '/etc/systemd/system/network.service'
[root@serverX ~]# systemctl unmask network
rm '/etc/systemd/system/network.service'
-
Important

A disabled service will not be started automatically at boot or by other unit files, but can be started manually. A masked service cannot be started manually or automatically.
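As an added example (not part of the course text), the following POSIX shell script shows how an administrator would check the unit-dependency and masking behaviour just described before trusting that a service is really off: it reads the unit-file states systemd reports, lists the socket/path units that could re-activate a stopped service, and tells disabled apart from masked. The unit-file table it reads is a constructed sample; on a real host it would come from `systemctl list-unit-files`.

```shell
#!/bin/sh
# Added example, not from the course text. Audits what can still start a service
# after an administrator stops or disables it, using unit-file states.
# Constructed sample of `systemctl list-unit-files` output, not captured from a
# real host; on a live system feed the real output in instead.
UNIT_FILES='UNIT FILE           STATE
cups.service        enabled
cups.socket         enabled
cups.path           enabled
sshd.service        enabled
chronyd.service     disabled
network.service     masked
firewalld.service   enabled

7 unit files listed.'

# unit_state UNIT: enablement state of one unit file, or "absent" if not listed.
unit_state() {
    state=$(printf '%s\n' "$UNIT_FILES" | awk -v u="$1" '$1 == u { print $2; exit }')
    printf '%s\n' "${state:-absent}"
}

# activators NAME: enabled socket/path/timer units sharing NAME that can start
# NAME.service again on their own (the "can still be activated by" warning).
activators() {
    printf '%s\n' "$UNIT_FILES" |
        awk -v b="$1" '$2 == "enabled" && $1 ~ ("^" b "\\.(socket|path|timer)$") { print $1 }' |
        tr '\n' ' ' | sed 's/ $//'
}

# stop_plan NAME: every unit that must be stopped so nothing re-activates the service.
stop_plan() {
    printf '%s\n' "$1.service $(activators "$1")" | sed 's/ $//'
}

# startable NAME: how NAME.service can still come up, judged from its unit-file state.
#   masked   -> neither manually nor automatically (unit file linked to /dev/null)
#   disabled -> manually only; no links in the systemd configuration directories
#   enabled  -> at boot and manually
startable() {
    case "$(unit_state "$1.service")" in
        masked)   echo "masked: cannot be started manually or automatically" ;;
        disabled) echo "disabled: can be started manually, not at boot" ;;
        enabled)  echo "enabled: starts at boot and can be started manually" ;;
        *)        echo "absent: no unit file" ;;
    esac
}

# report: one line per service with its state and the full set of units to stop.
report() {
    for n in cups sshd chronyd network; do
        printf '%-10s %s\n' "$n" "$(startable "$n")"
        printf '%-10s stop all of: %s\n' '' "$(stop_plan "$n")"
    done
}

report
```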

Enabling system daemons to start or stop at boot

Starting a service on a running system does not guarantee that the service will be started when the system reboots. Similarly, stopping a service on a running system will not keep it from starting again when the system reboots. Services are started at boot time when links are created in the appropriate systemd configuration directories. These links are created and removed with systemctl commands.

In this example, please follow along with the next steps while your instructor demonstrates enabling and disabling services.

1. View the status of a service.

[root@serverX ~]# systemctl status sshd.service

2. Disable the service and verify the status. Note that disabling a service does not stop the service.

[root@serverX ~]# systemctl disable sshd.service
[root@serverX ~]# systemctl status sshd.service

3. Enable the service and verify the status.

[root@serverX ~]# systemctl enable sshd.service
[root@serverX ~]# systemctl is-enabled sshd.service

Summary of systemctl commands

Services can be started and stopped on a running system and enabled or disabled for automatic start at boot time.

Task                                                              Command
View detailed information about a unit state.                     systemctl status UNIT
Stop a service on a running system.                               systemctl stop UNIT
Start a service on a running system.                              systemctl start UNIT
Restart a service on a running system.                            systemctl restart UNIT
Reload configuration file of a running service.                   systemctl reload UNIT
Completely disable a service from being started,                  systemctl mask UNIT
both manually and at boot.
Make a masked service available.                                  systemctl unmask UNIT
Configure a service to start at boot time.                        systemctl enable UNIT
Disable a service from starting at boot time.                     systemctl disable UNIT
List units which are required and wanted by the specified unit.   systemctl list-dependencies UNIT

References

systemd(1), systemd.unit(5), systemd.service(5), systemd.socket(5), and systemctl(1) man pages

Additional information may be available in the chapter on managing services with systemd in the Red Hat Enterprise Linux System Administrator's Guide for Red Hat Enterprise Linux 7, which can be found at
http://docs.redhat.com/

Practice: Using systemctl to Manage Services
Guided exercise

In this lab, you will manage a service unit that is already installed on the system.

Outcomes:
The chronyd service is disabled and no longer running on the system.

Before you begin...
Reset your serverX system.

1. Observe the results of systemctl restart and systemctl reload commands.

1.1. Display the status of the sshd service. Note the process ID of the daemon.

[student@serverX ~]$ sudo systemctl status sshd

1.2. Restart the sshd service and view the status. The process ID of the daemon has changed.

[student@serverX ~]$ sudo systemctl restart sshd
[student@serverX ~]$ sudo systemctl status sshd

1.3. Reload the sshd service and view the status. The process ID of the daemon has not changed and connections have not been interrupted.

[student@serverX ~]$ sudo systemctl reload sshd
[student@serverX ~]$ sudo systemctl status sshd

2. Verify that the chronyd service is running.

[student@serverX ~]$ sudo systemctl status chronyd

3. Stop the chronyd service and view the status.

[student@serverX ~]$ sudo systemctl stop chronyd
[student@serverX ~]$ sudo systemctl status chronyd

4. Determine if the chronyd service is enabled to start at system boot.

[student@serverX ~]$ sudo systemctl is-enabled chronyd

5. Reboot the system, then view the status of the chronyd service.

[student@serverX ~]$ sudo systemctl status chronyd

6. Disable the chronyd service so that it does not start at system boot, then view the status of the service.

[student@serverX ~]$ sudo systemctl disable chronyd
[student@serverX ~]$ sudo systemctl status chronyd

7. Reboot the system, then view the status of the chronyd service.

[student@serverX ~]$ sudo systemctl status chronyd

Lab: Controlling Services and Daemons
Performance checklist

In this lab, you will manage a service unit that is already installed on the system.

Outcomes:
The psacct service is enabled and running on the system, and the rsyslog service is disabled and no longer running on the system.

Before you begin...
Reset your serverX system.
1. Start the psacct service.

2. Configure the psacct service so that it starts at system boot.

3. Stop the rsyslog service.

4. Configure the rsyslog service so that it does not start at system boot.

5. Reboot the system, then run lab services grade to verify the configuration.
Solution

In this lab, you will manage a service unit that is already installed on the system.

Outcomes:
The psacct service is enabled and running on the system, and the rsyslog service is disabled and no longer running on the system.

Before you begin...
Reset your serverX system.
1. Start the psacct service.

[student@serverX ~]$ sudo systemctl start psacct
[student@serverX ~]$ sudo systemctl status psacct
2. Configure the psacct service so that it starts at system boot.

[student@serverX ~]$ sudo systemctl enable psacct
[student@serverX ~]$ sudo systemctl status psacct

3. Stop the rsyslog service.

[student@serverX ~]$ sudo systemctl stop rsyslog
[student@serverX ~]$ sudo systemctl status rsyslog

4. Configure the rsyslog service so that it does not start at system boot.

[student@serverX ~]$ sudo systemctl disable rsyslog
[student@serverX ~]$ sudo systemctl status rsyslog
5. Reboot the system, then run lab services grade to verify the configuration.

[student@serverX ~]$ lab services grade


Summary

Identifying Automatically Started System Processes
Determine the status of system daemons and network services started by systemd.

Controlling System Services
Start, stop, and enable services using systemctl.


CHAPTER 9

CONFIGURING AND SECURING OPENSSH SERVICE

Overview

Goal: To configure secure command-line access on remote systems using OpenSSH.

Objectives:
• Log into a remote system using ssh to run commands from a shell prompt.
• Set up ssh to allow secure password-free logins by using a private authentication key file.
• Customize sshd configuration to restrict direct logins as root or to disable password-based authentication.

Sections:
• Accessing the Remote Command Line with SSH (and Practice)
• Configuring SSH Key-based Authentication (and Practice)
• Customizing SSH Service Configuration (and Practice)

Lab:
• Configuring and Securing OpenSSH Service


Accessing the Remote Command Line with SSH

Objective

After completing this section, students should be able to log in to a remote system using ssh to run commands from a shell prompt.

What is the OpenSSH secure shell (SSH)?

The term OpenSSH refers to the software implementation of the Secure Shell software used in the system. The OpenSSH Secure Shell, ssh, is used to securely run a shell on a remote system. If you have a user account on a remote Linux system providing SSH services, ssh is the command normally used to remotely log into that system. The ssh command can also be used to run an individual command on a remote system.

Secure Shell examples

Here are some examples of ssh command syntax for remote login and remote execution:

• Create a remote interactive shell as the current user, then return to your previous shell when done with the exit command.

[student@host ~]$ ssh remotehost
student@remotehost's password:
[student@remotehost ~]$ exit
Connection to remotehost closed.
[student@host ~]$

• Connect to a remote shell as a different user (remoteuser) on a selected host (remotehost):

[student@host ~]$ ssh remoteuser@remotehost
remoteuser@remotehost's password:
[remoteuser@remotehost ~]$

• Execute a single command (hostname) on a remote host (remotehost) and as a remote user (remoteuser) in a way that returns the output to the local display:

[student@host ~]$ ssh remoteuser@remotehost hostname
remoteuser@remotehost's password:
remotehost.example.com
[student@host ~]$
The w command displays a list of users currently logged in to the computer. This is especially useful to show which users are logged in using ssh from which remote locations, and what they are doing.

[student@host ~]$ w -f
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
student  tty1     :0                Wed08   2days  1:52m  0.07s pam: gdm-passwo
root     tty6                       12:33   4:14m 16.27s 15.74s -bash
student  pts/0    :0.0              Wed08    5:11  1.63s  1.60s /usr/bin/gnome-
student  pts/1    :0.0              Wed08   43:44 14.48s 13.81s vim hello.c
student  pts/3    :0.0              Wed14   0.00s  0.06s  0.06s w
visitor  pts/6    server2.example.  09:22    3:14  0.02s  0.02s -bash

In this example, user student logged in on virtual console 1 (tty1) through the graphical login (:0) at about 08:00 on Wednesday. User student currently has three pseudo-terminals open (pts/0, pts/1, and pts/3) started by the graphical environment; these are almost certainly terminal windows. In one window, student is editing hello.c. User root is logged in on virtual console 6, starting at 12:33 today. User visitor logged in on pseudo-terminal 6 at 09:22 today from the host server2.example.com (note that the name has been truncated), probably using ssh, and has been sitting idle at a shell prompt for three minutes and 14 seconds.

SSH host keys

SSH secures communication through public-key encryption. When an ssh client connects to an SSH server, before the client logs in, the server sends it a copy of its public key. This is used to set up the secure encryption for the communication channel and to authenticate the server to the client.

The first time a user uses ssh to connect to a particular server, the ssh command stores the server's public key in the user's ~/.ssh/known_hosts file. Every time the user connects after that, the client makes sure it gets the same public key from the server by comparing the server's entry in the ~/.ssh/known_hosts file to the public key the server sent. If the keys do not match, the client assumes that the network traffic is being hijacked or that the server has been compromised, and breaks the connection.

This means that if a server's public key is changed (because the key was lost due to hard drive failure, or replaced for some legitimate reason), users will need to update their ~/.ssh/known_hosts files and remove the old entry in order to log in.

• Host IDs are stored in ~/.ssh/known_hosts on your local client system:

$ cat ~/.ssh/known_hosts
remotehost,192.168.0.101 ssh-rsa AAAAB3Nzac...

• Host keys are stored in /etc/ssh/ssh_host_key* on the SSH server.

$ ls /etc/ssh/*key*
ssh_host_dsa_key      ssh_host_key      ssh_host_rsa_key
ssh_host_dsa_key.pub  ssh_host_key.pub  ssh_host_rsa_key.pub

Note

An even better approach is to add entries matching a server's ssh_host_*key.pub files to user ~/.ssh/known_hosts or the system-wide /etc/ssh/ssh_known_hosts in advance when the public keys change. See ssh-copy-id(1) for an advanced way to manage SSH keys.
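As an added example (not from the course), this POSIX shell script reproduces the known_hosts comparison the client performs on every connection, and the narrower per-host removal that is preferable to deleting the whole file when one host's key has legitimately changed. The known_hosts content and key strings are constructed placeholders, not real keys; hashed entries (HashKnownHosts yes) are not handled.

```shell
#!/bin/sh
# Added example, not from the course text. Mimics the client-side known_hosts
# check: look up the recorded key for a host and compare it with the key the
# server presented. Constructed sample known_hosts content with placeholder keys.
# Hashed entries (HashKnownHosts yes) are deliberately not handled.
KNOWN_HOSTS='remotehost,192.168.0.101 ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEoldkey
# a comment line is ignored by ssh and by this check
serverX.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEserverkey'

# recorded_key HOST KEYTYPE: the key stored for HOST with that key type, if any.
# The first field may list several names (hostname,IP) separated by commas.
recorded_key() {
    printf '%s\n' "$KNOWN_HOSTS" | awk -v h="$1" -v t="$2" '
        /^#/ || NF < 3 { next }
        $2 == t {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { print $3; exit }
        }'
}

# known_host_check HOST KEYTYPE PRESENTED_KEY -> unknown | match | mismatch
#   unknown  : first contact; ssh asks whether to accept, then records the key
#   match    : the server holds the key recorded at an earlier connection
#   mismatch : the recorded key differs; ssh refuses, because the traffic may be
#              hijacked, the server compromised, or the host legitimately reinstalled
known_host_check() {
    stored=$(recorded_key "$1" "$2")
    if [ -z "$stored" ]; then
        echo unknown
    elif [ "$stored" = "$3" ]; then
        echo match
    else
        echo mismatch
    fi
}

# forget_host HOST: known_hosts content with only HOST's entries removed, the
# narrower remedy for a legitimately changed key than deleting the whole file.
forget_host() {
    printf '%s\n' "$KNOWN_HOSTS" | awk -v h="$1" '
        /^#/ || NF < 3 { print; next }
        {
            n = split($1, names, ","); keep = 1
            for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
            if (keep) print
        }'
}
```

On a real system `ssh-keygen -R hostname` performs the same per-host removal from ~/.ssh/known_hosts.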

References

Additional information may be available in the chapter on using the ssh utility in the Red Hat Enterprise Linux System Administrator's Guide for Red Hat Enterprise Linux 7, which can be found at
http://docs.redhat.com/

ssh(1), w(1), and hostname(1) man pages

Practice: Accessing the Remote Command Line

Guided exercise

In this lab, students will log into a remote system as different users and execute commands.

Outcomes:
Students will log into a remote system and execute commands with the OpenSSH secure shell.

1. Log in as student on your desktopX machine.

2. ssh to your serverX machine. Accept the host key if asked. The host key is recorded on our local machine to identify the remote machine. The ssh command will fail to execute properly if the remote ssh host appears to have a different key than the recorded host key. The host key records are stored in the known_hosts file in the .ssh directory in the user's home directory on the local system.

[student@desktopX ~]$ ssh student@serverX
The authenticity of host 'serverX (172.25.X.11)' can't be established.
ECDSA key fingerprint is 47:bf:82:cd:fa:68:06:ee:d8:83:03:1a:bb:29:14:a3.
Are you sure you want to continue connecting (yes/no)? yes
student@serverX's password: student

3. Run the w command. The output of the w clearly indicates we have logged in as user student from desktopX.

[student@serverX ~]$ w -f
 11:01:23 up 1 day, 19:10,  1 user,  load average: 0, 0, 0
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
student  pts/1    desktopX          11:01    0.00s  0.12s  0.09s w
4. Execute the exit command to terminate the secure shell connection.

[student@serverX ~]$ exit
[student@desktopX ~]$
5. This time, ssh to your serverX machine as user root.

[student@desktopX ~]$ ssh root@serverX
root@serverX's password: redhat
[root@serverX ~]#
6. Run the w command again. This time, the output of the w shows the active connection to the root user account from desktopX.

[root@serverX ~]# w -f
 11:01:23 up 1 day, 19:10,  1 user,  load average: 0, 0, 0
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/2    desktopX          11:09    0.00s  0.13s  0.08s w

7. Run the exit to terminate the secure shell connection.

[root@serverX ~]# exit
[student@desktopX ~]$
8. There are different reasons why a remote host might have legitimately changed its host key. One common reason is when the remote machine is replaced because of hardware failure, or reinstalled. Usually, it is advisable to only remove the key entry for the particular host in the known_hosts. In this case, there is only one host entry in the known_hosts, so it can be removed completely. Remove the known_hosts file for the user student.

[student@desktopX ~]$ rm ~/.ssh/known_hosts

9. ssh to serverX as root again. Accept the key, log in, and then exit the session.

[student@desktopX ~]$ ssh root@serverX
The authenticity of host 'serverX (::1)' can't be established.
ECDSA key fingerprint is 47:bf:82:cd:fa:68:06:ee:d8:83:03:1a:bb:29:14:a3.
Are you sure you want to continue connecting (yes/no)? yes
root@serverX's password: redhat
[root@serverX ~]# exit
[student@desktopX ~]$

10. Use ssh non-interactively to run the hostname command on serverX as root.

[student@desktopX ~]$ ssh root@serverX hostname
root@serverX's password: redhat
serverX.example.com

Configuring SSH Key-based Authentication

Objective

After completing this section, students should be able to set up SSH to allow secure logins without passwords by using a private authentication key file.

SSH key-based authentication

Users can authenticate ssh logins without a password by using public key authentication. ssh allows users to authenticate using a private-public key scheme. This means that two keys are generated, a private key and a public key. The private key file is used as the authentication credential, and like a password, must be kept secret and secure. The public key is copied to systems the user wants to log into, and is used to verify the private key. The public key does not need to be secret. An SSH server that has the public key can issue a challenge that can only be answered by a system holding your private key. As a result, you can authenticate using the presence of your key. This allows you to access systems in a way that doesn't require typing a password every time, but is still secure.

Key generation is done using the ssh-keygen command. This generates the private key ~/.ssh/id_rsa and the public key ~/.ssh/id_rsa.pub.

Note

During key generation, there is the option to specify a passphrase which must be provided in order to access your private key. In the event the private key is stolen, it is very difficult for someone other than the issuer to use it when protected with a passphrase. This adds enough of a time buffer to make a new key pair and remove all references to the old keys before the private key can be used by an attacker who has cracked it.

It is always wise to passphrase-protect the private key since the key allows access to other machines. However, this means the passphrase must be entered whenever the key is used, making the authentication process no longer password-less. This can be avoided using ssh-agent, which can be given your passphrase once at the start of the session (using ssh-add), so it can provide the passphrase as needed while you stay logged in.

For additional information on the ssh-agent command, consult the Red Hat System Administration Guide, Chapter 8.2.4.2.: Configuring ssh-agent.
Once the SSH keys have been generated, they are stored by default in the .ssh/ directory of your home directory. Permissions should be 600 on the private key and 644 on the public key.

Before key-based authentication can be used, the public key needs to be copied to the destination system. This can be done with ssh-copy-id.

[student@desktopX ~]$ ssh-copy-id root@desktopY

When the key is copied to another system using ssh-copy-id, it copies the ~/.ssh/id_rsa.pub file by default.

SSH key demonstration

• Use ssh-keygen to create a public-private key pair.

[student@desktopX ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_rsa): Enter
Created directory '/home/student/.ssh'.
Enter passphrase (empty for no passphrase): redhat
Enter same passphrase again: redhat
Your identification has been saved in /home/student/.ssh/id_rsa.
Your public key has been saved in /home/student/.ssh/id_rsa.pub.
The key fingerprint is:
a4:49:cf:fb:ac:ab:c8:ce:45:33:f2:ad:69:7b:d2:5a student@desktopX.example.com
The key's randomart image is:
+--[ RSA 2048]----+
[randomart image not reproduced]
+-----------------+

• Use ssh-copy-id to copy the public key to the correct location on a remote system. For example:

[student@desktopX ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@serverX.example.com

References

Additional information may be available in the chapter on using key-based authentication in the Red Hat Enterprise Linux System Administrator's Guide for Red Hat Enterprise Linux 7, which can be found at
http://docs.redhat.com/

ssh-keygen(1), ssh-copy-id(1), ssh-agent(1), ssh-add(1) man pages

Practice: Using SSH Key-based Authentication

Guided exercise

In this lab, you will set up SSH key-based authentication.

Outcomes:
Students will set up SSH user key-based authentication to initiate SSH connections.

1. Create an SSH key pair as student on desktopX using no passphrase.

[student@desktopX ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_rsa): Enter
Created directory '/home/student/.ssh'.
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter
Your identification has been saved in /home/student/.ssh/id_rsa.
Your public key has been saved in /home/student/.ssh/id_rsa.pub.

2. Send the SSH public key to the student account on serverX.

[student@desktopX ~]$ ssh-copy-id serverX
The authenticity of host 'serverX (172.25.X.11)' can't be established.
ECDSA key fingerprint is 33:fa:a1:3c:98:30:ff:f6:d4:99:00:4e:7f:84:3e:c3.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
student@serverX's password: student

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'student@serverX'"
and check to make sure that only the key(s) you wanted were added.

- D 3. R u n the hos t n ame c o m m a n d by u s i n g s s h to d is p l a y the host n a m e of t h e


serverX.exa m p l e.com m a c h i n e without t h e n e e d to e n t e r a password.

[student@desktopX -]$
serverX . example . com
- s s h serverX ' ho s t name '
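The last line of the ssh-copy-id output asks you to check that only the key(s) you wanted were added. One way to do that check, as an added example (not part of the course and not OpenSSH's code), is to parse the remote ~/.ssh/authorized_keys, compute each entry's fingerprint in both the MD5 colon form that OpenSSH 6.6 prints (the form seen in the output above) and the SHA256 form printed by OpenSSH 6.8 and later, and report anything that is not in the set you installed. The key lines below are constructed from filler bytes purely so the parser has input; they are not real keys:

```python
"""Check that a remote authorized_keys file holds only the keys you installed.

Added example, not part of the course text or of OpenSSH. Each entry is
parsed, its fingerprint is computed in both the MD5 colon form printed by
OpenSSH 6.6 (as in the ssh-copy-id output above) and the SHA256 form printed
by OpenSSH 6.8 and later, and entries not in the expected set are reported.
The key lines used here are built from filler bytes so the parser has input;
they are not real keys.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one wire-format string at offset; returns (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def fingerprint_sha256(blob: bytes) -> str:
    """'SHA256:' + base64(sha256(blob)) without '=' padding, as ssh-keygen -lf prints it."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 hex form (OpenSSH 6.6, e.g. 33:fa:a1:...)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_authorized_key(line: str):
    """Parse one authorized_keys line into (options, key_type, blob, comment).

    Returns None for blank and comment lines. An optional options field may
    precede the key type (e.g. from="10.0.0.5",no-pty), so the key type is
    found by its prefix rather than by position. Options containing quoted
    spaces are not handled by this simple split.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1], validate=True)
            # The blob's first field repeats the key type; a mismatch means a
            # corrupted or hand-edited line.
            embedded_type, _ = read_ssh_string(blob)
            if embedded_type != tok.encode():
                raise ValueError("key type mismatch in %r" % line)
            return " ".join(tokens[:i]), tok, blob, " ".join(tokens[i + 2:])
    raise ValueError("no key found in %r" % line)


def unexpected_keys(authorized_keys_text: str, expected_pub_lines) -> list:
    """Return (sha256_fp, md5_fp, key_type, comment) for keys not in expected_pub_lines."""
    expected = {fingerprint_sha256(parse_authorized_key(l)[2]) for l in expected_pub_lines}
    found = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_authorized_key(line)
        if parsed is None:
            continue
        sha = fingerprint_sha256(parsed[2])
        if sha not in expected:
            found.append((sha, fingerprint_md5(parsed[2]), parsed[1], parsed[3]))
    return found


def make_sample_key(key_type: str, filler: int, comment: str) -> str:
    """Build a syntactically valid public-key line from filler bytes (not a real key)."""
    blob = ssh_string(key_type.encode()) + ssh_string(bytes([filler]) * 32)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


# Constructed sample: the key installed with ssh-copy-id plus one nobody asked for.
MY_KEY = make_sample_key("ssh-ed25519", 1, "student@desktopX")
STRAY_KEY = make_sample_key("ssh-ed25519", 2, "unknown@elsewhere")
SAMPLE_AUTHORIZED_KEYS = ("# constructed sample ~/.ssh/authorized_keys\n"
                          + MY_KEY + "\n"
                          + 'from="10.0.0.5",no-pty ' + STRAY_KEY + "\n")

if __name__ == "__main__":
    for sha, md5, key_type, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, [MY_KEY]):
        print("unexpected %s key %s (%s) %s" % (key_type, sha, md5, comment))
```

On a real system you would feed it the contents of ~/.ssh/authorized_keys on serverX and the line from ~/.ssh/id_rsa.pub on desktopX; comparing fingerprints rather than whole lines means a key that was re-added with different options or a changed comment is still recognised as yours.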


Chapter 9. Configuring and Securing OpenSSH Service

Customizing SSH Service Configuration

Objective
After completing this section, students should be able to customize sshd configuration to restrict direct logins as root or to disable password-based authentication.

The OpenSSH server configuration file
While OpenSSH server configuration usually does not require modification, additional security measures are available.

Various aspects of the OpenSSH server can be modified in the configuration file /etc/ssh/sshd_config.

Prohibit the root user from logging in using SSH
From a security standpoint, it is advisable to prohibit the root user from directly logging into the system with ssh.
• The user name root exists on every Linux system by default, so a potential attacker only has to guess the password, instead of a valid user name and password combination.
• The root user has unrestricted privileges.

The OpenSSH server has an internal configuration file setting to prohibit a system login as user root, which is commented out by default in the /etc/ssh/sshd_config file:

#PermitRootLogin yes

By enabling the previous option in the /etc/ssh/sshd_config configuration file as follows, the root user will be unable to log into the system using the ssh command after the sshd service has been restarted:

PermitRootLogin no

The sshd service has to be restarted to put the changes into effect:

[root@serverX ~]# systemctl restart sshd

Another option is to only allow key-based ssh login as root with:

PermitRootLogin without-password

Prohibit password authentication using SSH
Only allowing key-based logins to the remote command line has various advantages:
• SSH keys are longer than an average password, which adds security.
• Less effort to initiate remote shell access after the initial setup.

There is an option in the /etc/ssh/sshd_config configuration file which turns on password authentication by default:

PasswordAuthentication yes

To prevent password authentication, the PasswordAuthentication option has to be set to no and the sshd service needs to be restarted:

PasswordAuthentication no

Keep in mind that whenever you change the /etc/ssh/sshd_config file, the sshd service has to be restarted:

[root@serverX ~]# systemctl restart sshd
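The effective value of a keyword is not always the last line you added: sshd_config(5) uses the first occurrence of each keyword and ignores later duplicates, so appending PasswordAuthentication no below the shipped PasswordAuthentication yes line leaves password logins enabled. The following Python script is an added example, not code from the course or from OpenSSH; it resolves the two settings discussed in this section the way sshd does, over a constructed sample configuration. The DEFAULTS table it assumes reflects OpenSSH 6.x as shipped with Red Hat Enterprise Linux 7, where PermitRootLogin defaults to yes; later OpenSSH releases default it to prohibit-password and keep without-password as an alias:

```python
"""Resolve sshd_config settings the way sshd does and check the two hardening
options from this section.

Added example, not part of the course text or of OpenSSH. The configuration
text below is a constructed sample, not the real /etc/ssh/sshd_config.
"""


def effective_settings(config_text: str) -> dict:
    """Return {keyword_lowercase: value} for the global section of sshd_config.

    Rules applied (from sshd_config(5)): comment and blank lines are ignored,
    keywords are case-insensitive, 'Keyword value' and 'Keyword=value' are both
    accepted, and for each keyword the FIRST occurrence wins. Scanning stops at
    the first 'Match' line because settings after it are conditional.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if "=" in head:                      # Keyword=value
            keyword, value = line.split("=", 1)
        else:                                # Keyword value  or  Keyword = value
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            keyword, value = parts
            if value.startswith("="):
                value = value[1:]
        keyword, value = keyword.strip().lower(), value.strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


# Values this section tells you to set.
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Assumed built-in defaults when a keyword is absent or commented out:
# OpenSSH 6.x as shipped with RHEL 7 (later releases default PermitRootLogin
# to prohibit-password, keeping without-password as an alias).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def hardening_findings(config_text: str) -> list:
    """Return one finding per setting that is not enforced; an empty list means both are."""
    effective = effective_settings(config_text)
    findings = []
    for keyword, wanted in EXPECTED.items():
        actual = effective.get(keyword, DEFAULTS[keyword])
        if actual.lower() != wanted:
            findings.append("%s is %r (effective), expected %r" % (keyword, actual, wanted))
    return findings


# Constructed sample: someone appended the two hardening lines at the end of the
# shipped file, which still contains an uncommented 'PasswordAuthentication yes'.
SAMPLE_BEFORE = """\
# constructed sample sshd_config, not a real file
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no
PasswordAuthentication no
Match User visitor
    PasswordAuthentication no
"""

# The same file after the original 'PasswordAuthentication yes' line was edited.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("PasswordAuthentication yes",
                                     "PasswordAuthentication no", 1)

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        findings = hardening_findings(text)
        print(label + ":", findings or ["both settings enforced"])
```

Before restarting, sshd -t checks the file for syntax errors and sshd -T prints the configuration sshd will actually use, so a mistake can be caught while the old sshd is still serving your existing session rather than after it has locked you out.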

References
ssh(1), sshd_config(5) man pages

Practice: Restricting SSH Logins

Guided exercise
In this lab, you will enable additional security features in OpenSSH.

Outcomes:
Prohibit direct SSH login as root on serverX; prohibit users from using passwords to log in through SSH to serverX; public key authentication should still be allowed for regular users.

Before you begin...
Reset the desktopX and serverX systems.

Run lab ssh setup on both desktopX and serverX. This will create a user account called visitor with a password of password.

[student@desktopX ~]$ lab ssh setup
[student@serverX ~]$ lab ssh setup

1. Generate SSH keys on desktopX, copy the public key to the student account on serverX, and verify that the keys are working.

1.1. Generate the SSH keys on desktopX.

[student@desktopX ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_rsa): Enter
Created directory '/home/student/.ssh'.
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter
Your identification has been saved in /home/student/.ssh/id_rsa.
Your public key has been saved in /home/student/.ssh/id_rsa.pub.

1.2. Copy the SSH public key to the student account on serverX.

[student@desktopX ~]$ ssh-copy-id serverX
The authenticity of host 'serverX (172.25.X.11)' can't be established.
ECDSA key fingerprint is 33:fa:a1:3c:98:30:ff:f6:d4:99:00:4e:7f:84:3e:c3.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
student@serverX's password: student

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'student@serverX'"
and check to make sure that only the key(s) you wanted were added.

1.3. Verify that key-based SSH authentication is working for user student on serverX.

[student@desktopX ~]$ ssh student@serverX
[student@serverX ~]$

2. Log into the serverX machine and obtain superuser privileges.

[student@desktopX ~]$ ssh student@serverX
[student@serverX ~]$ su -
Password: redhat
[root@serverX ~]#

3. Configure SSH on serverX to prevent root logins.

3.1. As user root, edit /etc/ssh/sshd_config on serverX so that "PermitRootLogin" is uncommented and set to "no."

PermitRootLogin no

3.2. Restart the SSH service on the serverX machine.

[root@serverX ~]# systemctl restart sshd

3.3. Confirm that root cannot log in with SSH, but student is permitted to log in.

[student@desktopX ~]$ ssh root@serverX
Password: redhat
Permission denied, please try again.
Password: redhat
Permission denied, please try again.
Password: redhat
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)

[student@desktopX ~]$ ssh student@serverX
[student@serverX ~]$

4. Configure SSH on serverX to prevent password authentication.

4.1. Edit the configuration file /etc/ssh/sshd_config as user root so that the "PasswordAuthentication" entry is set to "no":

PasswordAuthentication no

4.2. Restart the SSH service.

[root@serverX ~]# systemctl restart sshd

4.3. Confirm that visitor cannot log in using a password, but student is permitted to log in using the SSH keys created earlier.

[student@desktopX ~]$ ssh visitor@serverX
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

[student@desktopX ~]$ ssh student@serverX
[student@serverX ~]$

Lab: Configuring and Securing OpenSSH Service

Performance checklist
In this lab, you will add security measures to the ssh service.

Outcomes:
Students will set up SSH keys, configure and exclusively allow user key-based authentication, and lock down the OpenSSH service to prevent the root user from logging into the system by using SSH.

Before you begin...
Reset the desktopX and serverX systems.

Run lab ssh setup as the student user on both desktopX and serverX. This will create a user account called visitor with a password of password.

[student@desktopX ~]$ lab ssh setup
[student@serverX ~]$ lab ssh setup

Unless specified, all steps are to be performed as user visitor.

1. Generate SSH keys on desktopX for user visitor and copy the public key to the visitor account on serverX.

2. Disable ssh login for the root user and password-based SSH authentication on serverX.

3. Verify that user root is not allowed to log in to serverX by using ssh, while user visitor is with the private key.

Solution
In this lab, you will add security measures to the ssh service.

Outcomes:
Students will set up SSH keys, configure and exclusively allow user key-based authentication, and lock down the OpenSSH service to prevent the root user from logging into the system by using SSH.

Before you begin...
Reset the desktopX and serverX systems.

Run lab ssh setup as the student user on both desktopX and serverX. This will create a user account called visitor with a password of password.

[student@desktopX ~]$ lab ssh setup
[student@serverX ~]$ lab ssh setup

Unless specified, all steps are to be performed as user visitor.

1. Generate SSH keys on desktopX for user visitor and copy the public key to the visitor account on serverX.

1.1. Generate an SSH public key on desktopX as user visitor.

[visitor@desktopX ~]$ ssh-keygen

1.2. Install the SSH public key generated previously on desktopX to the visitor account on serverX.

[visitor@desktopX ~]$ ssh-copy-id serverX
The authenticity of host 'serverX (172.25.X.11)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
visitor@serverX's password: password

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'visitor@serverX'"
and check to make sure that only the key(s) you wanted were added.

2. Disable ssh login for the root user and password-based SSH authentication on serverX.

2.1. Log into the serverX virtual machine as user root.

[visitor@desktopX ~]$ ssh root@serverX

2.2. Customize the ssh service on serverX by disabling SSH connections for the user root and only allow key-based login.

Set the necessary config file parameters in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no

2.3. Restart the sshd service on serverX.

[root@serverX ~]# systemctl restart sshd

3. Verify that user root is not allowed to log in to serverX by using ssh, while user visitor is with the private key.

3.1. On a different terminal window on desktopX, validate that user root cannot connect to serverX with the ssh command. It should fail because we disabled root logins with the ssh service.

[visitor@desktopX ~]$ ssh root@serverX
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

3.2. Try logging in as user student to serverX from desktopX by using ssh. It should fail because we did not add the public key from that user to the student account on the serverX machine.

[visitor@desktopX ~]$ ssh student@serverX
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

3.3. Verify the ssh service is still accepting key-based authentication by successfully connecting to serverX as user visitor with the ssh command.

[visitor@desktopX ~]$ ssh visitor@serverX
[visitor@serverX ~]$

Summary

Accessing the Remote Command Line with SSH
The OpenSSH service is the standard software to securely access the remote command line.

Configuring SSH Key-based Authentication
Utilizing key-based SSH authentication adds additional security to remote systems administration.

Customizing SSH Service Configuration
The configuration of the OpenSSH service, sshd, can be changed by editing the file /etc/ssh/sshd_config and restarting the service with systemctl.

CHAPTER 10
ANALYZING AND STORING LOGS

Overview:

Goal: To locate and accurately interpret relevant system log files for troubleshooting purposes.

Objectives:
• Describe the basic syslog architecture in Red Hat Enterprise Linux 7.
• Interpret entries in relevant syslog files to troubleshoot problems or review system status.
• Find and interpret log entries in the systemd journal to troubleshoot problems or review system status.
• Configure systemd-journald to store its journal on disk rather than in memory.
• Maintain accurate time synchronization and time zone configuration to ensure correct timestamps in system logs.

Sections:
• System Log Architecture (and Practice)
• Reviewing Syslog Files (and Practice)
• Reviewing systemd Journal Entries (and Practice)
• Preserving the systemd Journal (and Practice)
• Maintaining Accurate Time (and Practice)

Lab:
• Analyzing and Storing Logs


System Log Architecture

Objectives
After completing this section, students should be able to describe the basic syslog architecture in Red Hat Enterprise Linux 7.

System logging
Processes and the operating system kernel need to be able to record a log of events that happen. These logs can be useful for auditing the system and troubleshooting problems. By convention, the /var/log directory is where these logs are persistently stored.

A standard logging system based on the Syslog protocol is built into Red Hat Enterprise Linux. Many programs use this system to record events and organize them into log files. In Red Hat Enterprise Linux 7, syslog messages are handled by two services, systemd-journald and rsyslog.

The systemd-journald daemon provides an improved log management service that collects messages from the kernel, the early stages of the boot process, standard output and error of daemons as they start up and run, and syslog. It writes these messages to a structured journal of events that, by default, does not persist between reboots. This allows syslog messages and events which are missed by syslog to be collected in one central database. The syslog messages are also forwarded by systemd-journald to rsyslog for further processing.

The rsyslog service then sorts the syslog messages by type (or facility) and priority, and writes them to persistent files in the /var/log directory.

The /var/log directory holds various system- and service-specific log files maintained by rsyslog:

Overview of system log files

Log file            Purpose
/var/log/messages   Most syslog messages are logged here. The exceptions are messages related to authentication and email processing, messages from periodically run jobs, and those which are purely debugging-related.
/var/log/secure     The log file for security and authentication-related messages and errors.
/var/log/maillog    The log file with mail server-related messages.
/var/log/cron       The log file related to periodically executed tasks.
/var/log/boot.log   Messages related to system startup are logged here.

References
systemd-journald.service(8), rsyslogd(8), and rsyslog.conf(5) man pages

Additional information may be available in the Red Hat Enterprise Linux System Administrator's Guide for Red Hat Enterprise Linux 7, which can be found at http://docs.redhat.com/

Practice: System Logging Components

Quiz
Match the following items to their counterparts in the table.

/var/log   /var/log/boot.log   /var/log/cron   /var/log/maillog   /var/log/messages   /var/log/secure

Purpose: Most syslog messages are logged here. The exceptions are messages related to authentication, email processing, and periodically run jobs, or those which are purely debugging-related.   Log file: ________

Purpose: The log file for security and authentication-related messages and errors.   Log file: ________

Purpose: The directory to which rsyslog is writing all the log files.   Log file: ________

Purpose: The log file with mail server-related messages.   Log file: ________

Purpose: The log file related to periodically executed tasks.   Log file: ________

Purpose: Messages related to system startup are logged here.   Log file: ________

Solution
Match the following items to their counterparts in the table.

Purpose: Most syslog messages are logged here. The exceptions are messages related to authentication, email processing, and periodically run jobs, or those which are purely debugging-related.   Log file: /var/log/messages

Purpose: The log file for security and authentication-related messages and errors.   Log file: /var/log/secure

Purpose: The directory to which rsyslog is writing all the log files.   Log file: /var/log

Purpose: The log file with mail server-related messages.   Log file: /var/log/maillog

Purpose: The log file related to periodically executed tasks.   Log file: /var/log/cron

Purpose: Messages related to system startup are logged here.   Log file: /var/log/boot.log

Reviewing Syslog Files

Objectives
After completing this section, students should be able to interpret entries in relevant syslog files to troubleshoot problems or review system status.

Syslog files
Many programs use the syslog protocol to log events to the system. Each log message is categorized by a facility (the type of message) and a priority (the severity of the message). The facilities which are available are documented by the rsyslog.conf(5) man page.

The eight priorities are also standardized and ranked as follows:

Overview of syslog priorities

Code  Priority  Severity
0     emerg     System is unusable.
1     alert     Action must be taken immediately.
2     crit      Critical condition.
3     err       Non-critical error condition.
4     warning   Warning condition.
5     notice    Normal but significant event.
6     info      Informational event.
7     debug     Debugging-level message.

The rsyslogd service uses the facility and priority of log messages to determine how to handle them. This is configured by the file /etc/rsyslog.conf and by *.conf files in /etc/rsyslog.d. Programs and administrators can change rsyslogd configuration in a way that will not be overwritten by updates to rsyslog by putting customized files with a .conf suffix in the /etc/rsyslog.d directory.

The #### RULES #### section of /etc/rsyslog.conf contains directives that define where log messages are saved. The left side of each line indicates the facility and severity of the log message the directive matches. The rsyslog.conf file can contain the character * as a wildcard in the facility and severity field, where it either stands for all facilities or all severities. The right side of each line indicates what file to save the log message in. Log messages are normally saved in files in the /var/log directory.

Note
Log files are maintained by the rsyslog service, and the /var/log directory contains a variety of log files specific to certain services. For example, the Apache Web Server or Samba write their own log files into a corresponding subdirectory of the /var/log directory.

A message handled by rsyslog can appear in multiple different log files. To prevent that, the severity field can be set to none, which means that none of the messages directed to this facility are added to the specified log file.

Instead of logging syslog messages to a file, they can be printed to the terminals of all logged-in users. In the default rsyslog.conf file, this is done for all messages that have "emerg" priority.

Sample rules section of rsyslog.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
Note
The rsyslog.conf file is documented by the rsyslog.conf(5) man page and by extensive HTML documentation in /usr/share/doc/rsyslog-*/manual.html contained in the rsyslog-doc package, which is available from the Red Hat Enterprise Linux 7 software channel, but not included on the installation medium.
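To see how the selectors in these rules actually dispatch a message, here is an added example (not from the course and not rsyslog's code) that implements the facility.priority matching this section describes and runs the page's sample RULES over a few constructed messages. It handles '*' wildcards, comma-separated facility lists, ';'-joined selectors, 'none' exclusions and the "priority or higher" rule; it does not implement rsyslog's '=' and '!' priority modifiers or its newer filter syntaxes. The facility names are those listed in rsyslog.conf(5):

```python
"""Route a syslog message through the RULES section shown above.

Added example, not part of the course text and not rsyslog's code. It
implements the selector semantics described in this section and applies them
to the sample rules from the page, so you can see which file a message with a
given facility and priority ends up in. The messages are constructed.
"""

# Priority codes from the table in this section (lower number = more severe).
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Facilities listed in rsyslog.conf(5).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

# The active lines of the sample RULES section on this page.
SAMPLE_RULES = """\
#### RULES ####
#kern.*                                  /dev/console
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.*                               /var/log/secure
mail.*                                   -/var/log/maillog
cron.*                                   /var/log/cron
*.emerg                                  :omusrmsg:*
uucp,news.crit                           /var/log/spooler
local7.*                                 /var/log/boot.log
"""


def parse_selector(selector: str) -> dict:
    """Translate 'fac1,fac2.prio;fac3.none' into {facility: max_priority_code}.

    A facility maps to the numerically highest priority code it still accepts
    (a message matches if its code is <= that value); 'none' removes the
    facility. Later parts override earlier ones, so '*.info;mail.none' means
    'everything at info or above, except mail'.
    """
    accepted = {}
    for part in selector.split(";"):
        facilities, priority = part.rsplit(".", 1)
        targets = FACILITIES if facilities == "*" else facilities.split(",")
        for facility in targets:
            if facility not in FACILITIES:
                raise ValueError("unknown facility %r" % facility)
            if priority == "none":
                accepted.pop(facility, None)
            elif priority == "*":
                accepted[facility] = PRIORITIES["debug"]
            elif priority in PRIORITIES:
                accepted[facility] = PRIORITIES[priority]
            else:
                raise ValueError("unknown priority %r" % priority)
    return accepted


def parse_rules(text: str) -> list:
    """Return [(accepted_map, action)] for each active rule line (comments skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        # A leading '-' asks rsyslog not to sync the file after every write;
        # it is not part of the path.
        rules.append((parse_selector(selector), action.lstrip("-")))
    return rules


def route(rules: list, facility: str, priority: str) -> list:
    """Return the actions (files or modules) that receive a facility.priority message."""
    code = PRIORITIES[priority]
    return [action for accepted, action in rules
            if facility in accepted and code <= accepted[facility]]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Constructed messages, not real log data.
    for facility, priority in [("authpriv", "info"), ("daemon", "debug"),
                               ("news", "crit"), ("local7", "emerg")]:
        print("%s.%s -> %s" % (facility, priority, route(rules, facility, priority)))
```

Running it shows why an authpriv message never reaches /var/log/messages (the authpriv.none part removes the facility from the first rule) and why a daemon.debug message is dropped entirely (no rule accepts anything below info for that facility), which is the first thing to check when an expected line is missing from a log file.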
Log file rotation
Logs are "rotated" by the logrotate utility to keep them from filling up the file system containing /var/log/. When a log file is rotated, it is renamed with an extension indicating the date on which it was rotated: the old /var/log/messages file may become /var/log/messages-20141030 if it is rotated on October 30, 2014. Once the old log file is rotated, a new log file is created and the service that writes to it is notified.

After a certain number of rotations, typically after four weeks, the old log file is discarded to free disk space. A cron job runs the logrotate program daily to see if any logs need to be rotated. Most