Remote login using ssh in enforcing mode: why is enforcing mode secure?

Access over ssh is indispensable for both cloud computing and IoT. The general principle is that the client holds an ssh key pair and only the public key is sent to the remote machine; the private key never leaves the client.

The following command generates an ssh key pair of type rsa with a 4096-bit modulus. It prompts for a passphrase, which encrypts the private key on disk:

ssh-keygen -t rsa -b 4096 [-C comment]

The private key file is ~/.ssh/id_rsa and the public key file is ~/.ssh/id_rsa.pub by default.

You can use ssh-agent, which keeps the decrypted private keys in memory so that later public key authentications can use them without asking for the passphrase again:

eval "$(ssh-agent -s)"

Then add your ssh private key to the ssh-agent (you are asked for its passphrase once):

ssh-add ~/.ssh/id_rsa

Assume that the remote machine already has the public key in the user's ~/.ssh/authorized_keys. Now you can log in without typing the passphrase for the private key, because the agent signs the server's authentication challenge on your behalf. See also Bring Omarine to a cloud.

Additional steps to perform on Omarine in enforcing mode

First, you need to modify your firewall to allow outgoing connections from the ssh client, as the root user. The command appends ssh to the quoted TCPOUT= list in /lib/systemd/firewall; run it only once, since running it again appends a second ssh entry:

sed '/TCPOUT=/s@"$@,ssh"@' -i /lib/systemd/firewall
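As an added example (not Omarine's own script), here is the same firewall edit wrapped in a function that is safe to run more than once and that handles an empty list. It assumes, as the page's one-liner implies, that the line has the form TCPOUT="svc1,svc2"; the function name and the demo file are the example's own, and the demo runs on a constructed temporary file, never on the real /lib/systemd/firewall.

```shell
#!/bin/sh
# Added example, not part of the Omarine page: append a service to the
# TCPOUT= list of the firewall file without duplicating it and without
# producing a leading comma when the list is empty.
# Assumption: the line looks like  TCPOUT="svc1,svc2"  (quoted, comma-separated).

add_tcpout_service() {
    file=$1
    svc=$2
    # Already present as a whole item? (matches "ssh", not "sshfs")
    if grep -Eq "^TCPOUT=\"([^\"]*,)?${svc}(,[^\"]*)?\"" "$file"; then
        return 0
    fi
    if grep -Eq '^TCPOUT=""' "$file"; then
        # Empty list: write the bare service name, no leading comma.
        sed -i "/^TCPOUT=/s@\"\"@\"${svc}\"@" "$file"
    else
        # Same edit as the page's one-liner: insert before the closing quote.
        sed -i "/^TCPOUT=/s@\"\$@,${svc}\"@" "$file"
    fi
}

# Print the current TCPOUT value without its quotes, so callers can check it.
tcpout_value() {
    sed -n 's/^TCPOUT="\(.*\)"$/\1/p' "$1"
}

# Demo on a constructed copy of the file, never on the real one.
demo_firewall=$(mktemp)
printf 'TCPIN="ssh"\nTCPOUT="http,https"\n' > "$demo_firewall"
add_tcpout_service "$demo_firewall" ssh
add_tcpout_service "$demo_firewall" ssh   # second call is a no-op
echo "TCPOUT is now: $(tcpout_value "$demo_firewall")"   # http,https,ssh
rm -f "$demo_firewall"
```

On a real system call add_tcpout_service /lib/systemd/firewall ssh as root, then reload the firewall service as you normally would.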

The keys that you created with ssh-keygen, along with the ~/.ssh directory itself, will carry a security context with the type user_home_t, the default for new files in a home directory. That type does not work with ssh: in enforcing mode the policy lets ssh and sshd read key files of type ssh_home_t, not user_home_t, so a mislabeled authorized_keys or private key causes public key login to be refused. Restore the default security context, which for ~/.ssh and everything in it is ssh_home_t, as the root user. The command below is relative, so run it from the user's home directory:

restorecon -R .ssh

This is the point of enforcing mode: ssh only works when the key material carries the security context the policy assigns to it. A key file that was written by some other path and carries the wrong label is refused rather than silently trusted, so the label is the evidence the policy checks, and a successful key login shows the files were placed and labeled as intended.

If you want to change or set the passphrase of the private key, use this command (it prompts for the key file, the old passphrase and the new one; add -f to name the key file directly):

ssh-keygen -p

If you already have a key pair from elsewhere and want to copy it into ~/.ssh, use the following command to create the ~/.ssh directory with the proper mode and security context (-Z makes install apply the default SELinux type for that path, which is ssh_home_t):

install -d -m700 -Z ~/.ssh

Copy the key files into it with cp rather than mv: a newly created file takes the directory's type, whereas mv keeps the old label on the file and leaves you with the user_home_t problem again (or run restorecon -R on the directory afterwards). Also make sure the private key is mode 600, since ssh refuses a private key that is readable by group or others.
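As an added example that is not part of the original post, here is a small audit script for ~/.ssh covering both things this section changes: the SELinux label, read from ls -Z output (it is parsed from text, so the demo feeds constructed sample lines and also works on a machine without SELinux), and the file modes. The type ssh_home_t comes from the page; the mode rules (700 on the directory, 600 on private keys, no group/other write elsewhere) are standard OpenSSH requirements; the function names and the demo directory are the example's own.

```shell
#!/bin/sh
# Added example, not code from the Omarine page: audit a ~/.ssh directory
# for the two things that make key login fail on an enforcing system:
# wrong SELinux labels (the policy lets sshd read ssh_home_t, not user_home_t)
# and wrong file modes (ssh refuses private keys readable by others).
# `ls -Z` output is parsed as text; the demo uses constructed sample lines.

# Return 0 if a context "user:role:type:level" has the type ssh expects
# for files under ~/.ssh.
label_ok() {
    [ "$(printf '%s' "$1" | cut -d: -f3)" = "ssh_home_t" ]
}

# Judge one `ls -Z` line of the form "<context> <name>".
check_label_line() {
    ctx=${1%% *}
    name=${1#* }
    if label_ok "$ctx"; then
        echo "ok         $name  ($ctx)"
    else
        echo "MISLABELED $name  ($ctx)  fix: restorecon -R ~/.ssh"
        return 1
    fi
}

# Mode rules: 700 on the directory, 600 on private keys (id_*), no
# group/other write on everything else (*.pub, authorized_keys, ...).
mode_ok() {
    path=$1
    mode=$(stat -c %a "$path")
    case $(basename "$path") in
        .ssh)  [ "$mode" = "700" ] ;;
        *.pub|authorized_keys|known_hosts|config)
               [ $(( 0$mode & 022 )) -eq 0 ] ;;
        id_*)  [ "$mode" = "600" ] ;;
        *)     [ $(( 0$mode & 022 )) -eq 0 ] ;;
    esac
}

# Walk one directory: modes via stat, labels via `ls -Z`.
# Second argument: yes / no / auto (auto = only when SELinux is enabled).
audit_ssh_dir() {
    dir=$1
    labels=${2:-auto}
    rc=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        mode_ok "$p" || { echo "BAD MODE   $p  ($(stat -c %a "$p"))"; rc=1; }
    done
    if [ "$labels" = auto ]; then
        if [ -f /sys/fs/selinux/enforce ] && ls -Zd "$dir" >/dev/null 2>&1; then
            labels=yes
        else
            labels=no
        fi
    fi
    if [ "$labels" = yes ]; then
        old_ifs=$IFS
        IFS='
'
        for line in $(ls -Zd "$dir" "$dir"/* 2>/dev/null); do
            check_label_line "$line" || rc=1
        done
        IFS=$old_ifs
    fi
    return $rc
}

# Demo on a constructed directory, not the real ~/.ssh.
demo=$(mktemp -d)
mkdir -m700 "$demo/.ssh"
touch "$demo/.ssh/id_rsa" "$demo/.ssh/id_rsa.pub" "$demo/.ssh/authorized_keys"
chmod 644 "$demo/.ssh/id_rsa"                    # deliberately too open
chmod 644 "$demo/.ssh/id_rsa.pub" "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo/.ssh" || echo "audit found problems (expected in this demo)"
rm -rf "$demo"

# Constructed `ls -Z` lines, as they look before and after restorecon.
check_label_line "unconfined_u:object_r:user_home_t:s0 id_rsa" || true
check_label_line "unconfined_u:object_r:ssh_home_t:s0 id_rsa"
```

On a real Omarine system run audit_ssh_dir ~/.ssh as the user (or with the home directory path as root) after the restorecon step; every line should read ok and no BAD MODE lines should appear before you attempt a key login.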
