SSH (Secure Shell) is a protocol that provides secure communications between two systems using a client-server architecture and allows users to log in to server host systems remotely.
Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, which prevents intruders from collecting unencrypted passwords from the connection.

Red Hat Enterprise Linux includes the basic OpenSSH packages: the general openssh package, the openssh-server package and the openssh-clients package. Note that the OpenSSH packages require the OpenSSL package openssl-libs, which installs several important cryptographic libraries that enable OpenSSH to provide encrypted communications.

7.1. SSH and OpenSSH

SSH (Secure Shell) is a program for logging into a remote machine and executing commands on that machine.
(For git 1.5.1 or newer) Your identity for when you push commits. (Also okay to use the GIT environment variables.)

git config --global user.name 'Your Name Comes Here'
git config --global user.email [email protected]

Enable colors (optional).

Aug 05, 2019. For example, see the 'Clone to Desktop' and 'Download Zip' buttons on the right side of your project page. Here I will use the command-line SSH clone. Note that you need to have an SSH key enabled for your computer. Under the personal profile tab on the GitHub page, go to Settings > SSH keys and follow the instructions.
The SSH protocol provides secure encrypted communications between two untrusted hosts over an insecure network. You can also forward X11 connections and arbitrary TCP/IP ports over the secure channel.

The SSH protocol mitigates security threats, such as interception of communication between two systems and impersonation of a particular host, when you use it for remote shell login or file copying. This is because the SSH client and server use digital signatures to verify their identities. Additionally, all communication between the client and server systems is encrypted.

OpenSSH is an implementation of the SSH protocol supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The OpenSSH suite consists of the following user-space tools.
ssh is a remote login program (SSH client).
sshd is the OpenSSH SSH daemon.
scp is a secure remote file copy program.
sftp is a secure file transfer program.
ssh-agent is an authentication agent for caching private keys.
ssh-add adds private key identities to ssh-agent.
ssh-keygen generates, manages, and converts authentication keys for ssh.
ssh-copy-id is a script that adds local public keys to the authorized_keys file on a remote SSH server.
ssh-keyscan gathers SSH public host keys.

Two versions of SSH currently exist: version 1, and the newer version 2.
The OpenSSH suite in Red Hat Enterprise Linux 8 supports only SSH version 2, which has an enhanced key-exchange algorithm not vulnerable to known exploits in version 1.

OpenSSH, as one of the RHEL core cryptographic subsystems, uses system-wide crypto policies. This ensures that weak cipher suites and cryptographic algorithms are disabled in the default configuration.
To adjust the policy, the administrator must either use the update-crypto-policies command to make settings stricter or looser, or manually opt out of the system-wide crypto policies.

The OpenSSH suite uses two different sets of configuration files: those for client programs (that is, ssh, scp, and sftp), and those for the server (the sshd daemon). System-wide SSH configuration information is stored in the /etc/ssh/ directory. User-specific SSH configuration information is stored in ~/.ssh/ in the user's home directory. For a detailed list of OpenSSH configuration files, see the FILES section in the sshd(8) man page.

Procedure. Start the sshd daemon in the current session and set it to start automatically at boot time:

# systemctl start sshd
# systemctl enable sshd

To specify addresses other than the default 0.0.0.0 (IPv4) or :: (IPv6) for the ListenAddress directive in the /etc/ssh/sshd_config configuration file and to use a slower dynamic network configuration, add the dependency on the network-online.target target unit to the sshd.service unit file.
Procedure. Open the /etc/ssh/sshd_config configuration file in a text editor, for example:

# vi /etc/ssh/sshd_config

Change the PasswordAuthentication option to no:

PasswordAuthentication no

On a system other than a new default installation, check that PubkeyAuthentication no has not been set and that the ChallengeResponseAuthentication directive is set to no. If you are connected remotely, not using console or out-of-band access, test the key-based login process before disabling password authentication.

To use key-based authentication with NFS-mounted home directories, enable the use_nfs_home_dirs SELinux boolean:

# setsebool -P use_nfs_home_dirs 1

Reload the sshd daemon to apply the changes:

# systemctl reload sshd

Procedure. To generate an ECDSA key pair for version 2 of the SSH protocol:

$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/joesec/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/joesec/.ssh/id_ecdsa.
Your public key has been saved in /home/joesec/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:Q/x+qms4j7PCQ0qFd09iZEFHA+SqwBKRNaU72oZfaCI [email protected]
The key's randomart image is:
(ASCII randomart image not reproduced)

Enabling key-based authentication and disabling password-based authentication. Disabling passwords for authentication and allowing only key pairs reduces the attack surface, and it also might save users' time. On clients, generate key pairs using the ssh-keygen tool and use the ssh-copy-id utility to copy public keys from clients to the OpenSSH server. To disable password-based authentication on your OpenSSH server, edit /etc/ssh/sshd_config and change the PasswordAuthentication option to no:

PasswordAuthentication no

Key types. Although the ssh-keygen command generates a pair of RSA keys by default, you can instruct it to generate ECDSA or Ed25519 keys by using the -t option. ECDSA (Elliptic Curve Digital Signature Algorithm) offers better performance than RSA at the equivalent symmetric key strength. It also generates shorter keys.
The Ed25519 public-key algorithm is an implementation of twisted Edwards curves that is more secure and also faster than RSA, DSA, and ECDSA.

OpenSSH creates RSA, ECDSA, and Ed25519 server host keys automatically if they are missing. To configure the host key creation in RHEL 8, use the sshd-keygen@.service instantiated service. For example, to disable the automatic creation of the RSA key type:

# systemctl mask sshd-keygen@rsa.service

To exclude particular key types for SSH connections, comment out the relevant lines in /etc/ssh/sshd_config, and reload the sshd service. For example, to allow only Ed25519 host keys:

# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Non-default port. By default, the sshd daemon listens on TCP port 22. Changing the port reduces the exposure of the system to attacks based on automated network scanning and thus increases security through obscurity. You can specify the port using the Port directive in the /etc/ssh/sshd_config configuration file.

You also have to update the default SELinux policy to allow the use of a non-default port. To do so, use the semanage tool from the policycoreutils-python-utils package:

# semanage port -a -t ssh_port_t -p tcp port_number

Furthermore, update the firewalld configuration:

# firewall-cmd --add-port port_number/tcp
# firewall-cmd --runtime-to-permanent

In the previous commands, replace port_number with the new port number specified using the Port directive.

No root login. If your particular use case does not require the possibility of logging in as the root user, you should consider setting the PermitRootLogin configuration directive to no in the /etc/ssh/sshd_config file. By disabling the possibility of logging in as the root user, the administrator can audit which users run what privileged commands after they log in as regular users and then gain root rights.

Alternatively, set PermitRootLogin to prohibit-password:

PermitRootLogin prohibit-password

This enforces the use of key-based authentication instead of passwords for logging in as root and reduces risks by preventing brute-force attacks.
Using the X Security extension. The X server in Red Hat Enterprise Linux clients does not provide the X Security extension. Therefore, clients cannot request another security layer when connecting to untrusted SSH servers with X11 forwarding. Most applications are not able to run with this extension enabled anyway.

By default, the ForwardX11Trusted option in the /etc/ssh/ssh_config.d/05-redhat.conf file is set to yes, and there is no difference between the ssh -X remote_machine (untrusted host) and ssh -Y remote_machine (trusted host) commands.

If your scenario does not require the X11 forwarding feature at all, set the X11Forwarding directive in the /etc/ssh/sshd_config configuration file to no.

Restricting access to specific users, groups, or domains. The AllowUsers and AllowGroups directives in the /etc/ssh/sshd_config configuration file enable you to permit only certain users, domains, or groups to connect to your OpenSSH server. You can combine AllowUsers and AllowGroups to restrict access more precisely, for example:

AllowUsers *@192.168.1.*,*@10.0.0.*,!*@192.168.1.2
AllowGroups example-group

The previous configuration lines accept connections from all users from systems in the 192.168.1.* and 10.0.0.* subnets except from the system with the 192.168.1.2 address. All users must be in the example-group group. The OpenSSH server denies all other connections.

Note that using whitelists (directives starting with Allow) is more secure than using blacklists (options starting with Deny) because whitelists also block new unauthorized users or groups.
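The hardening directives above (PasswordAuthentication, ChallengeResponseAuthentication, PermitRootLogin, X11Forwarding, PubkeyAuthentication) can be verified before reloading sshd. The following POSIX shell script is an added example, not part of the Red Hat documentation; the two configuration files it writes are constructed samples and the function names are assumptions of this example. It reads only the global section of sshd_config and follows sshd's first-value-wins rule, so a directive appended after an existing one is reported with the value sshd will actually use.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): audit the global section
# of an sshd_config for the hardening directives discussed in the text.
# sshd uses the FIRST uncommented value of each keyword and applies anything
# after a "Match" line conditionally, so only the global section is read.

# effective_value FILE KEYWORD: print the first global value (lowercased), or
# nothing if the keyword is not set. Accepts "Keyword value" and "Keyword=value".
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]*=[[:space:]]*/, " ") }
        $1 ~ /^#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }      # stop at the first Match block
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one "WEAK: ..." line per finding; return 1 if any.
# Accepted values follow the recommendations above; "unset" is accepted only
# where the upstream OpenSSH default is already the safe value.
audit_sshd_config() {
    findings=0
    for pair in \
        "PasswordAuthentication:no" \
        "ChallengeResponseAuthentication:no" \
        "PermitRootLogin:no prohibit-password" \
        "PubkeyAuthentication:yes unset" \
        "X11Forwarding:no unset"
    do
        key=${pair%%:*}
        ok_values=${pair#*:}
        val=$(effective_value "$1" "$key")
        val=${val:-unset}
        case " $ok_values " in
            *" $val "*) ;;
            *)
                echo "WEAK: $key=$val (want one of: $ok_values)"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not real distribution defaults).
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/sshd_config.weak"
HARD_CONF="$SAMPLE_DIR/sshd_config.hardened"

# A permissive config where "PasswordAuthentication no" was appended at the end
# instead of editing the existing line: sshd keeps the first value, "yes".
cat > "$WEAK_CONF" <<'EOF'
# permissive example
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding = yes
PasswordAuthentication no
EOF

# A hardened config; the Match block must not influence the global audit.
cat > "$HARD_CONF" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
X11Forwarding no
Match User backup
    PasswordAuthentication yes
    ForceCommand internal-sftp
EOF

# Stand-alone usage: report findings for both samples.
for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "OK: no weak settings found"; fi
done
```

Run it against a real /etc/ssh/sshd_config by calling audit_sshd_config with that path; a non-zero exit status means at least one directive differs from the recommendations.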
Changing system-wide cryptographic policies. OpenSSH uses RHEL system-wide cryptographic policies, and the default system-wide cryptographic policy level offers secure settings for current threat models. To make your cryptographic settings more strict, change the current policy level:

# update-crypto-policies --set FUTURE
Setting system policy to FUTURE.

To opt out of the system-wide crypto policies for your OpenSSH server, uncomment the line with the CRYPTO_POLICY= variable in the /etc/sysconfig/sshd file. After this change, values that you specify in the Ciphers, MACs, KexAlgorithms, and GSSAPIKexAlgorithms sections in the /etc/ssh/sshd_config file are not overridden. Note that this task requires deep expertise in configuring cryptographic options. See in the title for more information.

Procedure. Define the jump host by editing the ~/.ssh/config file, for example:

Host jump-server1
  HostName jump1.example.com

Add the remote server jump configuration with the ProxyJump directive to ~/.ssh/config, for example:

Host remote-server
  HostName remote1.example.com
  ProxyJump jump-server1

Connect to the remote server through the jump server:

$ ssh remote-server

The previous command is equivalent to the ssh -J jump-server1 remote-server command if you omit configuration steps 1 and 2.

You can specify more jump servers, and you can also skip adding host definitions to the configuration file when you provide their complete host names, for example:

$ ssh -J jump1.example.com,jump2.example.com,jump3.example.com remote1.example.com

Change the host-name-only notation in the previous command if the user names or SSH ports on the jump servers differ from the names and ports on the remote server, for example:

$ ssh -J johndoe@jump1.example.com:75,johndoe@jump2.example.com:75,[email protected]:75 [email protected]:220
Copyright © 2006–2020 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled "GNU Free Documentation License".

For SUSE trademarks, see. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Bugs and Enhancement Requests. For services and support options available for your product, refer to. To report bugs for a product component, go to, log in, and click Create New.

User Comments. We want to hear your comments about and suggestions for this manual and the other documentation included with this product. Use the User Comments feature at the bottom of each page in the online documentation or go to and enter your comments there.

Mail. For feedback on the documentation of this product, you can also send a mail to [email protected]. Make sure to include the document title, the product version and the publication date of the documentation. To report errors or suggest enhancements, provide a concise description of the problem and refer to the respective section number and page (or URL).

/etc/passwd: directory names and file names.
PLACEHOLDER: replace PLACEHOLDER with the actual value.
PATH: the environment variable PATH.
ls, --help: commands, options, and parameters.
user: users or groups.
package name: name of a package.
Alt, Alt–F1: a key to press or a key combination; keys are shown in uppercase as on a keyboard.
File, File › Save As: menu items, buttons.
x86_64: This paragraph is only relevant for the AMD64/Intel 64 architecture. The arrows mark the beginning and the end of the text block.
System z, POWER: This paragraph is only relevant for the architectures z Systems and POWER. The arrows mark the beginning and the end of the text block.
Dancing Penguins (Chapter Penguins, ↑Another Manual): This is a reference to a chapter in another manual.
Commands that must be run with root privileges. Often you can also prefix these commands with the sudo command to run them as a non-privileged user.

5 About the Making of This Documentation

This documentation is written in, a subset of. The XML source files were validated by jing (see), processed by xsltproc, and converted into XSL-FO using a customized version of Norman Walsh's stylesheets. The final PDF is formatted through FOP from.
The open source tools and the environment used to build this documentation are provided by the DocBook Authoring and Publishing Suite (DAPS). The project's home page can be found at. The XML source code of this documentation can be found at.

1.2 SUSE Cloud Application Platform Overview

SUSE Cloud Application Platform is a software platform for cloud-native application deployment based on SUSE Cloud Foundry and Kubernetes. SUSE Cloud Application Platform describes the complete software stack, including the operating system, Kubernetes, and SUSE Cloud Foundry.

SUSE Cloud Application Platform is comprised of the SUSE Linux Enterprise builds of the User Account and Authentication (uaa) Server, SUSE Cloud Foundry (scf), the Stratos Web user interface, and Stratos Metrics. The Cloud Foundry code base provides the basic functionality. SUSE Cloud Foundry differentiates itself from other Cloud Foundry distributions by running in Linux containers managed by Kubernetes, rather than virtual machines managed with BOSH, for greater fault tolerance and lower memory use.

All Docker images for the SUSE Linux Enterprise builds are hosted on registry.suse.com. These are the commercially-supported images. (Community-supported images for openSUSE are hosted on.) Product manuals on refer to the commercially-supported SUSE Linux Enterprise version.

Cloud Application Platform is designed to run on any Kubernetes cluster. This guide describes how to deploy it.

Allocates computing resources on demand via API or Web interface.
Offers users a choice of language and Web framework.
Gives access to databases and other data services.
Emits and aggregates application log streams.
Tracks resource usage for users and groups.
Makes the software development workflow more efficient.

The principal interface and API for deploying applications to SUSE Cloud Application Platform is SUSE Cloud Foundry. Most Cloud Foundry distributions run on virtual machines managed by BOSH. SUSE Cloud Foundry runs in SUSE Linux Enterprise containers managed by Kubernetes. Containerizing the components of the platform itself has these advantages.

Improves fault tolerance. Kubernetes monitors the health of all containers, and automatically restarts faulty containers faster than virtual machines can be restarted or replaced.

Reduces physical memory overhead. SUSE Cloud Foundry components deployed in containers consume substantially less memory, as host-level operations are shared between containers by Kubernetes.

SUSE Cloud Foundry packages upstream Cloud Foundry BOSH releases to produce containers and configurations which are deployed to Kubernetes clusters using Helm.

Important: Required Knowledge. Installing and administering SUSE Cloud Application Platform requires knowledge of Linux, Docker, Kubernetes, and your Kubernetes platform (for example SUSE CaaS Platform, Microsoft Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine). You must plan resource allocation and network architecture by taking into account the requirements of your Kubernetes platform in addition to SUSE Cloud Foundry requirements. SUSE Cloud Foundry is a discrete component in your cloud stack, but it still requires knowledge of administering and troubleshooting the underlying stack.

You may create a minimal deployment on four Kubernetes nodes for testing. However, this is insufficient for a production deployment. A supported deployment includes SUSE Cloud Foundry installed on SUSE CaaS Platform, Amazon EKS, Google GKE, or Microsoft AKS. You also need a storage back-end such as SUSE Enterprise Storage or NFS, a DNS/DHCP server, and an Internet connection to download additional packages during installation and 10 GB of Docker images.

A production deployment requires considerable resources. SUSE Cloud Application Platform includes an entitlement of SUSE CaaS Platform. SUSE CaaS Platform requires a minimum of four hosts: one admin and three Kubernetes nodes. SUSE Cloud Foundry is then deployed on the Kubernetes nodes. Four SUSE CaaS Platform nodes are not sufficient for a production deployment. describes a minimal production deployment with SUSE Cloud Foundry deployed on a Kubernetes cluster containing three Kubernetes masters and three workers, plus an ingress controller, administration workstation, DNS/DHCP server, and a SUSE Enterprise Storage cluster.

Figure 1.1: Minimal Example Production Deployment

Note that after you have deployed your cluster and start building and running applications, your applications may depend on buildpacks that are not bundled in the container images that ship with SUSE Cloud Foundry. These will be downloaded at runtime, when you are pushing applications to the platform. Some of these buildpacks may include components with proprietary licenses. (See to learn more about buildpacks, and creating and managing your own.)

List of SUSE Cloud Foundry Containers
adapter: Part of the logging system, manages connections to user application syslog drains.
api-group: Contains the SUSE Cloud Foundry Cloud Controller, which implements the CF API.

Kubernetes API version of at least 1.10.
Ensure nodes use a minimum kernel version of 3.19.
If your Kubernetes nodes have swap, then the kernel parameter swapaccount=1 is set.
docker info must not show aufs as the storage driver.
The Kubernetes cluster must have a storage class for SUSE Cloud Application Platform to use. The default storage class is persistent.
Important things to know before deploying SUSE Cloud Application Platform. An Ingress controller (see ) is a Kubernetes resource that manages traffic to services in a Kubernetes cluster.

SUSE Cloud Application Platform supports deployment on SUSE CaaS Platform. SUSE CaaS Platform is an enterprise-class container management solution that enables IT and DevOps professionals to more easily deploy, manage, and scale container-based applications and services. It includes Kubernetes to au

The Stratos user interface (UI) is a modern web-based management application for Cloud Foundry. It provides a graphical management console for both developers and system administrators. Install Stratos with Helm after all of the uaa and scf pods are running.

SUSE Cloud Application Platform can be integrated with identity providers to help manage authentication of users. The Lightweight Directory Access Protocol (LDAP) is an example of an identity provider that Cloud Application Platform integrates with. This section describes the necessary components an

SUSE Cloud Application Platform supports deployment on Microsoft Azure Kubernetes Service (AKS), Microsoft's managed Kubernetes service. This chapter describes the steps for preparing Azure for a SUSE Cloud Application Platform deployment, with a basic Azure load balancer. Note that you will not cre

This chapter describes how to deploy SUSE Cloud Application Platform on Amazon Elastic Kubernetes Service (EKS), using Amazon's Elastic Load Balancer to provide fault-tolerant access to your cluster.

SUSE Cloud Application Platform supports deployment on Google Kubernetes Engine (GKE). This chapter describes the steps to prepare a SUSE Cloud Application Platform deployment on GKE using its integrated network load balancers. See for more information on

You can deploy a SUSE Cloud Application Platform on SUSE CaaS Platform stack on OpenStack. This chapter describes how to deploy a small testing and development instance with one Kubernetes master and two worker nodes, using Terraform to automate the deployment. This does not create a production depl

Eirini, an alternative to Diego, is a scheduler for the Cloud Foundry Application Runtime (CFAR) that runs Cloud Foundry user applications in Kubernetes. For details about Eirini, see and

Cloud Application Platform, which consists of Docker images, is deployed to a Kubernetes cluster through Helm. These images are hosted on a Docker registry at registry.suse.com. In an air gapped environment, registry.suse.com will not be accessible. You will need to create a registry, and populate i

Warning: Deprecation of cflinuxfs2 and sle12 Stacks. As of SUSE Cloud Foundry 2.18.0, since our cf-deployment version is 9.5, the cflinuxfs2 stack is no longer supported, as was advised in SUSE Cloud Foundry 2.17.1 or Cloud Application Platform 1.4.1. The cflinuxfs2 buildpack is no longer shipped, but if you are upgrading from an earlier version, cflinuxfs2 will not be removed. However, for migration purposes, we encourage all admins to move to cflinuxfs3 or sle15, as newer buildpacks will not work with the deprecated cflinuxfs2. If you still want to use the older stack, you will need to build an older version of a buildpack for the application to continue to work, but you will be unsupported. (If you are running on sle12, we will be retiring that stack in a future version, so start planning your migration to sle15. The procedure is described below.)

APP VERSION (appVersion in Chart.yaml). In Cloud Application Platform, the APP VERSION field indicates the Cloud Application Platform release that a Helm chart belongs to. This is in contrast to indicating the version of the application as defined in. For example, in the suse/uaa Helm chart, an APP VERSION of 1.4 is in reference to Cloud Application Platform release 1.4 and does not indicate uaa is version 1.4.

CHART VERSION (version in Chart.yaml). In Cloud Application Platform, the CHART VERSION field indicates the Helm chart version, the same as defined in. For Cloud Application Platform Helm charts, the chart version is also the release number of the corresponding component. For example, in the suse/uaa Helm chart, a CHART VERSION of 2.16.4 also indicates uaa is release 2.16.4.

tux > kubectl get pods --namespace uaa
secret-generation-1-z4nlz 0/1 Completed

tux > kubectl get pods --namespace scf
secret-generation-1-m6k2h 0/1 Completed
post-deployment-setup-1-hnpln 0/1 Completed

Some Pods Terminate and Restart during Deployment. When monitoring the status of a deployment, pods can be observed transitioning from a Running state to a Terminating state, then returning to Running again. If a RESTARTS count of 0 is maintained during this process, this is normal behavior and not due to failing pods. It is not necessary to stop the deployment. During deployment, pods will modify annotations on themselves via the StatefulSet pod spec. In order to get the correct annotations on the running pod, it is stopped and restarted. Under normal circumstances, this behavior should only result in a pod restarting once.

3.7 DNS Management

The following tables list the minimum DNS requirements to run SUSE Cloud Application Platform, using example.com as the example domain. Your DNS management is platform-dependent; for example, Microsoft AKS assigns IP addresses to your services, which you will map to A records. Amazon EKS assigns host names, which you will use to create CNAMEs. SUSE CaaS Platform provides the flexibility to manage your name services in nearly any way you wish. The chapters for each platform in this guide provide the relevant DNS instructions.