
Wednesday 16 May 2018

Passwordless Authentication via the SSH service


SSH, or Secure Shell, is a protocol used to securely log onto remote systems. It is the most common way to access remote Linux and Unix-like servers.

In this post I explain how to create an SSH key pair (saved as a .pem file) for logging in to a remote server, and how to disable password authentication on the server.

1. Create an SSH key pair for the user

[root@sshserver ~]# ssh-keygen -t rsa -b 2048 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/centos.
Your public key has been saved in /root/.ssh/centos.pub.
The key fingerprint is:
SHA256:nyvUUxXSRpqpAkydVjoF9RS1Kyz1WOA6Q8THNWV+rTw root@sshserver.example.com
The key's randomart image is:
+---[RSA 2048]----+
| ...*=.=**oo|
| o ++.+o*+=.|
| o.o ..Boo +|
| . o =.= o.|
| S.*.+ E |
| .oo= . . |
| . o. |
| . . |
| .. |
+----[SHA256]-----+
[root@sshserver ~]# cd /root/.ssh/

2. Append the public key to the authorized_keys file.

[root@sshserver ~]# cat id_rsa.pub >> authorized_keys

3. Rename the private key to centos.pem (and the public key to centos.pub)


[root@sshserver ~]# mv id_rsa.pub centos.pub
[root@sshserver ~]# mv id_rsa centos.pem
[root@sshserver ~]# ls -l .ssh/
total 16
-rw-------. 1 root root 616 May 16 13:33 authorized_keys
-rw-------. 1 root root 668 May 16 13:33 centos.pem
-rw-r--r--. 1 root root 616 May 16 13:33 centos.pub
-rw-r--r--. 1 root root 175 May 16 13:35 known_hosts
[root@sshserver ~]#

4. Now change the settings below in the sshd_config file (PubkeyAuthentication yes, PasswordAuthentication no, ChallengeResponseAuthentication no).

[root@sshserver ~]# vim /etc/ssh/sshd_config
[root@sshserver ~]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes


# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no


# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
[root@sshserver ~]#


5. After changing the above settings in sshd_config, restart the sshd service. Keep your current session open until you have confirmed that key-based login works, so you are not locked out if the key is rejected.

[root@sshserver ~]#service sshd restart

6. Now copy the private key (.pem) file to the remote client machine with scp. The private key is the login credential, so transfer it only to the machine that will log in and protect it like a password.

[root@sshserver ~]# scp centos.pem user@remote.server:/home/user



7. Now log in to the SSH server with the -i option; no password should be requested. The key file must be readable only by its owner (mode 0600), otherwise ssh refuses to use it.

[root@remote ~]# ssh -i /home/user/centos.pem root@sshserver.example.com
Enjoy. 




Friday 4 May 2018

Configure OpenDKIM


DKIM is a way of 'signing' emails to prove they came from you. It is a form of email authentication that works via a digital signature and makes it easier to identify spoofed emails. The sending mail server signs the email with the private key, and the receiving mail server uses the public key in the domain's DNS information to verify the signature. One domain can have several DKIM keys publicly listed in DNS, but each matching private key is only on one mail server.

Install OpenDKIM

[root@mail ~]# yum install opendkim -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.nbrc.ac.in
* epel: mirror1.ku.ac.th
* extras: mirror.nbrc.ac.in
* remi-safe: mirrors.thzhost.com
* rpmforge: mirror.smartmedia.net.id
* updates: mirror.nbrc.ac.in
(1/3): updates/7/x86_64/primary_db | 6.9 MB 00:00
(2/3): epel/x86_64/primary_db | 6.3 MB 00:00
(3/3): remi-safe/primary_db | 1.2 MB 00:02
Resolving Dependencies
--> Running transaction check
---> Package opendkim.x86_64 0:2.11.0-0.1.el7 will be installed
--> Processing Dependency: libopendkim(x86-64) = 2.11.0-0.1.el7 for package: opendkim-2.11.0-0.1.el7.x86_64
--> Processing Dependency: libbsd.so.0(LIBBSD_0.0)(64bit) for package: opendkim-2.11.0-0.1.el7.x86_64
--> Processing Dependency: libbsd.so.0()(64bit) for package: opendkim-2.11.0-0.1.el7.x86_64
--> Processing Dependency: libmemcached.so.11()(64bit) for package: opendkim-2.11.0-0.1.el7.x86_64
--> Processing Dependency: libmemcachedutil.so.2()(64bit) for package: opendkim-2.11.0-0.1.el7.x86_64
--> Processing Dependency: libmilter.so.1.0()(64bit) for package: opendkim-2.11.0-0.1.el7.x86_64
--> Processing Dependency: libopendbx.so.1()(64bit) for package: opendkim-2.11.0-0.1.el7.x86_64
--> Processing Dependency: libopendkim.so.11()(64bit) for package: opendkim-2.11.0-0.1.el7.x86_64
--> Running transaction check
---> Package libbsd.x86_64 0:0.8.3-1.el7 will be installed
---> Package libmemcached.x86_64 0:1.0.16-5.el7 will be installed
---> Package libopendkim.x86_64 0:2.11.0-0.1.el7 will be installed
---> Package opendbx.x86_64 0:1.4.6-6.el7 will be installed
---> Package sendmail-milter.x86_64 0:8.14.7-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================
Package Arch Version Repository Size
=======================================================================
Installing:
opendkim x86_64 2.11.0-0.1.el7 epel 222 k
Installing for dependencies:
libbsd x86_64 0.8.3-1.el7 epel 85 k
libmemcached x86_64 1.0.16-5.el7 base 237 k
libopendkim x86_64 2.11.0-0.1.el7 epel 75 k
opendbx x86_64 1.4.6-6.el7 epel 46 k
sendmail-milter x86_64 8.14.7-5.el7 base 71 k

Transaction Summary
=======================================================================
Install 1 Package (+5 Dependent packages)

Total download size: 735 k
Installed size: 1.8 M
Downloading packages:
(1/6): libbsd-0.8.3-1.el7.x86_64.rpm | 85 kB 00:00
(2/6): libmemcached-1.0.16-5.el7.x86_64.rpm | 237 kB 00:00
(3/6): sendmail-milter-8.14.7-5.el7.x86_64.rpm | 71 kB 00:00
(4/6): libopendkim-2.11.0-0.1.el7.x86_64.rpm | 75 kB 00:00
(5/6): opendbx-1.4.6-6.el7.x86_64.rpm | 46 kB 00:00
(6/6): opendkim-2.11.0-0.1.el7.x86_64.rpm | 222 kB 00:01
--------------------------------------------------------------------------------------------------------------------
Total 529 kB/s | 735 kB 00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libbsd-0.8.3-1.el7.x86_64 1/6
Installing : libopendkim-2.11.0-0.1.el7.x86_64 2/6
Installing : libmemcached-1.0.16-5.el7.x86_64 3/6
Installing : sendmail-milter-8.14.7-5.el7.x86_64 4/6
Installing : opendbx-1.4.6-6.el7.x86_64 5/6
Installing : opendkim-2.11.0-0.1.el7.x86_64 6/6
Verifying : opendbx-1.4.6-6.el7.x86_64 1/6
Verifying : sendmail-milter-8.14.7-5.el7.x86_64 2/6
Verifying : libopendkim-2.11.0-0.1.el7.x86_64 3/6
Verifying : opendkim-2.11.0-0.1.el7.x86_64 4/6
Verifying : libbsd-0.8.3-1.el7.x86_64 5/6
Verifying : libmemcached-1.0.16-5.el7.x86_64 6/6

Installed:
opendkim.x86_64 0:2.11.0-0.1.el7

Dependency Installed:
libbsd.x86_64 0:0.8.3-1.el7 libmemcached.x86_64 0:1.0.16-5.el7
libopendkim.x86_64 0:2.11.0-0.1.el7 opendbx.x86_64 0:1.4.6-6.el7
sendmail-milter.x86_64 0:8.14.7-5.el7

Complete!
[root@mail ~]#

Generate a DKIM key for the example.com domain

[root@mail ~]# opendkim-default-keygen
Generating default DKIM keys:
Default DKIM keys for example.com created in /etc/opendkim/keys.
[root@mail ~]#

Check the key files in the /etc/opendkim/keys directory. default.private is the signing key and must stay readable only by root and the opendkim group; default.txt contains the public-key TXT record that must be published in DNS under default._domainkey.example.com before receiving servers can verify the signatures.

[root@mail ~]# cd /etc/opendkim/keys/
[root@mail keys]# ll
total 8
-rw-r----- 1 root opendkim 887 Apr 16 16:32 default.private
-rw-r--r-- 1 root opendkim 315 Apr 16 16:32 default.txt
[root@mail keys]#

Edit the OpenDKIM configuration file.

[root@mail keys]# vim /etc/opendkim.conf
[root@mail keys]# cat /etc/opendkim.conf
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more

## BEFORE running OpenDKIM you must:

## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)

## See /usr/share/doc/opendkim/INSTALL for detailed instructions.

## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid. They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
## AddAllSignatureResults
## ADSPAction
## ADSPNoSuchDomain
## BogusPolicy
## DisableADSP
## LDAPSoftStart
## LocalADSP
## NoDiscardableMailTo
## On-PolicyError
## SendADSPReports
## UnprotectedPolicy

## CONFIGURATION OPTIONS

## Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
## messages.
#Mode v
Mode sv

## Log activity to the system log.
Syslog yes

## Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes

## If logging is enabled, include detailed logging about why or why not a message was
## signed or verified. This causes an increase in the amount of log data generated
## for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes

## Attempt to become the specified user before starting operations.
UserID opendkim:opendkim

## Create a socket through which your MTA can communicate.
Socket inet:8891@localhost

## Required to use local socket with MTAs that access the socket as a non-
## privileged user (e.g. Postfix)
Umask 002

## This specifies a text file in which to store DKIM transaction statistics.
## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics /var/spool/opendkim/stats.dat

## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See opendkim.conf(5) for details.
SendReports yes

## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <postmaster@example.com>

## Add a DKIM-Filter header field to messages passing through this filter
## to identify messages it has processed.
SoftwareHeader yes

## SIGNING OPTIONS

## Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/relaxed

## Domain(s) whose mail should be signed by this filter. Mail from other domains will
## be verified rather than being signed. Uncomment and use your domain name.
## This parameter is not required if a SigningTable is in use.
Domain example.com

## Defines the name of the selector to be used when signing messages.
Selector default

## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024

## Gives the location of a private key to be used for signing ALL messages. This
## directive is ignored if KeyTable is enabled.
#KeyFile /etc/opendkim/keys/default.private

## Gives the location of a file mapping key names to signing keys. In simple terms,
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
## directive in the configuration file. Requires SigningTable be enabled.
# KeyTable /etc/opendkim/KeyTable
KeyTable refile:/etc/opendkim/KeyTable

## Defines a table used to select one or more signatures to apply to a message based
## on the address found in the From: header field. In simple terms, this tells
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
# SigningTable refile:/etc/opendkim/SigningTable
SigningTable refile:/etc/opendkim/SigningTable

## Identifies a set of "external" hosts that may send mail through the server as one
## of the signing domains without credentials as such.
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

## Identifies a set "internal" hosts whose mail should be signed rather than verified.
# InternalHosts refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts

## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList X.X.X.X

## Always oversign From (sign using actual From and a null From to prevent
## malicious signatures header fields (From and/or others) between the signer
## and the verifier. From is oversigned by default in the Fedora package
## because it is often the identity key used by reputation systems and thus
## somewhat security sensitive.
OversignHeaders From

## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local.
# QueryCache yes
[root@mail keys]#

Add the following line to the KeyTable file

[root@mail keys]# vim /etc/opendkim/KeyTable
[root@mail keys]# cat /etc/opendkim/KeyTable
# OPENDKIM KEY TABLE
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
[root@mail keys]#

Add the following line to the SigningTable file

[root@mail keys]# vim /etc/opendkim/SigningTable
[root@mail keys]# cat /etc/opendkim/SigningTable
# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to outgoing messages based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM "how" to apply your keys.

# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
# then uncomment one of the usage examples below and replace example.com with your
# domain name, then restart OpenDKIM.

# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.

*@example.com default._domainkey.example.com

# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
# wildcards will not work. Instead, full user@host is checked first, then simply host,
# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
# "SigningTable" for more details.

#example.com default._domainkey.example.com
[root@mail keys]#

Add trusted hosts and networks. Because these entries are used for both InternalHosts and ExternalIgnoreList, mail from any host listed here is signed as example.com without further authentication, so list only the hosts and networks that are actually allowed to send mail for the domain.

[root@mail keys]# vim /etc/opendkim/TrustedHosts
[root@mail keys]# cat /etc/opendkim/TrustedHosts
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
mail.example.com
example.com
192.168.10.0/24
[root@mail keys]#

Add the following to the Postfix main.cf file. Note that milter_default_action = accept means mail is still delivered (unsigned) if OpenDKIM is unreachable, so watch the mail log for signing failures.

[root@mail keys]#
[root@mail keys]# cat /etc/postfix/main.cf



##
## add for opendkim configuration
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

[root@mail keys]#


[root@mail ~]# hash -r

Start the opendkim service, enable it at boot, and restart Postfix so it picks up the milter settings.

[root@mail ~]# systemctl start opendkim

[root@mail ~]# systemctl enable opendkim
Created symlink from /etc/systemd/system/multi-user.target.wants/opendkim.service to /usr/lib/systemd/system/opendkim.service.
[root@mail ~]# systemctl restart postfix

[root@mail ~]#