From Sharcnet HPC
SSH
Allow SSH Root Login From Selected IP Addresses
To better secure your system by allowing only selected hosts to ssh in as root, use the Match keyword in /etc/ssh/sshd_config.
For example, to allow only 192.168.x to ssh into the system as root, do the following. If you are using
Edit the SSH Config
% vim /etc/ssh/sshd_config
1. By IP Addresses
PermitRootLogin no
.....
.....
# Example of overriding settings on a per-user basis
Match Address 192.168.*,172.21.1.1
    PermitRootLogin yes
2. By Host Name
PermitRootLogin no
UseDNS yes
.....
.....
# Example of overriding settings on a per-user basis
Match Host *.example.com,host1.idontknow.com
    PermitRootLogin yes
3. By User and IP Addresses
PermitRootLogin no
UseDNS yes
.....
.....
# Example of overriding settings on a per-user basis
Match User user1 Host *.example.com
    PermitRootLogin yes
Restart SSH Service
% systemctl restart sshd.service
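A small model of how sshd picks the PermitRootLogin value for one connection from the Match blocks above, as an added example (not code from the original post or from OpenSSH). It handles only the Address, Host and User criteria; the function names and SAMPLE_CONFIG are constructed for illustration.

```python
import fnmatch
import ipaddress

# Constructed sample: the page's option 1 and option 3 combined in one file.
SAMPLE_CONFIG = """\
PermitRootLogin no
UseDNS yes
Match Address 192.168.*,172.21.1.1
    PermitRootLogin yes
Match User user1 Host *.example.com
    PermitRootLogin yes
"""

def pattern_list_matches(value, patterns):
    """Comma-separated pattern list: wildcards, CIDR, and '!' negation."""
    matched = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        if "/" in pat:  # CIDR form, only meaningful for Address
            try:
                hit = ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
            except ValueError:
                hit = False
        else:  # wildcard form; hostnames are assumed to be lowercase already
            hit = fnmatch.fnmatchcase(value, pat)
        if hit and negate:
            return False  # a negated hit vetoes the whole list
        matched = matched or hit
    return matched

def effective_permit_root_login(config, user, addr, host):
    """Return the PermitRootLogin value this connection would get (None if unset)."""
    conn = {"user": user, "address": addr, "host": host}
    global_value, match_value, active, in_match = None, None, True, False
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0].lower()
        if key == "match":  # every criterion on the line must match
            in_match = True
            criteria = zip(words[1::2], words[2::2])
            active = all(pattern_list_matches(conn[c.lower()], p) for c, p in criteria)
        elif key == "permitrootlogin" and active:
            if in_match and match_value is None:
                match_value = words[1]  # first matching block wins
            elif not in_match and global_value is None:
                global_value = words[1]
    # A login as root never satisfies "User user1", so that block leaves root at "no".
    return match_value or global_value
```

On a real server, `sshd -t` checks the file's syntax before the restart, and `sshd -T -C user=root,addr=192.168.5.7,host=node7` prints the settings that connection would receive.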
SSH and X-Forwarding on CentOS 6
I encountered this error recently when trying to X forward to another remote site.
"Warning: No xauth data; using fake authentication data for X11 forwarding."
and there was no and doesn’t display picture.
These are the steps I took to troubleshoot:
- I checked my /etc/ssh/sshd_config and noted that I have “X11Forwarding yes”
- In my .ssh/config, I have “ForwardX11 yes”
- But one of my parameters in /etc/ssh/sshd_config was “X11Uselocalhost yes”. Apparently, I was able to X11 forward for hosts specified in my /etc/hosts file, but for those outside my hosts file, I was not able to display the picture.
- But once I modified the “X11Uselocalhost no”, the issue was resolved.
There was this post in which a user explained it quite well. (http://www.authsecu.com/nntp/comp-security-ssh/19540-comp-security-ssh-what-does-%22x11uselocalhost-no%22-do.htm)
When doing X forwarding, sshd listens on a TCP socket for connections from X clients. Normally, it will accept connections addressed to the loopback address only (127.0.0.1), restricting it to clients on the local host. X11UseLocalhost no means it will accept connections from anywhere.
Building Public Key, SSH Private Key and Authorized Key
If you are rebuilding the SSH keys for a user who has accidentally destroyed the files inside their .ssh directory, follow these steps.
Step 1: Generate the Private Key
# ssh-keygen -t rsa
Step 2: Generate the Public Key from Private Key
# ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
Step 3: Generate the Authorized Key
# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Step 4: Generate Config File
# touch ~/.ssh/config
StrictHostKeyChecking no