CentOS -- Create new users and enable key login

CentOS ships with only the root account. Root's authority is unrestricted, which is a poor fit for multi-person collaboration and for knowing who did what. For the sake of privilege management and security we create a regular user, grant it sudo, enable SSH key login for it, and finally forbid password login and root login over SSH.

Practised on CentOS Linux release 7.6.1810 (Core).

Create a new user

In CentOS, there is no difference between adduser and useradd:

[root@centos_7_6_1810 ~]# ll /usr/sbin/ | grep user
lrwxrwxrwx  1 root root           7 Jun 24 10:14 adduser -> useradd
-rwxr-xr-x. 1 root root       33104 Aug  3  2017 fuser
-rwxr-xr-x. 1 root root       15832 Apr 13  2018 lnewusers
-rwxr-xr-x. 1 root root       15752 Apr 13  2018 luseradd
-rwxr-xr-x. 1 root root       11576 Apr 13  2018 luserdel
-rwxr-xr-x. 1 root root       19896 Apr 13  2018 lusermod
-rwxr-xr-x  1 root root       76232 Mar 14  2019 newusers
-rwxr-xr-x  1 root root       33072 Mar 14  2019 runuser
-rwxr-xr-x. 1 root root       19720 Apr 11  2018 sasldblistusers2
-rwxr-x---  1 root root      118224 Mar 14  2019 useradd
-rwxr-x---  1 root root       80400 Mar 14  2019 userdel
-rwxr-x---  1 root root      113856 Mar 14  2019 usermod
-rwsr-xr-x. 1 root root       11376 Oct 31  2018 usernetctl

From the listing above, adduser is just a symbolic link (soft link) to useradd.

A symbolic link can be thought of, for now, as the Linux equivalent of a Windows shortcut.

Use the useradd command to create a new user:

[root@centos_7_6_1810 ~]# useradd luizyao
[root@centos_7_6_1810 ~]# ls /home/
luizyao

In many Linux distributions, useradd does not create the user's home directory under /home unless you pass -m (--create-home); note that the upper-case -M means the opposite, do not create it. CentOS creates the home directory automatically because CREATE_HOME is set to yes in /etc/login.defs.

If we want to log in with this username, we must set a password for it:

[root@centos_7_6_1810 ~]# passwd luizyao
Changing password for user luizyao.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Then we can use this user to log in to the system:

[luizyao@centos_7_6_1810 ~]$ whoami
luizyao

Granting privileges to the new user

Normally a new user has full rights only inside its own home directory (/home/luizyao/); anything beyond that has to be granted. Most often what we need is root's rights, and sudo provides them: it lets a permitted ("trusted") user run a command as another user, root by default.

A freshly created user is not on that trust list, so it cannot run commands as root yet:

Note: for this step, log in as the new user.

[luizyao@centos_7_6_1810 /]$ sudo whoami
[sudo] password for luizyao:
luizyao is not in the sudoers file.  This incident will be reported.

In CentOS there are two ways to put a new user on the sudoers list:

Note: for these steps, log in as root.

Method 1: Add the new user to the wheel group

On Red Hat-derived systems such as CentOS and Fedora, the wheel group is already granted sudo privileges in /etc/sudoers, so adding the new user to wheel is enough to obtain sudo:

[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao
[root@centos_7_6_1810 ~]# usermod -aG wheel luizyao
[root@centos_7_6_1810 ~]# groups luizyao
luizyao : luizyao wheel

We added the user to the wheel group with usermod -aG (the -a, append, matters: -G on its own replaces the user's supplementary groups). The groups command shows the groups a user belongs to.

At this point, new users can execute commands with the privilege of root:

[luizyao@centos_7_6_1810 root]$ sudo whoami
[sudo] password for luizyao:
root

Notes:

  • Used this way, sudo asks for the user's own password (not root's), because that is the default configuration for the wheel group, as follows:

    # /etc/sudoers

    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL

    ## Same thing without a password
    # %wheel        ALL=(ALL)       NOPASSWD: ALL
  • To remove the user from the group again, use the following command:

    [root@centos_7_6_1810 ~]# gpasswd -d luizyao wheel
    Removing user luizyao from group wheel
    [root@centos_7_6_1810 ~]# groups luizyao
    luizyao : luizyao
Method 2: Add the new user to the sudoers list

In the /etc/sudoers file you can configure sudo permissions for users and groups in a more flexible way, and there are two places to put the rule for the new user:

  1. Directly in /etc/sudoers. Edit it only with visudo, not a plain editor: visudo locks the file, checks the syntax before saving, and takes care of the file's read-only 0440 mode, so there is no need to chmod it writable and back. A syntax error saved into /etc/sudoers breaks sudo for every user on the system.

  2. In a dedicated file for the user under /etc/sudoers.d (recommended):

     [root@centos_7_6_1810 ~]# echo "luizyao ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/luizyao
     luizyao ALL=(ALL) NOPASSWD:ALL
     [root@centos_7_6_1810 ~]# ll /etc/sudoers.d/luizyao
     -rw-r--r-- 1 root root 32 Sep 17 17:51 /etc/sudoers.d/luizyao

     The rule says that luizyao may run any command (the third ALL) on any host (the first ALL) as any user (the second ALL, root by default) without being asked for a password:

     [luizyao@centos_7_6_1810 root]$ sudo whoami
     root

     Notes: The file name can be arbitrary, but by convention it is the user name. sudo ignores files in /etc/sudoers.d whose names contain a "." or end in "~", so a file called luizyao.conf would silently grant nothing. Writing the file with tee bypasses the syntax check that visudo would do; run visudo -cf /etc/sudoers.d/luizyao afterwards and set the file to mode 0440 like /etc/sudoers itself. NOPASSWD: ALL is convenient, but it means anyone who obtains this account's session or SSH key is root with no further check; the password-prompting form used for the wheel group is the safer default.
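The following is an added example, not code from the original article: it creates the per-user drop-in from Method 2 the careful way, refusing file names sudo would ignore, setting mode 0440, and syntax-checking with visudo before the file is renamed into place. The function names, the SUDOERS_D override (so the functions can be exercised in a scratch directory without root) and the "passwd"/"nopasswd" mode switch are this example's own assumptions; visudo is only run when we are root, because visudo -c also verifies the file's owner.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: create a per-user
# /etc/sudoers.d drop-in the careful way instead of `echo ... | tee`.
# Assumptions: SUDOERS_D may be pointed at a scratch directory (so the
# functions can be exercised without root); visudo may be absent, and
# the syntax check is only run when we are root (visudo -c also verifies
# the file's owner).
set -u

SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# sudo's "#includedir /etc/sudoers.d" skips files whose name contains a
# "." or ends in "~" (editor backups, "user.rpmnew" and the like), so such
# a name would silently grant nothing. Refuse it up front.
valid_dropin_name() {
  case "$1" in
    ''|*.*|*~|*/*) return 1 ;;
    *)             return 0 ;;
  esac
}

# sudoers_rule USER MODE -> prints the rule line.
#   passwd   : ask for the user's own password, like the default %wheel rule
#   nopasswd : what the article uses; weaker, because whoever holds the
#              user's session or SSH key becomes root with no further check
sudoers_rule() {
  local user="$1" mode="${2:-passwd}"
  case "$mode" in
    passwd)   printf '%s ALL=(ALL) ALL\n' "$user" ;;
    nopasswd) printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" ;;
    *)        echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# write_sudoers_dropin USER [MODE]
# Writes the rule to a temporary file in the same directory (its name
# contains a ".", so sudo ignores it while it is half-written), sets the
# 0440 mode sudo expects, syntax-checks it with visudo when possible and
# only then renames it into place. A broken sudoers.d file disables sudo
# for everyone, which is why the check comes before the rename.
write_sudoers_dropin() {
  local user="$1" mode="${2:-passwd}" target tmp
  valid_dropin_name "$user" || { echo "bad drop-in name: $user" >&2; return 1; }
  target="$SUDOERS_D/$user"
  tmp="$(mktemp "$SUDOERS_D/.$user.XXXXXX")" || return 1
  if ! sudoers_rule "$user" "$mode" > "$tmp" || ! chmod 0440 "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    if ! visudo -cf "$tmp" >/dev/null; then
      echo "syntax check failed, not installing $target" >&2
      rm -f "$tmp"; return 1
    fi
  fi
  mv -f "$tmp" "$target"
}

# file_mode PATH -> octal mode such as 440 (GNU stat, BSD stat fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }
```

On the server this would be run as root as write_sudoers_dropin luizyao passwd (or nopasswd to reproduce the article's rule); the temporary-file-then-rename pattern means sudo never sees a partially written or unchecked file.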

Enable SSH key login for the new user

For this part, log in to the system as the new user.

  • Create a key pair:

    [luizyao@centos_7_6_1810 ~]$ ssh-keygen -t ecdsa  # Elliptic Curve Digital Signature Algorithm
    Generating public/private ecdsa key pair.
    Enter file in which to save the key (/home/luizyao/.ssh/id_ecdsa):  # path where the key pair is stored
    Created directory '/home/luizyao/.ssh'.
    Enter passphrase (empty for no passphrase):  # passphrase that encrypts the private key on disk
    Enter same passphrase again:  # confirm the passphrase
    Your identification has been saved in /home/luizyao/.ssh/id_ecdsa.
    Your public key has been saved in /home/luizyao/.ssh/id_ecdsa.pub.
    The key fingerprint is:
    SHA256:FljQN9JFxB/C83Mv7N3rFNLCxXICRxaKzKDb+Tzsgwo luizyao@centos_7_6_1810
    The key's randomart image is:
    +---[ECDSA 256]---+
    |      .+.. B==.  |
    |      .o* = X o  |
    |     .. .* o B = |
    |      o ..  . X .|
    |     . oS    = =.|
    |       .+     = o|
    |   E    .=   . +.|
    |    .  ....   o o|
    |     ..  ..   .o.|
    +----[SHA256]-----+

    Set a passphrase: without one, anyone who copies the private key file can use it immediately. ssh-keygen -t ed25519 is also supported by the OpenSSH 7.4 shipped with CentOS 7 and is the usual recommendation today; the remaining steps are identical.
  • Download the private key to the local machine:

    Practised from macOS.

    Download the private key with scp:

    yaomengdeMacBook-Air:~ yaomeng$ scp luizyao@<ip address>:/home/luizyao/.ssh/id_ecdsa ~/.ssh/

    Note that this copies a private key off the server. A private key should normally never leave the machine it was generated on: the usual practice is the reverse, generate the pair on your laptop and send only the public key to the server (ssh-copy-id -i ~/.ssh/id_ecdsa.pub luizyao@<ip address> does exactly that). If you follow the order used here, delete the private key from the server once it is on your laptop, otherwise root on the server, or anyone who later compromises it, can reuse it.

    At this point the key is not yet accepted, so the client still falls back to password login:

    yaomengdeMacBook-Air:~ yaomeng$ ssh luizyao@<ip address>
    Enter passphrase for key "/Users/yaomeng/.ssh/id_ecdsa":  # private-key passphrase; the key is tried and rejected
    luizyao@www.luizyao.com password:  # luizyao's account password
    Last login: Tue Sep 17 22:50:22 2019
  • Passwordless SSH login

    Rename the public key to authorized_keys:

    [luizyao@centos_7_6_1810 ~]$ mv ~/.ssh/id_ecdsa.pub ~/.ssh/authorized_keys
    [luizyao@centos_7_6_1810 ~]$ ll ~/.ssh/
    total 8
    -rw-r--r-- 1 luizyao luizyao 185 Sep 17 22:58 authorized_keys
    -rw------- 1 luizyao luizyao 314 Sep 17 22:58 id_ecdsa

    Notes:

    • I renamed the file because there was no authorized_keys yet; if one already exists, append the public key to it instead:

      cat ~/.ssh/id_ecdsa.pub >> ~/.ssh/authorized_keys

    • If the authorized_keys file, the ~/.ssh/ directory, or the user's home directory (/home/luizyao/) is writable by other users, sshd treats the file as unsafe and will not use it unless StrictModes has been set to no. Keep ~/.ssh at mode 700 and authorized_keys at 600 (the 644 shown above also passes the check, since only write access by others matters).

      The man sshd page documents this:

      ~/.ssh/authorized_keys
                Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user.  The format of this file is described above.  The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.

                If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users.  In this case, sshd will not allow it to be used unless the StrictModes option has been set to "no".

    Now the key is accepted and we log in without the account password (only the key's passphrase is asked for):

    yaomengdeMacBook-Air:~ yaomeng$ ssh luizyao@www.luizyao.com
    Enter passphrase for key "/Users/yaomeng/.ssh/id_ecdsa":  # private-key passphrase
    Last login: Wed Sep 18 00:00:41 2019 from 49.65.108.161
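The following is an added example, not code from the original article: it installs a public key into ~/.ssh/authorized_keys with the permissions StrictModes expects (appending rather than overwriting, and without adding the same key twice) and then checks the whole path the way sshd does. The function names are this example's own; HOME is treated as a parameter so the functions can be exercised in a scratch directory, and the key material used in the usage is constructed, not a real key.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: install a public key
# into ~/.ssh/authorized_keys the way sshd's StrictModes expects, and
# verify afterwards that nothing on the path is writable by others.
# Assumptions: HOME may point at a scratch directory (so the functions can
# be exercised safely); the key is passed as a string, and any sample key
# used with it is constructed, not a real key.
set -u

# install_authorized_key "<type> <base64 blob> [comment]"
#  - ~/.ssh is created with mode 0700, authorized_keys kept at 0600
#  - the key is appended only if the same type+blob is not already
#    present (the comment is ignored), so re-running does not grow the file
#  - lines that start with key options ("from=...", "no-pty") are not
#    normalised; they simply will not match and the key is appended
install_authorized_key() {
  local key="$1" dir="$HOME/.ssh" file="$HOME/.ssh/authorized_keys" id
  id="$(printf '%s\n' "$key" | awk 'NF >= 2 { print $1, $2 }')"
  [ -n "$id" ] || { echo "not a 'type blob' key line" >&2; return 1; }
  mkdir -p "$dir" && chmod 0700 "$dir" || return 1
  touch "$file" && chmod 0600 "$file" || return 1
  if awk -v want="$id" '($1 " " $2) == want { found = 1 } END { exit !found }' "$file"; then
    return 0        # already installed
  fi
  printf '%s\n' "$key" >> "$file"
}

# count_authorized_keys -> number of key lines (blank and # lines excluded)
count_authorized_keys() {
  awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$HOME/.ssh/authorized_keys"
}

# strictmodes_ok -> 0 when $HOME, $HOME/.ssh and authorized_keys exist,
# belong to the current user and are not writable by group or others;
# this is the condition sshd enforces when StrictModes is yes (the default).
strictmodes_ok() {
  local p owner mode
  for p in "$HOME" "$HOME/.ssh" "$HOME/.ssh/authorized_keys"; do
    [ -e "$p" ] || return 1
    owner="$(stat -c '%u' "$p" 2>/dev/null || stat -f '%u' "$p")"
    [ "$owner" = "$(id -u)" ] || return 1
    mode="$(stat -c '%a' "$p" 2>/dev/null || stat -f '%OLp' "$p")"
    # the last two octal digits are group and other; 2, 3, 6 or 7 include the write bit
    case "$mode" in
      *[2367][0-7]|*[0-7][2367]) return 1 ;;
    esac
  done
  return 0
}
```

On the server, install_authorized_key "$(cat /path/to/id_ecdsa.pub)" followed by strictmodes_ok tells you before the first login attempt whether sshd will silently ignore the file; the same permission check is worth running whenever key login "mysteriously" falls back to a password prompt.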
    
  • Disable SSH password login

    Right now password login still works, which leaves the account exposed to password guessing. Let's forbid logging in with a password.

    On CentOS it is enough to set PasswordAuthentication to no in the SSH configuration file /etc/ssh/sshd_config. Edit the existing "PasswordAuthentication yes" line rather than adding a second one, because sshd uses the first occurrence of a directive. ChallengeResponseAuthentication is already no in the CentOS 7 default file; leave it that way, otherwise PAM can still ask for the password through keyboard-interactive authentication. Keep your current session open and run sudo sshd -t to make sure the file still parses, then restart the SSH service:

    [luizyao@centos_7_6_1810 ~]$ sudo systemctl restart sshd

    Confirm from a second terminal that key login still works before closing the first one. SSH password login is now disabled and only the key can be used.

  • Other

    To harden the system further, a few more things can be done:

    Forbid the root user from logging in over SSH

    Set PermitRootLogin to no in the SSH configuration file /etc/ssh/sshd_config and restart the SSH service. Do this only after the new user's sudo and key login have been verified, otherwise you lock yourself out of administering the machine.

    Use a non-standard SSH port

    The default SSH port is 22. We can move it to an uncommon one: change the Port value in /etc/ssh/sshd_config (for example to 10178) and restart the SSH service. This only keeps sshd out of the most casual scans; it is no substitute for key-only login.

    On CentOS 7 the port change needs two more things, otherwise sshd cannot bind the new port or nobody can reach it. First, SELinux only allows sshd to listen on ports labelled ssh_port_t (just 22 by default), so label the new port with semanage port -a -t ssh_port_t -p tcp 10178 (semanage is in the policycoreutils-python package). Second, the firewall has to admit the new port. CentOS 7 uses firewalld by default; we configure it by overriding the ssh service definition:

    • Copy firewalld's default ssh service definition into the system configuration folder (a file in /etc/firewalld/services/ takes precedence over the one of the same name in /usr/lib/firewalld/services/):

      [luizyao@centos_7_6_1810 ~]$ sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

    • Change the port in the copied file:

      <!-- /etc/firewalld/services/ssh.xml -->

      <?xml version="1.0" encoding="utf-8"?>
      <service>
        <short>SSH</short>
        <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
        <port protocol="tcp" port="10178"/>
      </service>

    • Reload the firewalld configuration:

      [luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload
      success

    The ssh service is already enabled in the default public zone, so the reload is enough for the new port to be allowed in place of 22. Test the new port from a second terminal before closing the existing session.
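The following is an added example, not code from the original article: it applies the sshd_config changes from this section (password login off, root login off, a different port) with an editor function that is safe to re-run, and gathers the CentOS 7 side-effects of moving the port into one root-only function. The function names are this example's own; the config path and port are parameters, "Key Value" lines are assumed (CentOS's file uses that form; "Key=Value" is not recognised here), and sshd -t, semanage and firewall-cmd are only invoked when running as root. Unlike the article, the firewall step opens the port directly instead of overriding ssh.xml.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: apply this section's
# sshd_config changes (no password login, no root login, a non-default
# port) with an idempotent editor, and collect the CentOS 7 side-effects
# of moving the port in one root-only function.
# Assumptions: the config path and port are parameters; the file uses
# "Key Value" lines (CentOS's does; "Key=Value" is not recognised here);
# sshd -t, semanage and firewall-cmd are only invoked when running as root.
set -u

# set_sshd_option FILE KEY VALUE
#  - sshd uses the FIRST occurrence of a keyword, so the first active
#    directive is rewritten and later active duplicates are dropped;
#  - everything from the first "Match" line on is left untouched, since
#    directives there apply only to that block; a directive that has to
#    be added goes in front of it, never at the end of the file;
#  - the result is written back with "cat > file", which keeps the file's
#    inode, mode, owner and SELinux label.
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp rc
  tmp="$(mktemp)" || return 1
  awk -v key="$key" -v value="$value" '
    { lines[NR] = $0 }
    !first_match && tolower($1) == "match" { first_match = NR }
    END {
      if (!first_match) first_match = NR + 1
      for (i = 1; i <= NR; i++) {
        l = lines[i]; sub(/^[ \t]+/, "", l); split(l, f, /[ \t]+/)
        if (i < first_match && tolower(f[1]) == tolower(key)) {
          if (!done) { print key, value; done = 1 }
          continue                      # drop duplicate active directive
        }
        if (i == first_match && !done) { print key, value; done = 1 }
        print lines[i]
      }
      if (!done) print key, value       # no Match block: appending is safe
    }' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# get_sshd_option FILE KEY -> the global value sshd would use
# (first active directive before any Match block), empty if unset
get_sshd_option() {
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the settings discussed in this section
harden_sshd() {
  local file="$1" port="$2"
  set_sshd_option "$file" PasswordAuthentication no          || return 1
  # CentOS 7 ships this as "no" already; keep it that way, or PAM can
  # still ask for the password through keyboard-interactive auth
  set_sshd_option "$file" ChallengeResponseAuthentication no || return 1
  set_sshd_option "$file" PubkeyAuthentication yes           || return 1
  set_sshd_option "$file" PermitRootLogin no                 || return 1
  set_sshd_option "$file" Port "$port"                       || return 1
}

# check_sshd_config FILE: let sshd parse the file before anything is
# restarted. sshd -t needs the host keys, so it is only meaningful as root.
check_sshd_config() {
  if [ "$(id -u)" -eq 0 ] && [ -x /usr/sbin/sshd ]; then
    /usr/sbin/sshd -t -f "$1"
  else
    echo "not root: skipping sshd -t for $1" >&2
  fi
}

# allow_new_port_root PORT: what else CentOS 7 needs before sshd can serve
# the new port. SELinux only lets sshd bind ports labelled ssh_port_t
# (semanage comes from policycoreutils-python), and firewalld must admit
# the port; the article does the latter by overriding ssh.xml, this opens
# the port directly instead.
allow_new_port_root() {
  local port="$1"
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$port" || return 1
  firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
}
```

On the server the order is harden_sshd /etc/ssh/sshd_config 10178, check_sshd_config /etc/ssh/sshd_config, allow_new_port_root 10178, then systemctl restart sshd, and ssh -p 10178 from a second terminal before the existing session is closed. The Match handling is the part most ad-hoc sed one-liners get wrong: a directive appended after a Match block only applies inside that block, and sshd keeps honouring the earlier global value.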

    Block ping

    Add the following rules to the firewall and reload the configuration:

    [luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-reply
    [luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --permanent --add-icmp-block=echo-request
    [luizyao@centos_7_6_1810 ~]$ sudo firewall-cmd --reload

    This only hides the host from simple ping sweeps; the open SSH port is still found by a port scan, and it makes ICMP-based troubleshooting harder, so treat it as cosmetic rather than as a security control.

Keywords: Linux ssh sudo CentOS firewall

Added by Maiku on Wed, 18 Sep 2019 14:45:52 +0300