Difference between revisions of "SSH Client"

Line 211: Line 211:
 
Then, save your keys!
 
Then, save your keys!
 
You should be the only one to access the save location.
 
You should be the only one to access the save location.
 
 
  
  
Line 223: Line 221:
  
  
===Protocol and password enforcement===
+
===Allow empty password===
 
 
 
 
  
 +
<syntaxhighlight lang="bash">
 +
PermitEmptyPassword yes         # allow empty password in favor of RSA keys
 +
</syntaxhighlight>
  
  
Line 237: Line 236:
  
  
Requirements – windows
 
Download the following software:
 
• PuTTY
 
• PuTTYgen
 
• Pageant
 
 
 
Windows - Generate new private / public keys pair
 
Start PuTTYgen
 
 
 
Create a 4096 bits key, DSA algorithm.
 
 
 
 
Then, click on generate
 
When the keys are OK, you have to enter a key passphrase.
 
 You passphrase must be long (> 15 characters), hard to guess, with letters + signs + numbers
 
 
 Reminder: how to choose your passphrase and protect it:
 
http://www.alcf.anl.gov/resource-guides/user-authentication-policies
 
 
Then, save your keys!
 
You should be the only one to access the save location.
 
 
 
Declare the public key on the server
 
You have to log in to your SSH server with the standard user that’s gonna use this key.
 
Go to your home directory, and create a .ssh folder (if there was none before).
 
# cd ~
 
# mkdir .ssh
 
# cd .ssh
 
# vim authorized_key2
 
 
Prefix your key with:
 
RSA: ssh-rsa
 
DSA: ssh-dss
 
Then paste the public key into the file in one line!
 
 
Copy the text as shown on the previous image.
 
 
Example:
 
ssh-rsa AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
 
ssh-dss AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
 
 
Adjust file rights
 
 The authorized_keys2  file must be write/readable only by that user
 
 
# chmod 600 authorized_keys2
 
# cd ..
 
# chmod 700 .ssh
 
 
Windows – configure PuTTY client
 
  
You have to configure your PuTTY SSH client with this new key.
 
  
 
Create profile
 
Create profile
Line 326: Line 271:
 
to:
 
to:
 
   
 
   
 
 
 
 
Restart SSH server:
 
#  /etc/init.d/ssh restart
 
 
OVH server: root access
 
 
OVH requires a root access for maintenance.
 
OVH uses a RSA key for authentication. You have to let the following settings:
 
SSH port : 22
 
Root login : enable
 
UsePam: yes
 
 
 
 Important
 
If this access is removed then OVH will stop your server in case of DoS.
 
More details: http://guide.ovh.com/InstallClefOVH
 
 
  
  

Revision as of 14:47, 6 June 2014

Installation

By default Debian | Ubuntu doesn't include any SSH server.

apt-get install ssh openssh-server



SSH server configuration

Edit the configuration file:

vim /etc/ssh/sshd_config


X11 forwarding

In the configuration file, uncomment and set:

ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes


Enable | Disable the forwarding:

# This server doesn’t have a XServer. Therefore do not forward graphical data.
X11Forwarding no


Port(s) number

You can listen on multiple port. Just do the following:

Port 22
Port 2200


Security psycho mode:

# The default port SSH is 22. You may want to change that port to another one so your server will be more discreet.
# NB: if your server is hosted the provider might need access for maintenance purposes.
Port XXXXX


Restart SSH server

/etc/init.d/ssh restart



SSH server configuration - Authentication by Linux user login / password

Principle

This is the default authentication system.


Each user that has a local account on the server and member is allowed to access the SSH server with its login / password.

SSH default authentication system


Configuration changes

vim /etc/ssh/sshd_config


Protocol and password enforcement

Protocol 2			# only use SSH v2
PermitRootLogin no		# Avoid root connections
PermitEmptyPassword no	        # Forbidden user with empty passwords


Login time

# Time to log
LoginGraceTime 30


Restart SSH server

/etc/init.d/ssh restart



SSH server configuration - Authentication with RSA keys

Introduction

If you’d like to increase the authentication process you can use authentication by private/public key.

  • Generate new private / public keys on your own computer
  • Put the public key on the remote SSH server
  • Only the person with the private key can be authenticate on the server


SSH RSA authentication


For instance, this is how hosting company such as OVH can log on your system.


Security improvement: remove password authentication

When the key authentication is working you can remove the default access by login / password. Then, only people with a valid private/public key pair can log in.

That way, there is no way for brute-force attacks to be successful, so your system is more secure.


Declare the public key on the server

You have to:

  • log in to your SSH server with the user that’s gonna use this key
  • Go to user's home directory
  • Create a .ssh folder (if there was none before).
cd ~
mkdir .ssh
cd .ssh


Add the new public key to the list of allowed keys:

vim authorized_key2


Prefix your key with:

  • RSA: ssh-rsa
  • DSA: ssh-dss

Then paste the public key in one line - the public key mustn't be change or separated in 2 lines!


# Example: 
ssh-rsa AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
ssh-dss AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com


Adjust file rights, the authorized_keys2 file must be write/readable only by that user

chmod 600 authorized_keys2
cd ..
chmod 700 .ssh


How-to generate private / public keys in Windows

You can generate private / public keys with PuttyGen = Putty key generator.


puttyGen first step


When the keys are OK, you have to enter a key pass-phrase. Your pass-phrase must be:

  • long (> 15 characters)
  • hard to guess
  • with letters + signs + numbers


Reminder

how to choose your passphrase and protect it: http://www.alcf.anl.gov/resource-guides/user-authentication-policies


PuttyGen 2nd step


Then, save your keys! You should be the only one to access the save location.


Configuration changes

vim /etc/ssh/sshd_config


Allow empty password

PermitEmptyPassword yes	        # allow empty password in favor of RSA keys


Restart SSH server

/etc/init.d/ssh restart



Create profile

Auto-login



Attach private key


Save profile Go back to the main screen Session and save your changes.


Click on “open” to initialize connection.

Login procedure

 Type your passphrase on system request


Access is granted! 

Disable standard username / password login

Edit the configuration file

  1. vim /etc/ssh/sshd_config

Adjust the line:


to:



Fail2ban

see Fail2ban#SSH_configuration




SSH client

Linux

# syntax
ssh user@server -p portNumber

# example
ssh root@daxiongmao.eu -p 4422



References

Source: http://www.howtoforge.com/ssh_key_based_logins_putty

Windows - putty software: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html