Difference between revisions of "SSH Client"

 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Installation=
+
[[Category:Linux]]
  
By default Debian | Ubuntu doesn't include any SSH server.
 
<syntaxhighlight lang="bash">
 
apt-get install ssh openssh-server
 
</syntaxhighlight>
 
  
 +
=SSH client=
  
  
 +
==Linux==
  
=SSH server configuration=
+
===Standard login===
 
 
 
 
Edit the configuration file:
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/ssh/sshd_config
+
# syntax
</syntaxhighlight>
+
ssh user@server -p portNumber
  
 
+
# example
==X11 forwarding==
+
ssh root@daxiongmao.eu -p 4422
 
 
In the configuration file, uncomment and set:
 
<syntaxhighlight lang="bash">
 
ForwardAgent yes
 
ForwardX11 yes
 
ForwardX11Trusted yes
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
'''Enable | Disable the forwarding:'''
+
===Using RSA key===
 
 
<syntaxhighlight lang="bash">
 
# This server doesn’t have a XServer. Therefore do not forward graphical data.
 
X11Forwarding no
 
</syntaxhighlight>
 
 
 
 
 
==Port(s) number==
 
 
 
You can listen on multiple port. Just do the following:
 
 
 
<syntaxhighlight lang="bash">
 
Port 22
 
Port 2200
 
</syntaxhighlight>
 
 
 
 
 
Security psycho mode:
 
 
 
<syntaxhighlight lang="bash">
 
# The default port SSH is 22. You may want to change that port to another one so your server will be more discreet.
 
# NB: if your server is hosted the provider might need access for maintenance purposes.
 
Port XXXXX
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Restart SSH server==
 
 
 
<syntaxhighlight lang="bash">
 
/etc/init.d/ssh restart
 
</syntaxhighlight>
 
 
 
 
 
 
 
 
 
=Firewall=
 
 
 
See [[Firewall#SSH]]
 
 
 
 
 
 
 
=SSH server configuration - Authentication by Linux user login / password=
 
 
 
==Principle==
 
 
 
This is the default authentication system.
 
 
 
 
 
Each user that has a '''local account on the server''' and member is allowed to access the SSH server with its login / password.
 
 
 
[[File:SSH server default auth.png|none|SSH default authentication system]]
 
 
 
 
 
 
 
==Configuration changes==
 
  
<syntaxhighlight lang="bash">
+
Key points:
vim /etc/ssh/sshd_config
+
* The key must belongs to the current user
</syntaxhighlight>
+
* The key rights must be "500"  
  
  
===Protocol and password enforcement===
+
Then you can log-in using the following command:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
Protocol 2 # only use SSH v2
+
ssh -i Guillaume_OpenSSH.private -p 2200 guillaume@dev.daxiongmao.eu
PermitRootLogin no # Avoid root connections
 
PermitEmptyPassword no         # Forbidden user with empty passwords
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 +
Where:
 +
* '''-i''' ''myFile'' = the private key you have to use
 +
* '''-p''' ''port'' = specific port number (if not default 22)
  
===Login time===
 
  
<syntaxhighlight lang="bash">
 
# Time to log
 
LoginGraceTime 30
 
</syntaxhighlight>
 
  
 
+
===X11 forwarding===
==Restart SSH server==
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
/etc/init.d/ssh restart
+
ssh -X guillaume@nuc-media-center
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
 
+
♦ Note that the remote computer have X11 installed and X11 applications.  
 
 
 
 
=SSH server configuration - Authentication with RSA keys=
 
 
 
 
 
==Introduction==
 
 
 
If you’d like to increase the authentication process you can use authentication by private/public key.
 
* Generate new private / public keys on your own computer
 
* Put the public key on the remote SSH server
 
* Only the person with the private key can be authenticate on the server
 
 
 
 
 
[[File:SSH_server_RSA_keys.png|none|SSH RSA authentication]]
 
 
 
 
 
 
 
For instance, this is how hosting company such as OVH can log on your system.
 
 
 
 
 
 
 
'''Security improvement: remove password authentication'''
 
 
 
When the key authentication is working you can remove the default access by login / password.
 
Then, only people with a valid private/public key pair can log in.
 
 
 
That way, there is no way for brute-force attacks to be successful, so your system is more secure.
 
 
 
 
 
 
 
==Declare the public key on the server==
 
 
 
 
 
You have to:
 
* '''log in''' to your SSH server with the '''user that’s gonna use this key'''
 
* Go to '''user's home''' directory
 
* Create a '''.ssh''' folder (if there was none before).
 
 
 
<syntaxhighlight lang="bash">
 
cd ~
 
mkdir .ssh
 
cd .ssh
 
</syntaxhighlight>
 
 
 
 
 
Add the new ''public'' key to the list of allowed keys:
 
 
 
<syntaxhighlight lang="bash">
 
vim authorized_key2
 
</syntaxhighlight>
 
 
 
 
 
Prefix your key with:
 
* RSA: ssh-rsa
 
* DSA: ssh-dss
 
 
 
Then paste the public key in one line - the public key mustn't be change or separated in 2 lines!
 
 
 
 
 
<syntaxhighlight lang="bash">
 
# Example:
 
ssh-rsa AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
 
ssh-dss AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
 
</syntaxhighlight>
 
 
 
 
 
Adjust file rights, the ''authorized_keys2'' file must be write/readable only by that user
 
 
 
<syntaxhighlight lang="bash">
 
chmod 640 authorized_keys2
 
cd ..
 
chmod 700 .ssh
 
</syntaxhighlight>
 
 
 
 
 
==Configuration changes==
 
 
 
<syntaxhighlight lang="bash">
 
vim /etc/ssh/sshd_config
 
</syntaxhighlight>
 
 
 
 
 
===Allow empty password===
 
 
 
<syntaxhighlight lang="bash">
 
PermitEmptyPassword yes         # allow empty password in favor of RSA keys
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Restart SSH server==
 
 
 
<syntaxhighlight lang="bash">
 
/etc/init.d/ssh restart
 
</syntaxhighlight>
 
 
 
 
 
 
 
 
 
 
 
=SSH server - Authentication using LDAP server=
 
 
 
Requirement: [[LDAP server]]
 
 
 
==Principle==
 
 
 
The idea is to use a LDAP server to manage users and groups to ease the maintenance and administration.
 
 
 
* Only 1 group of users is allowed to connect
 
 
 
* Access can be dynamically and easily granted
 
 
 
 
 
[[File:SSH_server_LDAP_user.png|none|SSH LDAP server authentication]]
 
 
 
 
 
 
 
==Configuration==
 
 
 
 
 
!! TO BE DONE !!
 
 
 
 
 
 
 
 
 
 
 
 
 
=How-to generate private / public keys=
 
 
 
 
 
==Linux==
 
 
 
1. Log-in with the user you want to use.
 
 
 
 
 
2. Generate a pair of authentication keys. '''Do not enter a passphrase'''
 
 
 
<syntaxhighlight lang="bash">
 
# Generating public/private rsa key pair
 
ssh-keygen -t rsa
 
</syntaxhighlight>
 
 
 
>> Enter file in which to save the key: /home/''user''/'''.ssh'''/id_rsa
 
 
 
Log sample:
 
<syntaxhighlight lang="bash">
 
Created directory '/home/a/.ssh'.
 
Enter passphrase (empty for no passphrase):
 
Enter same passphrase again:
 
Your identification has been saved in /home/a/.ssh/id_rsa.
 
Your public key has been saved in /home/a/.ssh/id_rsa.pub.
 
The key fingerprint is:
 
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4
 
</syntaxhighlight>
 
 
 
 
 
 
 
 
 
==Windows==
 
 
 
You can generate private / public keys with '''PuttyGen''' = Putty key generator.
 
 
 
 
 
[[File:SSH_putty_key_generator.png|none|puttyGen first step]]
 
 
 
 
 
When the keys are OK, you have to enter a key pass-phrase. Your pass-phrase must be:
 
* long (> 15 characters)
 
* hard to guess
 
* with letters + signs + numbers
 
 
 
 
 
'''Reminder'''
 
 
 
how to choose your passphrase and protect it: http://www.alcf.anl.gov/resource-guides/user-authentication-policies
 
 
 
 
 
[[File:SSH_putty_key_generator_2.png|none|PuttyGen 2nd step]]
 
 
 
 
 
Then, save your keys!
 
You should be the only one to access the save location.
 
 
 
 
 
 
 
 
 
 
=Fail2ban=
 
 
 
see [[Fail2ban#SSH_configuration]]
 
 
 
 
 
 
 
 
 
 
 
=SSH client=
 
 
 
 
 
==Linux==
 
 
 
===Standard login===
 
 
 
<syntaxhighlight lang="bash">
 
# syntax
 
ssh user@server -p portNumber
 
 
 
# example
 
ssh root@daxiongmao.eu -p 4422
 
</syntaxhighlight>
 
 
 
 
 
===Using RSA key===
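Review bot: the added bullet "The key rights must be "500"" under "Using RSA key" states the wrong requirement for a private key file. What OpenSSH actually enforces is that the key is not readable by group or others (otherwise it refuses the key with the "UNPROTECTED PRIVATE KEY FILE" warning); the execute bit is not needed, so the usual mode is 600, i.e. `chmod 600 Guillaume_OpenSSH.private`. Two smaller points in the same hunk: the new "Standard login" example `ssh root@daxiongmao.eu -p 4422` contradicts the `PermitRootLogin no # Avoid root connections` line this revision removes, so a non-root user would be a better example; and the removed server section's `PermitEmptyPassword yes         # allow empty password in favor of RSA keys` is not how to favour key authentication (the option is also spelled `PermitEmptyPasswords` in sshd_config), so wherever that content is re-homed it should set `PasswordAuthentication no` instead.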
 
 
 
  
  
Line 358: Line 73:
  
 
[[File:Putty_SSH_access_4.png|none|Putty SSH login step 4]]
 
[[File:Putty_SSH_access_4.png|none|Putty SSH login step 4]]
 
 
 
 
 
=References=
 
 
 
Source:
 
* Public / private key theory: http://en.wikipedia.org/wiki/Public_Key_Cryptography
 
* http://www.howtoforge.com/ssh_key_based_logins_putty
 
 
Windows - putty software: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
 

Latest revision as of 20:10, 25 March 2015


SSH client

Linux

Standard login

# syntax
ssh user@server -p portNumber

# example
ssh root@daxiongmao.eu -p 4422


Using RSA key

Key points:

  • The key must belong to the current user
  • The key rights must be "500"


Then you can log in using the following command:

ssh -i Guillaume_OpenSSH.private -p 2200 guillaume@dev.daxiongmao.eu

Where:

  • -i myFile = the private key to use
  • -p port = a specific port number (if not the default 22)
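As an added example that is not part of the original wiki page, a POSIX shell helper that performs the ownership and permission checks listed above before running the "ssh -i" command: OpenSSH itself refuses a private key that is readable by group or others, so the helper enforces that rule rather than one fixed mode. The key path, user, host and port in the sample call are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: verify a private key file before
# using it with "ssh -i". OpenSSH rejects a key whose group/other permission
# bits are set ("UNPROTECTED PRIVATE KEY FILE"), so that is what is checked
# here, together with the ownership rule from the page. Uses stat(1) in its
# GNU form, falling back to the BSD form.

key_mode() {
  # Octal permission bits of a file, e.g. 600.
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

key_owner_uid() {
  # Numeric uid of the file owner (numeric so it works without /etc/passwd).
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

check_private_key() {
  # Return 0 when "$1" exists, belongs to the calling user and is not
  # readable by group or others; otherwise print the reason and return 1.
  f=$1
  [ -f "$f" ] || { echo "no such key file: $f" >&2; return 1; }
  owner=$(key_owner_uid "$f"); me=$(id -u)
  if [ "$owner" != "$me" ]; then
    echo "$f is owned by uid $owner, not uid $me" >&2; return 1
  fi
  mode=$(key_mode "$f")
  rest=${mode#"${mode%??}"}      # last two octal digits = group and other bits
  if [ "$rest" != "00" ]; then
    echo "$f has mode $mode; fix with: chmod 600 $f" >&2; return 1
  fi
  return 0
}

ssh_with_key() {
  # Usage: ssh_with_key KEYFILE USER HOST [PORT]. Refuses to run when the key
  # fails the checks; otherwise mirrors the page's "ssh -i KEY -p PORT USER@HOST".
  check_private_key "$1" || return 1
  ssh -i "$1" -p "${4:-22}" "$2@$3"
}

# Sample call with placeholder values (hypothetical host and user):
# ssh_with_key ~/.ssh/id_rsa guillaume dev.example.com 2200
```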


X11 forwarding

ssh -X guillaume@nuc-media-center


♦ Note that the remote computer must have X11 and X11 applications installed.


Windows

You have to use PuTTY to perform the SSH login.


How to add a public / private key in PuTTY?

1. Create profile

Putty SSH login step 1


2. Auto-login

Putty SSH login step 2


3. Attach private key

Putty SSH login step 3


4. Save profile

Putty SSH login step 4