Difference between revisions of "SSH"

From wiki
m
(ssh server keys)
Revision as of 16:05, 6 February 2016

Warning: These instructions were only tested on Debian. They will probably work on other Linux distributions, but you might need to adapt them.
Warning: This page is a work in progress and is not complete. Important information might be missing or wrong.

Server

Install

# apt install openssh-server

Configure

TODO


Generate server keys

# cd /etc/ssh
# rm ssh_host_*key*
# ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""
# ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""

Edit /etc/ssh/sshd_config and make sure that the only HostKey lines in it are:

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

Restart

Restarting the SSH server while connected through SSH is usually safe. However, take some precautions to avoid being locked out of your server. Do it from a stable internet connection: if the SSH server does not restart correctly, you do not want your active SSH connection to drop while you fix the problem.

# systemctl restart ssh

If you are connected through SSH, check that the server restarted correctly by opening a second connection:

$ ssh -o "ControlMaster=yes" myserver.example.com

The -o "ControlMaster=yes" option prevents the SSH client from reusing your active connection in case you have multiplexing enabled.
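The two steps above (keeping only the two HostKey lines, then restarting) are where a typo locks you out. The following script is an added example, not part of the wiki page: it audits the HostKey directives of an sshd_config file against the two lines the page asks for, and only restarts the daemon once `sshd -t` has accepted the whole file. It assumes Debian's `systemctl restart ssh` from the page and an sshd binary at /usr/sbin/sshd; the config path is a parameter so the audit can be run against a copy first.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit the HostKey directives of
# an sshd_config file and only restart the daemon once sshd itself has
# accepted the configuration. The file path is a parameter so the audit can
# be run against a copy before touching /etc/ssh/sshd_config.

# The two host key lines the page asks for; anything else (a leftover DSA or
# ECDSA key, a duplicated line) is reported as a mismatch.
EXPECTED_HOSTKEYS='HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key'

# Print the active (uncommented) HostKey directives of a config file, one
# per line, normalised to "HostKey <path>". sshd matches keywords
# case-insensitively and accepts "Key=Value" syntax, so both are handled.
hostkey_lines() {
    sed -n -E 's/^[[:space:]]*[Hh][Oo][Ss][Tt][Kk][Ee][Yy][[:space:]=]+/HostKey /p' "$1" \
        | sed -E 's/[[:space:]]+$//'
}

# Return 0 when the HostKey lines in the file are exactly EXPECTED_HOSTKEYS
# (order does not matter), 1 otherwise, printing both sets on mismatch.
check_hostkeys() {
    actual=$(hostkey_lines "$1" | sort)
    wanted=$(printf '%s\n' "$EXPECTED_HOSTKEYS" | sort)
    [ "$actual" = "$wanted" ] && return 0
    printf 'HostKey mismatch in %s\n-- found --\n%s\n-- expected --\n%s\n' \
        "$1" "$actual" "$wanted" >&2
    return 1
}

# Restart only after the audit passes and "sshd -t" validates the whole file:
# a syntax error discovered by "systemctl restart ssh" leaves sshd down, and
# with it your way back in. Path to sshd is an assumption (Debian layout).
restart_sshd_safely() {
    cfg=${1:-/etc/ssh/sshd_config}
    check_hostkeys "$cfg" || return 1
    if ! /usr/sbin/sshd -t -f "$cfg"; then
        echo "sshd rejected $cfg, not restarting" >&2
        return 1
    fi
    systemctl restart ssh
}

# Demonstration on a constructed config file, not a real server file.
demo_hostkey_audit() {
    tmp=$(mktemp)
    printf '%s\n' 'Port 22' \
        'HostKey /etc/ssh/ssh_host_ed25519_key' \
        '#HostKey /etc/ssh/ssh_host_dsa_key' \
        'HostKey /etc/ssh/ssh_host_rsa_key' > "$tmp"
    check_hostkeys "$tmp" && echo "ok: $tmp has exactly the expected HostKey lines"
    echo 'HostKey /etc/ssh/ssh_host_ecdsa_key' >> "$tmp"
    check_hostkeys "$tmp" || echo "mismatch detected after adding a stale ECDSA key"
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo_hostkey_audit
fi
```

Run it as `sh hostkey-audit.sh demo` to see the audit pass and then fail on the constructed file; on a real server, call `restart_sshd_safely` from the shell after sourcing the script, keeping your existing SSH session open until the second connection from the step above succeeds.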

Fail2ban

Fail2ban configuration for ssh is active by default in Debian. However, if you changed the listening port of your server, you must reflect that in fail2ban. To do so, create the file /etc/fail2ban/jail.d/sshd.conf with the following content:

[sshd]
enabled  = true
port     = 2200 ; <= Set the port here
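The jail only protects the port it is told about, so the override must track sshd_config whenever the port changes. As an added example (not from the wiki), the script below reads the Port directives from an sshd_config file and emits the jail.d/sshd.conf content shown above; several Port lines become a comma-separated list, which is the syntax fail2ban accepts for `port`. The `install_sshd_jail` helper and the `fail2ban-client reload` step are assumptions about a Debian install, not something the page states.

```shell
#!/bin/sh
# Added example, not part of the wiki page: derive the fail2ban sshd jail
# override from the ports sshd actually listens on, so the two never drift.

# Print the Port directives of an sshd_config, one per line, falling back to
# sshd's default of 22 when none is set. Leading blanks and keyword case are
# tolerated; commented-out lines are ignored.
sshd_ports() {
    ports=$(sed -n -E 's/^[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]=]+([0-9]+).*/\1/p' "$1")
    if [ -z "$ports" ]; then
        echo 22
    else
        printf '%s\n' "$ports"
    fi
}

# Emit the contents of /etc/fail2ban/jail.d/sshd.conf for the given
# sshd_config. Multiple Port lines become "port = 2200,22".
fail2ban_sshd_jail() {
    portlist=$(sshd_ports "$1" | paste -sd, -)
    printf '[sshd]\nenabled  = true\nport     = %s\n' "$portlist"
}

# Write the override and have fail2ban re-read its jails. Not run
# automatically; needs root on the server.
install_sshd_jail() {
    fail2ban_sshd_jail "${1:-/etc/ssh/sshd_config}" > /etc/fail2ban/jail.d/sshd.conf \
        && fail2ban-client reload
}

# Demonstration on a constructed config file, not a real server file.
demo_fail2ban_jail() {
    tmp=$(mktemp)
    printf 'Port 2200\n# Port 22\nHostKey /etc/ssh/ssh_host_ed25519_key\n' > "$tmp"
    echo "jail for a server listening on 2200:"
    fail2ban_sshd_jail "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo_fail2ban_jail
fi
```

`sh fail2ban-sync.sh demo` prints the override for a constructed config with `Port 2200`; after editing sshd_config on a real server, `install_sshd_jail` regenerates the file and reloads fail2ban in one step, so the jail cannot be left watching the old port.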

Client

Install

# apt install openssh-client

Configure

For more information, see Secure Secure Shell by stribika.

Generate user keys

This needs to be run by every user. It is strongly recommended to set a password on your keys. A passwordless key file is as secure as a post-it on the wall with your password. If a script needs unattended access to another machine, create a dedicated account and key for that purpose.

$ ssh-keygen -t ed25519 -o -a 100
$ ssh-keygen -t rsa -b 4096 -o -a 100
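Whether a key actually got a password can be checked after the fact. The script below is an added example, not part of the wiki page: it inspects every private key in a directory and lists the ones stored without a passphrase. It reads the key file header itself rather than calling ssh-keygen, so it never prompts and runs offline; for the new OpenSSH format that `-o` produces, the cipher name embedded in the file is `none` when the key is unencrypted, and legacy PEM keys are encrypted only when they carry a `Proc-Type: 4,ENCRYPTED` header. The sample files used in the demo are constructed headers, not real key material, and the `audit` argument and default of ~/.ssh are this script's own conventions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: find private keys in a directory
# that carry no passphrase. The check reads the key file itself instead of
# calling ssh-keygen, so it never prompts and works offline.

# Return 0 if the key file is passphrase-protected, 1 if it is stored in the
# clear, 2 if the format is not recognised.
key_is_protected() {
    case $(head -n 1 "$1") in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # New-format key (what "ssh-keygen -o" writes): base64 of the magic
            # "openssh-key-v1\0", a big-endian uint32 length and the cipher
            # name. The name "none" means the key material is unencrypted.
            blob=$(mktemp)
            sed -e '1d;$d' "$1" | tr -d '\n\r' | base64 -d > "$blob" 2>/dev/null
            magic=$(dd if="$blob" bs=1 count=14 2>/dev/null)
            len=$(od -An -tu1 -j15 -N4 "$blob" \
                | awk 'NF == 4 { print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }')
            if [ "$magic" != openssh-key-v1 ] || [ -z "$len" ] || [ "$len" -gt 64 ]; then
                rm -f "$blob"
                return 2
            fi
            cipher=$(dd if="$blob" bs=1 skip=19 count="$len" 2>/dev/null)
            rm -f "$blob"
            [ "$cipher" != none ]
            ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            return 0 ;;          # PKCS#8, always encrypted
        '-----BEGIN PRIVATE KEY-----')
            return 1 ;;          # PKCS#8, never encrypted
        '-----BEGIN '*' PRIVATE KEY-----')
            # Legacy PEM (RSA/DSA/EC): encrypted only if it carries this header.
            grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ;;
        *)
            return 2 ;;
    esac
}

# Print every private key file in the directory that has no passphrase.
# Returns 0 when none were found, 1 otherwise. Public keys, config files and
# unrecognised formats are skipped.
find_unprotected_keys() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || continue
        rc=0
        key_is_protected "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then
            printf '%s\n' "$f"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Demonstration on constructed files: a new-format key without a cipher
# ("none") and one with aes256-ctr. Neither contains real key material.
demo_key_audit() {
    dir=$(mktemp -d)
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$dir/id_plain"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$dir/id_enc"
    echo "keys without a passphrase under $dir:"
    find_unprotected_keys "$dir" || true
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo_key_audit
elif [ "${1:-}" = audit ]; then
    find_unprotected_keys "${2:-$HOME/.ssh}"
fi
```

`sh key-audit.sh audit` lists the unprotected keys in ~/.ssh (or in the directory given as the second argument) and exits non-zero if any were found, which makes it usable from a login script or a configuration-management check. Keys it reports should be re-encrypted with `ssh-keygen -p -o -a 100 -f <file>`, or replaced by a dedicated account and key if a script really does need unattended access.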