Linux to Linux Key Based SSH

Related Reading:

  1. Protect SSH Access With hosts files and a proper sshd_config
  2. Preventing Brute Force Attacks With Fail2ban

Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp. Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections. Ssh currently runs on UNIX or related systems, plus under OS/2. Ports have been successful to all “mainstream” UNIX systems.

SSH is either installed by default, or you can install it on your distribution from their repositories.

In SuSE, it is on the DVD/CD. Make sure that disc is in your drive and enabled in your sources, then run zypper in ssh. In Ubuntu, to install the ssh server, run apt-get install ssh.

Requirements

First, before starting, the following assumptions are made:

  • You have enabled sshd on the remote server.
  • You have opened the appropriate port for sshd on the remote server.
  • You have configured tcp wrappers and/or other security mechanisms on the remote server.
  • You are careful enough to know that you should not set up public key authentication for the root user.
  • You are capable of choosing between RSA or DSA keys. (In this example I have chosen RSA.)
  • Note: This is written for SuSE 9.2; other versions should be similar or identical.

Preparing the client

  1. If it does not exist, create the ~/.ssh directory for your user.
  2. Generate the public / private key pair with the command

$ ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa

Note: When prompted for a passphrase, just hit enter, and then enter again. See the man pages for ssh-keygen for various options, if you’d like to try something different. This will generate a private and a public (.pub) key file.

Remember: if you choose not to use a passphrase for your private key, anyone who gets access to it automatically gets access to any server you have access to. They will not need a password; they will just need to use that key (leave your computer for two minutes, lose your laptop, someone gets access another way, etc.). Easy. If you need to have no passphrase (for cron etc.), make sure the user is very limited, consider using a jail, or use ssh-agent.
3. As root, edit the /etc/ssh/ssh_config file in the following ways:

  • Remove the comment (#) from the line
IdentityFile ~/.ssh/id_rsa
  • Remove the comment (#) from the line
Protocol 2

(and while you are at it, if there is a 1 there, remove it; there should only be a 2 unless you have some strange reason to use protocol 1)

Preparing the server

  1. Log in to the remote server using the normal ssh password authentication.
  2. Make sure the ~/.ssh directory exists.
  3. Make sure permissions on the ~/.ssh directory are 700.
  4. Now from the client machine copy the .pub key you generated to ~/.ssh on the server. You can do this with something like (from the client machine):
$ scp ~/.ssh/id_rsa.pub user_name_here@server_here:~/.ssh

That will prompt you for a password to complete.
5. Now ssh to the server again, and run the following command:

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

6. Next, as root, edit the /etc/ssh/sshd_config file in the following ways:

  • If the line
Protocol 2

has a 1 as well, remove it unless you have some strange reason to use protocol 1. Also remove the comment (#) if it is there.

  • Edit the line
PubkeyAuthentication yes

(i.e. if it says no, change it to yes). Also remove the comment (#) if it is there.

  • If you want to disable password-login, make sure the file includes a line like
PasswordAuthentication no
  • If you want to disable password-login for root:
PermitRootLogin without-password
  • Make sure the line
AuthorizedKeysFile      .ssh/authorized_keys

is set up correctly (i.e. if it is pointing to a different keys file, update it to what is shown here). Also remove the comment (#) if it is there.

  • Check whether you need to disable PAM authentication! The comments in sshd_config state that, depending on your PAM configuration, PAM may bypass the settings of PasswordAuthentication, PermitEmptyPasswords, and “PermitRootLogin without-password”. To disable it, set:
ChallengeResponseAuthentication no
UsePAM no

7. As root, restart sshd:

# rcsshd restart
(or on Ubuntu/Debian: sudo /etc/init.d/ssh restart)

That’s it. Now try logging in from your client machine; you should be logged in automatically without being prompted for a password.
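To verify the server side of the procedure above, here is an added example (not part of the original post) that reads the effective values from an sshd_config and checks them against the settings this guide asks for, and checks the ~/.ssh permissions from the server steps. It assumes GNU or BSD stat and a POSIX sh; the sshd_config fragment it audits is a constructed sample, not a real server's file.

```sh
# Added example: audit sshd_config for this guide's settings and check ~/.ssh modes.
# sshd uses the first uncommented occurrence of a directive, so that is what we read.
sshd_setting() {  # sshd_setting FILE DIRECTIVE -> prints the active value, if any
    awk -v d="$2" 'tolower($1) == tolower(d) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}
audit_sshd_config() {  # audit_sshd_config FILE -> 0 if every check passes, else 1
    f="$1"; rc=0
    check() {  # check DIRECTIVE ACCEPTED_REGEX DESCRIPTION
        v=$(sshd_setting "$f" "$1")
        if printf '%s' "$v" | grep -Eqi "$2"; then
            echo "ok   $1 = $v"
        else
            echo "FAIL $1 = '${v:-unset}' (want $3)"; rc=1
        fi
    }
    check Protocol '^2$' '2 only, no 1'
    check PubkeyAuthentication '^yes$' 'yes'
    check PasswordAuthentication '^no$' 'no'
    check PermitRootLogin '^(without-password|no)$' 'without-password or no'
    check AuthorizedKeysFile '(^|[[:space:]])\.ssh/authorized_keys([[:space:]]|$)' '.ssh/authorized_keys'
    check UsePAM '^no$' 'no, so PAM cannot re-enable password login'
    return $rc
}
check_ssh_dir() {  # check_ssh_dir DIR -> 0 if DIR is mode 700 and authorized_keys is not writable by others
    d="$1"; rc=0
    mode=$(stat -c '%a' "$d" 2>/dev/null || stat -f '%Lp' "$d")
    [ "$mode" = "700" ] || { echo "FAIL $d is mode $mode, want 700"; rc=1; }
    if [ -f "$d/authorized_keys" ]; then
        km=$(stat -c '%a' "$d/authorized_keys" 2>/dev/null || stat -f '%Lp' "$d/authorized_keys")
        case "$km" in 600|644) echo "ok   authorized_keys is mode $km" ;;
                      *) echo "FAIL authorized_keys is mode $km, want 600 or 644"; rc=1 ;; esac
    fi
    return $rc
}
make_sample_config() {  # writes a constructed sshd_config fragment (not a real server's file) to FILE
    cat > "$1" <<'EOF'
Protocol 2
#PubkeyAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
PermitRootLogin without-password
UsePAM no
EOF
}
tmp=$(mktemp); make_sample_config "$tmp"
if audit_sshd_config "$tmp"; then echo "config passes"; else echo "config needs fixing"; fi
rm -f "$tmp"
```

On the sample, the audit reports one FAIL line because password login is still enabled; the commented-out PubkeyAuthentication line is ignored as sshd would ignore it.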
