{{tag>english linux debian sshd it-security}}

====== Securing the sshd ======

The pre-installed SSH daemon (sshd) is not secure in its default configuration: it accepts password logins. For better protection, we switch it to [[wpde>Asymmetrisches_Kryptosystem|public-key authentication]] and then disable passwords entirely.

===== Generate key pair =====

First, we create a key pair under Linux:

<code>
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
35:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42
</code>

**Be sure to enter a passphrase, otherwise anyone who obtains the private key file can log in to the server!**

We rename id_rsa.pub to authorized_keys (note the spelling: sshd looks for exactly this file name) and download id_rsa to the local computer. **It is important to delete id_rsa securely afterwards!** (If necessary, install wipe with //apt-get install wipe//.)

<code>
$ wipe id_rsa
Okay to WIPE 1 regular file ? (Yes/No) yes
Operation finished.
1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.
</code>

Caveat: on SSDs and on journaling file systems, overwriting a file does not reliably destroy its contents. The cleaner approach is to run ssh-keygen on the client instead and copy only id_rsa.pub to the server, so the private key never exists there in the first place.

We repeat the process for every user who should have access via sshd.

Set modes (with StrictModes, the default, sshd ignores authorized_keys if that file, ~/.ssh or the home directory is writable by group or others):

<code>
chmod 0700 .ssh
chmod 0600 .ssh/authorized_keys
</code>

===== Putty Private Key =====

Now we download [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|puttygen.exe]]. We open puttygen.exe and navigate in the menu to **Conversions / Import key**. There we select the generated private key that we downloaded to our computer. Now add a suitable comment and click the **Save private key** button. We will need this key with the .ppk extension later to log in with putty.
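To make the authorized_keys setup above repeatable for every user, the following shell script is an added example written for this page (it is not code from the original article). It installs a public key line into a user's authorized_keys idempotently, enforces the 0700/0600 modes sshd expects, and refuses key types that should no longer be used (ssh-dss). The function names and the key line are my own; the key line is constructed for illustration and is not a real key.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into a
# user's authorized_keys and enforce the modes that StrictModes requires.
# The key material used below is CONSTRUCTED for illustration only.

# Allow only current key types; reject ssh-dss (DSA) and anything unexpected.
allowed_key_type() {
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# install_authorized_key HOME_DIR "PUBKEY_LINE"
# Creates HOME_DIR/.ssh (0700) and HOME_DIR/.ssh/authorized_keys (0600) and
# appends the key if it is not already present. Returns 0 on success and
# 1 for a malformed or disallowed key line.
install_authorized_key() {
    home_dir=$1
    key_line=$2
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    if [ -z "$key_blob" ] || ! allowed_key_type "$key_type"; then
        printf 'refusing key line: %s\n' "$key_line" >&2
        return 1
    fi
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth_file" )
    chmod 0700 "$ssh_dir"
    chmod 0600 "$auth_file"
    # Idempotent: match on the base64 blob, not the comment, which may differ.
    if grep -qF -- "$key_blob" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Portable octal mode: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Number of key lines currently installed for the user in HOME_DIR.
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    grep -c '^[^#]' "$f" || true
}
```

Run it as the target user, or as root with the user's home directory as the first argument; running the same line twice leaves exactly one entry, which makes it safe to use from a provisioning script.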
**Never upload this key to the server!**

===== Login test =====

Now we test whether the connection can be established with the generated key. To do this, we open putty.exe and enter the host name as usual. Before clicking **Open**, we go to **Connection / SSH / Auth** in the tree view on the left and enter the path to our .ppk file under **Private key file for authentication**. Then click **Open**. Only if the login succeeds without an error message do we disable password authentication in sshd completely.

===== sshd configuration =====

Now we edit the sshd configuration file /etc/ssh/sshd_config:

<code>
# It makes sense to use a port above 1024 here (this only reduces log noise from scanners; it is not a security measure in itself)
Port 22

# Always use protocol 2!
Protocol 2

# Disable RSAAuthentication (this is the protocol 1 variant)
RSAAuthentication no

# Enable PubkeyAuthentication
PubkeyAuthentication yes

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# We don't want these
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no

# And we certainly don't want this
PasswordAuthentication no

# BE SURE TO UNCOMMENT THIS AND SET IT TO NO!!!! Otherwise keyboard-interactive logins still accept passwords via PAM.
ChallengeResponseAuthentication no
</code>

Note that sshd uses the first occurrence of a keyword: a setting appended at the end of the file has no effect if the same keyword already appears further up. Before restarting, check the syntax with //sshd -t// (it prints nothing if the file is valid).

===== Restart sshd =====

<code>
/etc/init.d/ssh restart
</code>

On current Debian releases with systemd, //systemctl restart ssh// does the same.

==== Hint ====

Restarting sshd does not close the current SSH session. **To be able to correct configuration errors, keep the current session open until a fresh login works correctly!**
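Because a misplaced line in sshd_config silently leaves password logins enabled, the following script is an added example written for this page (not code from the original article) that audits a configuration file for the settings hardened above. It follows two sshd parsing rules that trip people up: keywords are case-insensitive, and the first occurrence of a keyword wins. The function names are my own, and the "default when unset" values are those of current OpenSSH releases as I know them; Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config against
# the settings the page hardens. Mirrors sshd's own rules: keywords are
# case-insensitive and the FIRST occurrence of a keyword wins, so a
# "PasswordAuthentication no" appended below an earlier "yes" changes nothing.
# Limitation: lines inside "Match" blocks are treated like global lines.

# sshd_config_value FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD in FILE, or DEFAULT if it is unset.
sshd_config_value() {
    awk -v kw="$2" -v def="$3" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }        # strip comments and indentation
        NF >= 2 && tolower($1) == tolower(kw) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per weak setting and returns the number of findings
# (0 means the file matches the hardened configuration).
audit_sshd_config() {
    cfg=$1
    findings=0
    # keyword | required value | default when the keyword is absent (assumed OpenSSH defaults)
    for spec in \
        'PasswordAuthentication|no|yes' \
        'ChallengeResponseAuthentication|no|yes' \
        'PermitEmptyPasswords|no|no' \
        'PubkeyAuthentication|yes|yes' \
        'HostbasedAuthentication|no|no' \
        'IgnoreRhosts|yes|yes'
    do
        kw=${spec%%|*}; rest=${spec#*|}
        want=${rest%%|*}; def=${rest#*|}
        have=$(sshd_config_value "$cfg" "$kw" "$def")
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            printf 'FINDING: %s is %s (want %s)\n' "$kw" "$have" "$want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Run //audit_sshd_config /etc/ssh/sshd_config// after editing and before the restart; combine it with //sshd -t//, which checks syntax but not intent. A clean exit status (0) means every audited keyword is effectively set to the hardened value, either explicitly or by default.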