{{tag>deutsch linux debian sshd it-security}}
====== Backing up the sshd ======

The pre-installed SSH daemon (sshd) is insecure in the basic configuration. To ensure greater protection, it is necessary to integrate a [[wp>Public-key_cryptography|to integrate key authentication]].


===== 1.0 Key pair =====

==== 1.1 Create key pair ====


Firstly, we create a key pair under Linux:

<code bash>
$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): /home/user/.ssh/id_ed25519
</code>

We are asked to enter a password. This process is important, **because only the combination of key file and password** enable server access.

<code bash>
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_ed25519.
Your public key has been saved in /home/user/.ssh/id_ed25519.pub.
The key fingerprint is:
35:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42
</code>

With ''id_ed25519.pub'' we now do the following:

  - rename it to ''authorised_keys''
  - move to the folder ''.ssh''
  - Set access authorisations

<code bash>
mv id_ed25519.pub .ssh/authorized_keys
chmod 0700 .ssh
chmod 0600 .ssh/authorized_keys
</code>

We then load ''id_ed25519'' locally on the computer.

==== 1.2 Secure deletion of the private key ====

**It is important, ''id_ed25519'' securely afterwards!** (If necessary, install wipe with //apt-get install wipe//)

<code bash>$ wipe id_ed25519
Okay to WIPE 1 regular file ? (Yes/No) yes
Operation finished.
1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.</code>

===== 2.0 Putty Private Key =====

Now we download [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|puttygen.exe]] down. We open puttygen.exe and navigate in the menu to ''Conversion / Import Key''. At this point, we select the generated private key that we have downloaded to our computer. We mark ''EdDSA'' in the lower area. Now add a suitable comment and we can click on ''Save private key'' button.

Save this key with the ''.ppk'' extension for later login to putty. **Never upload this key to the server!**


===== Login test =====

Now we test whether the connection is established with the generated key. To do this, we open putty.exe and enter the host name as usual. Before we now click on ''open'' in the tree view on the left, we switch to ''Connection'' -> ''SSH'' -> ''Auth'' and enter under ''private key file for authentication'' enter the path to our ppk file. Now click on ''open'' button. If the login was successful, and without error message, we can completely deactivate the password authentication in our sshd.

===== SSHd configuration =====

Now we edit the SSHd configuration file <code bash>nano /etc/ssh/sshd_config</code>

<code text>
# choose a port above 1024
Port 22

# use protocol 2 !
Protocol 2

# deactivate RSAAuthentication
RSAAuthentication no

# activate PubkeyAuthentication
PubkeyAuthentication yes

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# unwanted options
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
</code>

===== SSHd restart =====

<code bash>/etc/init.d/ssh restart</code>

==== Hint ====

The current SSH session is not closed. **To correct configuration errors, the current session should remain open until everything is working correctly!**