
Securing the sshd

The pre-installed SSH daemon (sshd) is insecure in its default configuration. For better protection, key-based authentication needs to be set up.

1.0 Key pair

1.1 Create key pair

Firstly, we create a key pair under Linux:

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): /home/user/.ssh/id_ed25519

We are asked to enter a passphrase. This step is important, because only the combination of key file and passphrase enables server access.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_ed25519.
Your public key has been saved in /home/user/.ssh/id_ed25519.pub.
The key fingerprint is:
35:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42

With id_ed25519.pub we now do the following:

  1. rename it to authorized_keys
  2. move it to the .ssh folder
  3. set the access permissions

mv id_ed25519.pub .ssh/authorized_keys
chmod 0700 .ssh
chmod 0600 .ssh/authorized_keys
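The three steps above as a small script, added here as an example and not taken from the original article. It goes slightly beyond the page: instead of renaming the file with mv (which would overwrite an authorized_keys that already holds other keys) it appends the key once, rejects input that is not an OpenSSH public key line, and includes the permission check that sshd itself performs. It assumes Linux with GNU coreutils (stat -c); the key line and the paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: install a public key
# into authorized_keys and verify the permissions the article sets.
# Assumes Linux with GNU coreutils (stat -c). Paths below are constructed.
set -eu

# install_authorized_key PUBKEY_FILE SSH_DIR
# Appends the key to SSH_DIR/authorized_keys instead of renaming the file
# with mv as the article does, so an existing authorized_keys is kept and
# the same key is not added twice. Rejects anything that does not look
# like an OpenSSH public key line.
install_authorized_key() {
    pub=$1; dir=$2
    key=$(head -n 1 "$pub")
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    chmod 0700 "$dir"
    touch "$dir/authorized_keys"
    chmod 0600 "$dir/authorized_keys"
    # Compare only the key type and base64 material, not the comment.
    material=$(printf '%s\n' "$key" | cut -d' ' -f1-2)
    if ! cut -d' ' -f1-2 "$dir/authorized_keys" | grep -qxF "$material"; then
        printf '%s\n' "$key" >> "$dir/authorized_keys"
    fi
}

# check_ssh_perms SSH_DIR
# With the default StrictModes yes, sshd refuses to use a ~/.ssh or
# authorized_keys that is group- or world-writable, so the key login
# fails and only the remaining methods (e.g. password) are tried.
# Returns 0 when the modes are 0700 / 0600 as in the article.
check_ssh_perms() {
    dir=$1
    [ "$(stat -c %a "$dir")" = "700" ] &&
    [ "$(stat -c %a "$dir/authorized_keys")" = "600" ]
}

# Constructed sample: a line in the format ssh-keygen writes. The key
# material is made up and will not authenticate anything.
TMP=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotRealAAAAAAAAAAAAAA user@host\n' \
    > "$TMP/id_ed25519.pub"
install_authorized_key "$TMP/id_ed25519.pub" "$TMP/.ssh"
install_authorized_key "$TMP/id_ed25519.pub" "$TMP/.ssh"   # second run adds no duplicate
check_ssh_perms "$TMP/.ssh" && echo "permissions OK"
```

On a real server, call install_authorized_key with the uploaded id_ed25519.pub and the .ssh directory of the account that will log in; check_ssh_perms is the test to run when a key login unexpectedly falls back to a password prompt.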

We then download id_ed25519 to the local computer.

1.2 Secure deletion of the private key

It is important to delete id_ed25519 securely on the server afterwards! (If necessary, install wipe with apt-get install wipe)

$ wipe id_ed25519
Okay to WIPE 1 regular file ? (Yes/No) yes
Operation finished.
1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.

2.0 Putty Private Key

Now we download puttygen.exe. We open puttygen.exe and navigate in the menu to Conversion / Import Key. There we select the generated private key that we downloaded to our computer. In the lower area we select EdDSA. Now we add a suitable comment and click the Save private key button.

Save this key with the .ppk extension for the later login with PuTTY. Never upload this key to the server!

Login test

Now we test whether the connection can be established with the generated key. To do this, we open putty.exe and enter the host name as usual. Before clicking Open, we switch in the tree view on the left to Connection -> SSH -> Auth and enter the path to our .ppk file under "Private key file for authentication". Now click the Open button. If the login succeeds without an error message, we can completely deactivate password authentication in our sshd.

SSHd configuration

Now we edit the sshd configuration file:

nano /etc/ssh/sshd_config

# choose a port above 1024
Port 22
 
# use protocol 2 !
Protocol 2
 
# deactivate RSAAuthentication
RSAAuthentication no
 
# activate PubkeyAuthentication
PubkeyAuthentication yes
 
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
 
# unwanted options
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
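Before restarting, it is worth checking that the file really says what you think it does. The audit below is an added example and not part of the original article: it reads an sshd_config the way sshd does (directive names are case-insensitive, comments are skipped, and the first occurrence of a directive wins, so a duplicate further down changes nothing) and reports every directive whose effective value differs from the settings above. The expected values are taken from the article's configuration; the two sample files are constructed for the demo. It assumes a POSIX shell with awk and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an sshd_config
# against the settings the article requires before restarting sshd.
# Assumes a POSIX shell with awk and mktemp.
set -eu

# Directive=expected-value pairs taken from the article's configuration.
# Protocol, RSAAuthentication and RhostsRSAAuthentication are left out:
# they only concern SSH protocol 1, which current servers no longer have.
EXPECTED='PubkeyAuthentication=yes
PasswordAuthentication=no
PermitRootLogin=no
PermitEmptyPasswords=no
ChallengeResponseAuthentication=no
HostbasedAuthentication=no
IgnoreRhosts=yes'

# effective_value FILE DIRECTIVE
# Prints the value sshd would use: directive names are case-insensitive,
# comments and blank lines are skipped, and the FIRST occurrence wins
# (a later duplicate does not override it). Prints nothing if unset.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # split "Directive value" or "Directive=value"
            if (!match(line, /[ \t=]+/)) next
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

# sshd_audit FILE
# Prints one finding per directive whose effective value differs from
# EXPECTED. An unset directive is a finding too, because the compiled-in
# default may be the weak one (PasswordAuthentication defaults to yes).
# Returns 0 when there are no findings, 1 otherwise.
sshd_audit() {
    findings=0
    for pair in $EXPECTED; do
        directive=${pair%%=*}
        expected=${pair#*=}
        actual=$(effective_value "$1" "$directive" | tr 'A-Z' 'a-z')
        if [ "$actual" != "$expected" ]; then
            printf '%s: expected %s, found %s\n' \
                "$directive" "$expected" "${actual:-(unset)}"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not real server files).
TMP=$(mktemp -d)
cat > "$TMP/hardened.conf" <<'EOF'
Port 22
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# Weak: password login still on (lower-case spelling, which sshd accepts),
# PermitRootLogin first set to yes, and a later "no" that sshd ignores.
cat > "$TMP/weak.conf" <<'EOF'
Port 22
#PermitRootLogin no
PubkeyAuthentication yes
passwordauthentication yes
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
EOF

sshd_audit "$TMP/hardened.conf" && echo "hardened.conf: no findings"
sshd_audit "$TMP/weak.conf" || echo "weak.conf: fix the findings above before restarting sshd"
```

Run it as sshd_audit /etc/ssh/sshd_config after editing and, in addition, let the daemon itself parse the file with sshd -t, which reports syntax errors without restarting. On OpenSSH 7.4 and later, Protocol, RSAAuthentication and RhostsRSAAuthentication are deprecated (protocol 1 support was removed) and only produce warnings; since OpenSSH 8.7 ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication and is still accepted.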

SSHd restart

/etc/init.d/ssh restart

Hint

Do not close the current SSH session. To be able to correct configuration errors, the current session should remain open until everything works correctly!