Differences

This shows you the differences between two versions of the page.

en:linux:ssh [2023/10/18 22:41] – created psycore
en:linux:ssh [2024/12/17 13:08] (current) – created psycore
Line 1: Line 1:
-====== Back up the sshd ======+{{tag>deutsch linux debian sshd it-security}} 
 +====== Backing up the sshd ======
  
-The pre-installed SSH daemon (sshd) is insecure in the basic configuration. To ensure greater protection, it is necessary to integrate a [[wpde>Asymmetrisches_Kryptosystem|key authentication]].+The pre-installed SSH daemon (sshd) is insecure in the basic configuration. To ensure greater protection, it is necessary to integrate a [[wp>Public-key_cryptography|to integrate key authentication]].
  
  
-===== Create key pair =====+===== 1.0 Key pair =====
  
-First, we create a key pair under Linux:+==== 1.1 Create key pair ==== 
 + 
 + 
 +Firstly, we create a key pair under Linux: 
 + 
 +<code bash> 
 +$ ssh-keygen -t ed25519 
 +Generating public/private ed25519 key pair. 
 +Enter file in which to save the key (/home/user/.ssh/id_ed25519): /home/user/.ssh/id_ed25519 
 +</code> 
 + 
 +We are asked to enter a password. This process is important, **because only the combination of key file and password** enable server access.
  
 <code bash> <code bash>
-$ ssh-keygen -t rsa -b 4096 
-Generating public/private rsa key pair. 
-Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa 
 Enter passphrase (empty for no passphrase): Enter passphrase (empty for no passphrase):
 Enter same passphrase again: Enter same passphrase again:
-Your identification has been saved in /home/user/.ssh/id_rsa+Your identification has been saved in /home/user/.ssh/id_ed25519
-Your public key has been saved in /home/user/.ssh/id_rsa.pub.+Your public key has been saved in /home/user/.ssh/id_ed25519.pub.
 The key fingerprint is: The key fingerprint is:
 35:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42 35:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42
 </code> </code>
-**Be sure to enter a password, otherwise you can access the server just by possessing the private key!** 
  
-We rename id_rsa.pub to authorised_keys and download id_rsa locally to our computer. **It is important to delete id_rsa securely afterwards!** (if necessary install wipe with //apt-get install wipe//)+With ''id_ed25519.pub'' we now do the following:
  
-<code bash>$ wipe id_rsa +  - rename it to ''authorised_keys'' 
-Okay to WIPE 1 regular file ? (Yes/No) yes +  - move to the folder ''.ssh'' 
-Operation finished. +  Set access authorisations
-1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.</code> +
- +
-We repeat the process with all users who should have access to the sshd+
- +
-Set modes:+
  
 <code bash> <code bash>
 +mv id_ed25519.pub .ssh/authorized_keys
 chmod 0700 .ssh chmod 0700 .ssh
 chmod 0600 .ssh/authorized_keys chmod 0600 .ssh/authorized_keys
 </code> </code>
  
-===== Putty Private Key =====+We then load ''id_ed25519'' locally on the computer.
  
-Now we download [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|puttygen.exe]] down. We open puttygen.exe and navigate in the menu to >> Conversion / Import Key <<. An dieser Stelle wählen wir den generierten private key aus, den wir uns auf unseren Computer geladen haben. Nun noch ein passendes Kommentar hinzufügen und wir können auf >> save private key << klicken.+==== 1.2 Secure deletion of the private key ====
  
-Diesen Key mit der .ppk Endung brauchen wir zum späteren Login für putty. **Diesen Key niemals auf den Server laden!**+**It is important, ''id_ed25519'' securely afterwards!** (If necessary, install wipe with //apt-get install wipe//)
  
 +<code bash>$ wipe id_ed25519
 +Okay to WIPE 1 regular file ? (Yes/No) yes
 +Operation finished.
 +1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.</code>
  
-===== Login Test =====+===== 2.0 Putty Private Key =====
  
-Nun testen wir, ob die Verbindung mit dem erzeugten Schlüssel zustande kommtDazu öffnen wir putty.exe und tragen wie gewohnt den Hostnamen einBevor wir nun auf >> open << klicken, wechseln wir links in der Baumansicht auf >> Connection SSH / Auth << und geben unter >> private key file for authentication << den Pfad zu unserem ppk file anNun auf >> open << klicken. Wenn der Login erfolgreich war, und ohne Fehlermeldung, können wir die Passwort Autenthifizierung in unserem sshd komplett deaktivieren.+Now we download [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|puttygen.exe]] downWe open puttygen.exe and navigate in the menu to ''Conversion Import Key''. At this point, we select the generated private key that we have downloaded to our computerWe mark ''EdDSA'' in the lower area. Now add a suitable comment and we can click on ''Save private key'' button.
  
-===== sshd Konfiguration =====+Save this key with the ''.ppk'' extension for later login to putty. **Never upload this key to the server!**
  
-Nun bearbeiten wir die sshd Konfigurationsdatei <code text>/etc/ssh/sshd_config</code>+ 
 +===== Login test ===== 
 + 
 +Now we test whether the connection is established with the generated key. To do this, we open putty.exe and enter the host name as usual. Before we now click on ''open'' in the tree view on the left, we switch to ''Connection'' -> ''SSH'' -> ''Auth'' and enter under ''private key file for authentication'' enter the path to our ppk file. Now click on ''open'' button. If the login was successful, and without error message, we can completely deactivate the password authentication in our sshd
 + 
 +===== SSHd configuration ===== 
 + 
 +Now we edit the SSHd configuration file <code bash>nano /etc/ssh/sshd_config</code>
  
 <code text> <code text>
-Hier ist es sinnvoll einen Port oberhalb von 1024 zu nehmen+choose a port above 1024
 Port 22 Port 22
  
-Unbedingt Protokoll verwenden!+use protocol 2 !
 Protocol 2 Protocol 2
  
-# RSAAuthentication deaktivieren+deactivate RSAAuthentication
 RSAAuthentication no RSAAuthentication no
  
-# PubkeyAuthentication aktivieren+activate PubkeyAuthentication
 PubkeyAuthentication yes PubkeyAuthentication yes
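Review bot: the new list item "rename it to ''authorised_keys''" does not match the command in the same hunk (`mv id_ed25519.pub .ssh/authorized_keys`) or sshd's default `AuthorizedKeysFile`, which is `.ssh/authorized_keys`; a reader who follows the text literally ends up with a file sshd never reads, so the list item should say ''authorized_keys''. The sentence "only the combination of key file and password enable server access" should also be reworded: the passphrase only encrypts the private key file on the client, and sshd cannot tell whether a key was passphrase-protected, so what it buys is protection of the key at rest if the file is copied. Related to that, the rewritten workflow still generates the key pair on the server and then downloads `id_ed25519` (which is why the `wipe` step in 1.2 exists); generating the key on the client and uploading only `id_ed25519.pub` means the private key never touches the server and the wipe step, which is not reliable on journaling filesystems or SSDs in any case, becomes unnecessary. Finally, `Protocol 2` and `RSAAuthentication no` are SSH-1 era directives that current OpenSSH releases ignore or flag as deprecated at startup, so the example config could drop them.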
  
Line 68: Line 83:
 IgnoreRhosts yes IgnoreRhosts yes
  
-Wollen wir nicht+unwanted options
 RhostsRSAAuthentication no RhostsRSAAuthentication no
 HostbasedAuthentication no HostbasedAuthentication no
 PermitEmptyPasswords no PermitEmptyPasswords no
- +PermitRootLogin no 
-# Wollen wir erst recht nicht +PasswordAuthentication no
-PasswordAuthentication no #UNBEDINGT AUSKOMMENTIEREN UND AUF NO SETZEN!!!!+
 ChallengeResponseAuthentication no ChallengeResponseAuthentication no
 </code> </code>
  
-===== Restart sshd =====+===== SSHd restart =====
  
 <code bash>/etc/init.d/ssh restart</code> <code bash>/etc/init.d/ssh restart</code>
  
-==== Note ==== +==== Hint ====
- +
-The current SSH session is not closed. **To correct configuration errors, the current session should remain open until everything is working properly!** +
- +
-===== Copyright and notes ===== +
- +
-© by [[psycore]] 2020+
  
-The author accepts no liability for any damage resulting from the use of this tutorialThis tutorial is written to the best of my knowledge and belief. The distribution of this tutorial is only allowed if the original text including copyright remains untouched.+The current SSH session is not closed**To correct configuration errors, the current session should remain open until everything is working correctly!**
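Review bot: `PermitRootLogin no` and `PasswordAuthentication no` are the right additions, but the "Hint" about keeping the session open should be paired with a configuration check before the restart: `sshd -t` validates `/etc/ssh/sshd_config` and reports unknown or deprecated directives, whereas a typo otherwise only surfaces when `/etc/init.d/ssh restart` fails and the admin is locked out. With `ChallengeResponseAuthentication no` kept in the block, note that OpenSSH 8.7 and later renamed this directive to `KbdInteractiveAuthentication`; the old name is still accepted as an alias, so it works, but the config should be updated once the distribution's sshd is that new. The revision also silently drops the whole "Copyright and notes" section; if that is intended, it should be mentioned in the change summary, since it removes the licence terms under which the tutorial is distributed.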