Page en:linux:ssh, revision 2024/02/05 16:49 (current) by psycore (old revision of 2024/01/24 11:23 restored), compared with the revision of 2023/10/18 22:46 (deleted) by psycore.
{{tag>english linux debian sshd it-security}}
====== Securing the sshd ======

The pre-installed SSH daemon (sshd) is insecure in its default configuration. For better protection, key-based authentication ([[wpde>Asymmetrisches_Kryptosystem|asymmetric cryptosystem]]) should be set up.

===== Generate key pair =====

First, we create a key pair under Linux:

<code bash>
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
35:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42
</code>
**Be sure to enter a passphrase, otherwise anyone who possesses the private key can access the server!**
 +
We rename id_rsa.pub to authorized_keys and download id_rsa to the local computer. **Afterwards it is important to delete the server copy of id_rsa securely!** (If necessary, install wipe with //apt-get install wipe//.)

<code bash>
$ wipe id_rsa
Okay to WIPE 1 regular file ? (Yes/No) yes
Operation finished.
1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.
</code>
 +
We repeat the process for every user who should have access to the sshd.

Set the permissions on the .ssh directory and the authorized_keys file:

<code bash>
chmod 0700 .ssh
chmod 0600 .ssh/authorized_keys
</code>
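Scripting the authorized_keys step for several users, as an added example that is not part of the original page (the function names are my own): the first function installs one public key file idempotently with the modes shown above, the second enforces those exact modes and additionally rejects a group- or world-writable home directory, which sshd's StrictModes check (on by default) would refuse as well. If the key pair is generated on the client instead of the server, only the .pub file ever needs to reach the server and the wipe step above is not needed.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat (Linux).

# install_authorized_key HOME_DIR PUBKEY_FILE
# Appends the public key to HOME_DIR/.ssh/authorized_keys (once) and sets
# the modes the page requires. Runs in a subshell so the umask does not leak.
install_authorized_key() (
    home="$1"; pubkey="$2"
    umask 077                            # anything we create is private
    mkdir -p "$home/.ssh"
    chmod 0700 "$home/.ssh"
    keyline=$(cat "$pubkey")             # one "ssh-rsa AAAA... comment" line
    touch "$home/.ssh/authorized_keys"
    # append only if this exact line is not already present (idempotent)
    if ! grep -qxF -- "$keyline" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$keyline" >> "$home/.ssh/authorized_keys"
    fi
    chmod 0600 "$home/.ssh/authorized_keys"
)

# check_ssh_perms HOME_DIR -> exit 0 when the modes are acceptable, 1 otherwise
# (checks modes only, not ownership)
check_ssh_perms() {
    home="$1"
    [ "$(stat -c %a "$home/.ssh")" = "700" ] || return 1
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = "600" ] || return 1
    # home directory must not be group- or world-writable (StrictModes)
    case "$(stat -c %a "$home")" in
        *[2367][0-7]|*[0-7][2367]) return 1 ;;
    esac
    return 0
}
```

Run it as root once per user, e.g. `install_authorized_key /home/alice /tmp/alice.pub`, then `check_ssh_perms /home/alice` before the login test.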
 +
===== Putty Private Key =====

Now we download [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|puttygen.exe]]. We open puttygen.exe and navigate in the menu to **Conversion / Import Key**. Here we select the generated private key that we downloaded to our computer. Now we add a suitable comment and click the **save private key** button.

We will need this key with the .ppk extension later to log in with putty. **Never upload this key to the server!**

===== Login test =====

Now we test whether a connection can be established with the generated key. To do this, we open putty.exe and enter the host name as usual. Before clicking **open**, we switch in the tree view on the left to **Connection / SSH / Auth** and, under **private key file for authentication**, enter the path to our ppk file. Now we click the **open** button. If the login succeeds without an error message, we can disable password authentication in our sshd completely.

===== sshd configuration =====

Now we edit the sshd configuration file ''/etc/ssh/sshd_config'':

<code text>
# It makes sense to use a port above 1024 here
Port 22

# Always use protocol 2!
# (Protocol 1 support was removed in OpenSSH 7.4; newer releases ignore this option)
Protocol 2

# Disable RSAAuthentication (protocol 1 RSA keys; ignored by OpenSSH 7.4 and newer)
RSAAuthentication no

# Enable PubkeyAuthentication
PubkeyAuthentication yes

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# We don't want these
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no

# And we definitely don't want these
# IMPORTANT: uncomment this line and set it to no!
# (comments belong on their own line; sshd treats lines starting with '#' as comments)
PasswordAuthentication no
ChallengeResponseAuthentication no
</code>
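Before restarting, the edited file can be checked against the settings above. The following audit is an added example, not part of the original page (function names are my own). It strips comments, matches keywords case-insensitively, and follows sshd's rule that the first occurrence of a keyword wins, so a stray `PasswordAuthentication yes` higher up in the file (or left behind from the distribution default) is reported instead of silently taking effect. It stops at the first `Match` block, since settings there apply only to matching connections, and it does not follow `Include` directives.

```sh
#!/bin/sh
# Added example, not from the original page.

# sshd_effective CONFIG KEYWORD -> prints the effective global value, lowercased
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # drop '#' comments, then take the first match before any Match block
    sed 's/#.*//' "$1" | awk -v k="$key" '
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == k       { print tolower($2); exit }'
}

# audit_sshd_config CONFIG -> exit 0 when every required setting is in effect,
# otherwise print each deviation and exit 1
audit_sshd_config() {
    cfg="$1"; rc=0
    for pair in \
        PubkeyAuthentication=yes \
        PasswordAuthentication=no \
        ChallengeResponseAuthentication=no \
        PermitEmptyPasswords=no \
        HostbasedAuthentication=no \
        IgnoreRhosts=yes
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            # an unset keyword falls back to sshd's default, so it is reported too
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}
```

Usage: `audit_sshd_config /etc/ssh/sshd_config`, then `sshd -t` for a syntax check before the restart. On a running host, `sshd -T` prints the effective merged configuration (including any included files) in the same keyword/value form, so its output can be saved to a file and audited the same way. Keep a second session open and confirm from another machine with `ssh -o PasswordAuthentication=no user@host` that the key alone is sufficient.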
 +
===== Restart sshd =====

<code bash>
/etc/init.d/ssh restart
</code>

==== Hint ====

Restarting sshd does not close the current SSH session. **To be able to correct configuration errors, the current session should remain open until everything is working correctly!**