You've loaded an old revision of the document! If you save it, you will create a new version with this data. Media Files{{tag>deutsch linux debian sshd it-security}} ====== Backing up the sshd ====== The pre-installed SSH daemon (sshd) is insecure in the basic configuration. To ensure greater protection, it is necessary to integrate a [[wpde>Asymmetrisches_Kryptosystem|to integrate key authentication]]. ===== Generate key pair ===== Firstly, we create a key pair under Linux: <code bash> $ ssh-keygen -t rsa -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: 35:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42 </code> **Be sure to enter a password, otherwise you can access the server simply by possessing the private key!** We rename id_rsa.pub to authorised_keys and download id_rsa locally to the computer. **It is important to delete id_rsa securely afterwards!** (If necessary, install wipe with //apt-get install wipe//) <code bash>$ wipe id_rsa Okay to WIPE 1 regular file ? (Yes/No) yes Operation finished. 1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.</code> We repeat the process with all users who should have access to the sshd. Set modes: <code bash> chmod 0700 .ssh chmod 0600 .ssh/authorized_keys </code> ===== Putty Private Key ===== Now we download [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|puttygen.exe]] down. We open puttygen.exe and navigate in the menu to **Conversion / Import Key**. At this point, we select the generated private key that we have downloaded to our computer. Now add a suitable comment and we can click on **save private key** button. We will need this key with the .ppk extension to log in to putty later. **Never upload this key to the server!** ===== Login test ===== Now we test whether the connection is established with the generated key. To do this, we open putty.exe and enter the host name as usual. Before we now click on **open** we switch to the left in the tree view to **Connection / SSH / Auth** and under **private key file for authentication** and enter the path to our ppk file. Now click on **open** button. If the login was successful, and without error message, we can completely deactivate the password authentication in our sshd. ===== sshd configuration ===== Now we edit the sshd configuration file <code text>/etc/ssh/sshd_config</code> <code text> # Hier ist es sinnvoll einen Port oberhalb von 1024 zu nehmen Port 22 # Unbedingt Protokoll 2 verwenden! Protocol 2 # RSAAuthentication deaktivieren RSAAuthentication no # PubkeyAuthentication aktivieren PubkeyAuthentication yes # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Wollen wir nicht RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no # Wollen wir erst recht nicht PasswordAuthentication no #UNBEDINGT AUSKOMMENTIEREN UND AUF NO SETZEN!!!! ChallengeResponseAuthentication no </code> ===== Restart sshd ===== <code bash>/etc/init.d/ssh restart</code> ==== Hint ==== The current SSH session is not closed. **To correct configuration errors, the current session should remain open until everything is working correctly!**Please solve the following equation to prove you're human. 223 +15 = Please keep this field empty: SavePreviewCancel Edit summary Note: By editing this page you agree to license your content under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International