This is an old revision of the document!
Back up the sshd
The pre-installed SSH daemon (sshd) is insecure in the basic configuration. To ensure greater protection, it is necessary to integrate a key authentication.
Create key pair
First, we create a key pair under Linux:
$ ssh-keygen -t rsa -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: 35:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42
Be sure to enter a password, otherwise you can access the server just by possessing the private key!
We rename id_rsa.pub to authorised_keys and download id_rsa locally to our computer. It is important to delete id_rsa securely afterwards! (if necessary install wipe with apt-get install wipe)
$ wipe id_rsa Okay to WIPE 1 regular file ? (Yes/No) yes Operation finished. 1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.
We repeat the process with all users who should have access to the sshd.
Set modes:
chmod 0700 .ssh chmod 0600 .ssh/authorized_keys
Putty Private Key
Now we download puttygen.exe down. We open puttygen.exe and navigate in the menu to Conversion / Import Key. At this point we select the generated private key that we have downloaded to our computer. Now add a suitable comment and we can click on save private key button.
We need this key with the .ppk extension to log in later for putty. Never upload this key to the server!
Login test
Now we test whether the connection is established with the generated key. To do this, we open putty.exe and enter the host name as usual. Before we click on open we switch to the left in the tree view to Connection / SSH / Auth and enter the following under private key file for authentication enter the path to our ppk file. Now click on open button. If the login was successful, and without error messages, we can completely disable password authentication in our sshd.
sshd configuration
Now we edit the sshd configuration file
/etc/ssh/sshd_config
# Hier ist es sinnvoll einen Port oberhalb von 1024 zu nehmen Port 22 # Unbedingt Protokoll 2 verwenden! Protocol 2 # RSAAuthentication deaktivieren RSAAuthentication no # PubkeyAuthentication aktivieren PubkeyAuthentication yes # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Wollen wir nicht RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no # Wollen wir erst recht nicht PasswordAuthentication no #UNBEDINGT AUSKOMMENTIEREN UND AUF NO SETZEN!!!! ChallengeResponseAuthentication no
Restart sshd
/etc/init.d/ssh restart
Note
The current SSH session is not closed. To correct configuration errors, the current session should remain open until everything is working properly!
Copyright and notes
© by psycore 2020
The author accepts no liability for any damage resulting from the use of this tutorial. This tutorial is written to the best of my knowledge and belief. The distribution of this tutorial is only allowed if the original text including copyright remains untouched.