|
|
| (24 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| | + | [[Category:Linux]] |
| | | | |
| | | | |
| | + | =SSH client= |
| | | | |
| | | | |
| − | =Installation= | + | ==Linux== |
| − | | |
| − | By default Debian | Ubuntu doesn't include any SSH server.
| |
| − | <syntaxhighlight lang="bash">
| |
| − | apt-get install ssh openssh-server
| |
| − | </syntaxhighlight>
| |
| − | | |
| | | | |
| − | | + | ===Standard login=== |
| − | | |
| − | =Configuration= | |
| − | | |
| − | | |
| − | Edit the configuration file:
| |
| | | | |
| | <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
| − | vim /etc/ssh/sshd_config
| + | # syntax |
| − | </syntaxhighlight>
| + | ssh user@server -p portNumber |
| − | | |
| − | | |
| − | ==X11 forwarding==
| |
| | | | |
| − | In the configuration file, uncomment and set:
| + | # example |
| − | <syntaxhighlight lang="bash">
| + | ssh root@daxiongmao.eu -p 4422 |
| − | ForwardAgent yes
| |
| − | ForwardX11 yes
| |
| − | ForwardX11Trusted yes
| |
| | </syntaxhighlight> | | </syntaxhighlight> |
| | | | |
| | | | |
| − | '''Enable | Disable the forwarding:'''
| + | ===Using RSA key=== |
| − | | |
| − | <syntaxhighlight lang="bash">
| |
| − | # This server doesn’t have a XServer. Therefore do not forward graphical data.
| |
| − | X11Forwarding no
| |
| − | </syntaxhighlight>
| |
| | | | |
| | + | Key points: |
| | + | * The key must belongs to the current user |
| | + | * The key rights must be "500" |
| | | | |
| − | ==Port(s) number==
| |
| | | | |
| − | You can listen on multiple port. Just do the following:
| + | Then you can log-in using the following command: |
| | | | |
| | <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
| − | Port 22
| + | ssh -i Guillaume_OpenSSH.private -p 2200 guillaume@dev.daxiongmao.eu |
| − | Port 2200
| |
| | </syntaxhighlight> | | </syntaxhighlight> |
| | | | |
| | + | Where: |
| | + | * '''-i''' ''myFile'' = the private key you have to use |
| | + | * '''-p''' ''port'' = specific port number (if not default 22) |
| | | | |
| − | Security psycho mode:
| |
| | | | |
| − | <syntaxhighlight lang="bash">
| |
| − | # The default port SSH is 22. You may want to change that port to another one so your server will be more discreet.
| |
| − | # NB: if your server is hosted the provider might need access for maintenance purposes.
| |
| − | Port XXXXX
| |
| − | </syntaxhighlight>
| |
| | | | |
| − | | + | ===X11 forwarding=== |
| − | ==Login time== | |
| | | | |
| | <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
| − | # Time to log
| + | ssh -X guillaume@nuc-media-center |
| − | LoginGraceTime 30
| |
| | </syntaxhighlight> | | </syntaxhighlight> |
| | | | |
| | | | |
| | + | ♦ Note that the remote computer have X11 installed and X11 applications. |
| | | | |
| | | | |
| − | Restart SSH server:
| |
| − | # /etc/init.d/ssh restart
| |
| − | Connection
| |
| − |
| |
| − | Now you can perform SSH remote connections with any SSH client.
| |
| − | Linux: ssh
| |
| − | Windows: PuTTY (windows).
| |
| − |
| |
| − | Principle
| |
| − | ssh votre_adresse_ip -p numeroDePort
| |
| − |
| |
| − | Advanced security
| |
| − | To increase the security here are some options:
| |
| − | # vim /etc/ssh/sshd_config
| |
| − |
| |
| − | Protocol 2 # only use SSH v2
| |
| − | PermitRootLogin no # Avoid root connections
| |
| − | PermitEmptyPassword no # Forbidden user with empty passwords
| |
| − | Security lock: Fail2ban
| |
| − |
| |
| − | For more security you can also ban a remote IP after 6 trials:
| |
| − | # apt-get install fail2ban
| |
| − |
| |
| − | Edit the configuration file
| |
| − | # vim /etc/fail2ban/jail.conf
| |
| − |
| |
| − | Adjust:
| |
| − |
| |
| − |
| |
| − |
| |
| − | Remote clients
| |
| − |
| |
| − | $ ssh user@server -p portNumber
| |
| − |
| |
| − | $ ssh -X user@server -p portNumber
| |
| − | user@server ~ $ gnome-session
| |
| − |
| |
| − |
| |
| − |
| |
| − | VNC Server (Linux desktop, ubuntu like)
| |
| − |
| |
| − | installation
| |
| − | # apt-get install vino
| |
| − | # apt-get install dconf-tools
| |
| − |
| |
| − |
| |
| − | configuration
| |
| − | $ vino-preferences
| |
| − | $ dconf-editor
| |
| − |
| |
| − | go to desktop > Gnome > Remote-access
| |
| − |
| |
| − |
| |
| − | * Set the alternate port number
| |
| − | * Disable background-feature (use too many bandwith)
| |
| − | * Enable server
| |
| − | * if prompt enabled, remote user must grant you access
| |
| − | * Enable encryption
| |
| − | * Enable the use of an alternative port (in order to use your own)
| |
| − | * Set the vnc password
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − | Execution
| |
| − | /usr/lib/vino/vino-server
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − | Authentication with RSA keys
| |
| − |
| |
| − | Introduction
| |
| − |
| |
| − | If you’d like to increase the authentication process you can use authentication by private/public key.
| |
| − | Generate new private / public keys on your own computer
| |
| − | Put the public key on the remote SSH server
| |
| − | Only the person with the private key can be authenticate on the server
| |
| − |
| |
| − | This is how hosting company can log on your system.
| |
| − |
| |
| − | Then, when you’ve test it and everything is working, you can remove the default access by login / password.
| |
| − | Using key-based SSH logins, you can disable the normal username/password login procedure which means that only people with a valid private/public key pair can log in. That way, there is no way for brute-force attacks to be successful, so your system is more secure.
| |
| − |
| |
| − | Source: http://www.howtoforge.com/ssh_key_based_logins_putty
| |
| − |
| |
| − | Requirements – windows
| |
| − | Download the following software:
| |
| − | • PuTTY
| |
| − | • PuTTYgen
| |
| − | • Pageant
| |
| − | http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
| |
| − |
| |
| − | Windows - Generate new private / public keys pair
| |
| − | Start PuTTYgen
| |
| − |
| |
| − |
| |
| − | Create a 4096 bits key, DSA algorithm.
| |
| − |
| |
| − |
| |
| − |
| |
| − | Then, click on generate
| |
| − | When the keys are OK, you have to enter a key passphrase.
| |
| − | You passphrase must be long (> 15 characters), hard to guess, with letters + signs + numbers
| |
| − |
| |
| − | Reminder: how to choose your passphrase and protect it:
| |
| − | http://www.alcf.anl.gov/resource-guides/user-authentication-policies
| |
| − |
| |
| − | Then, save your keys!
| |
| − | You should be the only one to access the save location.
| |
| − |
| |
| − |
| |
| − | Declare the public key on the server
| |
| − | You have to log in to your SSH server with the standard user that’s gonna use this key.
| |
| − | Go to your home directory, and create a .ssh folder (if there was none before).
| |
| − | # cd ~
| |
| − | # mkdir .ssh
| |
| − | # cd .ssh
| |
| − | # vim authorized_key2
| |
| − |
| |
| − | Prefix your key with:
| |
| − | RSA: ssh-rsa
| |
| − | DSA: ssh-dss
| |
| − | Then paste the public key into the file in one line!
| |
| − |
| |
| − | Copy the text as shown on the previous image.
| |
| − |
| |
| − | Example:
| |
| − | ssh-rsa AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
| |
| − | ssh-dss AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
| |
| − |
| |
| − | Adjust file rights
| |
| − | The authorized_keys2 file must be write/readable only by that user
| |
| − |
| |
| − | # chmod 600 authorized_keys2
| |
| − | # cd ..
| |
| − | # chmod 700 .ssh
| |
| − |
| |
| − | Windows – configure PuTTY client
| |
| − |
| |
| − | You have to configure your PuTTY SSH client with this new key.
| |
| − |
| |
| − | Create profile
| |
| − |
| |
| − | Auto-login
| |
| − |
| |
| − |
| |
| − |
| |
| − |
| |
| − | Attach private key
| |
| − |
| |
| − |
| |
| − | Save profile
| |
| − | Go back to the main screen Session and save your changes.
| |
| − |
| |
| − |
| |
| − | Click on “open” to initialize connection.
| |
| | | | |
| − | Login procedure
| + | ==Windows== |
| | | | |
| − | Type your passphrase on system request
| + | You have to use Putty to perform SSH login. |
| − |
| |
| | | | |
| − | Access is granted!
| |
| | | | |
| − | Disable standard username / password login
| + | '''How to add a public / private key in Putty ?''' |
| | | | |
| − | Edit the configuration file
| + | 1.Create profile |
| − | # vim /etc/ssh/sshd_config
| |
| | | | |
| − | Adjust the line:
| + | [[File:Putty_SSH_access_1.png|none|Putty SSH login step 1]] |
| − |
| |
| | | | |
| − | to:
| |
| − |
| |
| | | | |
| | + | 2. Auto-login |
| | | | |
| | + | [[File:Putty_SSH_access_2.png|none|Putty SSH login step 2]] |
| | | | |
| | | | |
| − | Restart SSH server:
| + | 3. Attach private key |
| − | # /etc/init.d/ssh restart
| |
| | | | |
| − | OVH server: root access
| + | [[File:Putty_SSH_access_3.png|none|Putty SSH login step 3]] |
| | | | |
| − | OVH requires a root access for maintenance.
| |
| − | OVH uses a RSA key for authentication. You have to let the following settings:
| |
| − | SSH port : 22
| |
| − | Root login : enable
| |
| − | UsePam: yes
| |
| | | | |
| | + | 4. Save profile |
| | | | |
| − | Important
| + | [[File:Putty_SSH_access_4.png|none|Putty SSH login step 4]] |
| − | If this access is removed then OVH will stop your server in case of DoS.
| |
| − | More details: http://guide.ovh.com/InstallClefOVH
| |
