Difference between revisions of "SSH Client"

 
(23 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Installation=
+
[[Category:Linux]]
 
 
By default Debian | Ubuntu doesn't include any SSH server.
 
<syntaxhighlight lang="bash">
 
apt-get install ssh openssh-server
 
</syntaxhighlight>
 
  
  
 +
=SSH client=
  
  
=SSH server configuration [basic]=
+
==Linux==
  
 
+
===Standard login===
Edit the configuration file:
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/ssh/sshd_config
+
# syntax
</syntaxhighlight>
+
ssh user@server -p portNumber
  
 
+
# example
==X11 forwarding==
+
ssh root@daxiongmao.eu -p 4422
 
 
In the configuration file, uncomment and set:
 
<syntaxhighlight lang="bash">
 
ForwardAgent yes
 
ForwardX11 yes
 
ForwardX11Trusted yes
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
'''Enable | Disable the forwarding:'''
+
===Using RSA key===
 
 
<syntaxhighlight lang="bash">
 
# This server doesn’t have a XServer. Therefore do not forward graphical data.
 
X11Forwarding no
 
</syntaxhighlight>
 
  
 +
Key points:
 +
* The key must belongs to the current user
 +
* The key rights must be "500"
  
==Port(s) number==
 
  
You can listen on multiple port. Just do the following:
+
Then you can log-in using the following command:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
Port 22
+
ssh -i Guillaume_OpenSSH.private -p 2200 guillaume@dev.daxiongmao.eu
Port 2200
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 +
Where:
 +
* '''-i''' ''myFile'' = the private key you have to use
 +
* '''-p''' ''port'' = specific port number (if not default 22)
  
Security psycho mode:
 
  
<syntaxhighlight lang="bash">
 
# The default port SSH is 22. You may want to change that port to another one so your server will be more discreet.
 
# NB: if your server is hosted the provider might need access for maintenance purposes.
 
Port XXXXX
 
</syntaxhighlight>
 
  
 
+
===X11 forwarding===
==Protocol and password enforcement==
 
 
 
<syntaxhighlight lang="bash">
 
Protocol 2 # only use SSH v2
 
PermitRootLogin no # Avoid root connections
 
PermitEmptyPassword no         # Forbidden user with empty passwords
 
</syntaxhighlight>
 
 
 
 
 
==Login time==
 
 
 
<syntaxhighlight lang="bash">
 
# Time to log
 
LoginGraceTime 30
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Restart SSH server==
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
/etc/init.d/ssh restart
+
ssh -X guillaume@nuc-media-center
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
 +
♦ Note that the remote computer have X11 installed and X11 applications.
  
  
=SSH server configuration [Advanced]=
 
 
 
 
=Fail2ban=
 
 
see [[Fail2ban#SSH_configuration]]
 
 
 
 
Connection
 
 
Now you can perform SSH remote connections with any SSH client.
 
Linux: ssh
 
Windows: PuTTY (windows).
 
 
 Principle
 
ssh votre_adresse_ip -p numeroDePort
 
 
Security lock: Fail2ban
 
 
 
Remote clients
 
 
$ ssh user@server -p portNumber
 
 
$ ssh -X user@server -p portNumber
 
user@server ~ $ gnome-session
 
 
 
 
VNC Server (Linux desktop, ubuntu like)
 
 
installation
 
# apt-get install vino
 
# apt-get install dconf-tools
 
 
 
configuration
 
$ vino-preferences
 
$ dconf-editor
 
 
go to desktop > Gnome > Remote-access
 
 
 
* Set the alternate port number
 
* Disable background-feature (use too many bandwith)
 
* Enable server
 
* if prompt enabled, remote user must grant you access
 
* Enable encryption
 
* Enable the use of an alternative port (in order to use your own)
 
* Set the vnc password
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Execution
 
/usr/lib/vino/vino-server
 
 
 
 
 
Authentication with RSA keys
 
 
Introduction
 
 
If you’d like to increase the authentication process you can use authentication by private/public key.
 
 Generate new private / public keys on your own computer
 
 Put the public key on the remote SSH server
 
 Only the person with the private key can be authenticate on the server
 
 
 This is how hosting company can log on your system.
 
 
Then, when you’ve test it and everything is working, you can remove the default access by login / password.
 
 Using key-based SSH logins, you can disable the normal username/password login procedure which means that only people with a valid private/public key pair can log in. That way, there is no way for brute-force attacks to be successful, so your system is more secure.
 
 
Source: http://www.howtoforge.com/ssh_key_based_logins_putty
 
 
Requirements – windows
 
Download the following software:
 
• PuTTY
 
• PuTTYgen
 
• Pageant
 
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
 
 
Windows - Generate new private / public keys pair
 
Start PuTTYgen
 
 
 
Create a 4096 bits key, DSA algorithm.
 
 
 
 
Then, click on generate
 
When the keys are OK, you have to enter a key passphrase.
 
 You passphrase must be long (> 15 characters), hard to guess, with letters + signs + numbers
 
 
 Reminder: how to choose your passphrase and protect it:
 
http://www.alcf.anl.gov/resource-guides/user-authentication-policies
 
 
Then, save your keys!
 
You should be the only one to access the save location.
 
 
 
Declare the public key on the server
 
You have to log in to your SSH server with the standard user that’s gonna use this key.
 
Go to your home directory, and create a .ssh folder (if there was none before).
 
# cd ~
 
# mkdir .ssh
 
# cd .ssh
 
# vim authorized_key2
 
 
Prefix your key with:
 
RSA: ssh-rsa
 
DSA: ssh-dss
 
Then paste the public key into the file in one line!
 
 
Copy the text as shown on the previous image.
 
 
Example:
 
ssh-rsa AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
 
ssh-dss AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
 
 
Adjust file rights
 
 The authorized_keys2  file must be write/readable only by that user
 
 
# chmod 600 authorized_keys2
 
# cd ..
 
# chmod 700 .ssh
 
 
Windows – configure PuTTY client
 
 
You have to configure your PuTTY SSH client with this new key.
 
 
Create profile
 
 
Auto-login
 
 
 
 
 
Attach private key
 
 
 
Save profile
 
Go back to the main screen Session and save your changes.
 
 
 
Click on “open” to initialize connection.
 
  
Login procedure
+
==Windows==
  
 Type your passphrase on system request
+
You have to use Putty to perform SSH login.
 
  
Access is granted! 
 
  
Disable standard username / password login
+
'''How to add a public / private key in Putty ?'''
  
Edit the configuration file
+
1.Create profile
#  vim /etc/ssh/sshd_config
 
  
Adjust the line:
+
[[File:Putty_SSH_access_1.png|none|Putty SSH login step 1]]
 
  
to:
 
 
  
 +
2. Auto-login
  
 +
[[File:Putty_SSH_access_2.png|none|Putty SSH login step 2]]
  
  
Restart SSH server:
+
3. Attach private key
#  /etc/init.d/ssh restart
 
  
OVH server: root access
+
[[File:Putty_SSH_access_3.png|none|Putty SSH login step 3]]
  
OVH requires a root access for maintenance.
 
OVH uses a RSA key for authentication. You have to let the following settings:
 
SSH port : 22
 
Root login : enable
 
UsePam: yes
 
  
 +
4. Save profile
  
 Important
+
[[File:Putty_SSH_access_4.png|none|Putty SSH login step 4]]
If this access is removed then OVH will stop your server in case of DoS.
 
More details: http://guide.ovh.com/InstallClefOVH
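Review bot: the added "Using RSA key" bullet 'The key rights must be "500"' gives the private key an execute bit it does not need and does not say which file it applies to; suggest naming the private key passed to -i and using an owner-only read or read/write mode, such as the 600 that the removed "Adjust file rights" step applied to authorized_keys2. The added standard-login example also connects as root (ssh root@daxiongmao.eu -p 4422) while this revision drops the "PermitRootLogin no" guidance, so a non-root user in the example, or a link to where the server configuration now lives, would keep the two consistent.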
 

Latest revision as of 20:10, 25 March 2015


SSH client

Linux

Standard login

# syntax
ssh user@server -p portNumber

# example
ssh root@daxiongmao.eu -p 4422


Using RSA key

Key points:

  • The key must belong to the current user
  • The key rights must be "500"


Then you can log in using the following command:

ssh -i Guillaume_OpenSSH.private -p 2200 guillaume@dev.daxiongmao.eu

Where:

  • -i myFile = the private key you have to use
  • -p port = specific port number (if not default 22)
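
The two key points above can be checked before connecting. The script below is an added example, not part of the original page: the function names are hypothetical, it assumes GNU stat (Linux), and it accepts the page's "500" as well as any other mode that gives the owner read access and nothing to group or others.

```shell
#!/bin/sh
# Added example: pre-flight check of a private key file before `ssh -i`.
# Enforces the two key points: the key belongs to the current user, and
# group/others have no access to it.

# Returns 0 when the key is safe to use, 1 otherwise; prints the reason.
check_private_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "missing: $key"
        return 1
    fi
    # Numeric owner of the file must match the user running ssh.
    if [ "$(stat -c '%u' "$key")" != "$(id -u)" ]; then
        echo "wrong owner: $key"
        return 1
    fi
    mode=$(stat -c '%a' "$key")        # octal digits, e.g. 500
    perm=$((0$mode))                   # leading 0 = parse as octal
    if [ $((perm & 077)) -ne 0 ]; then # any group/other bit set
        echo "too open ($mode): $key"
        return 1
    fi
    if [ $((perm & 0400)) -eq 0 ]; then # owner cannot read the key
        echo "unreadable ($mode): $key"
        return 1
    fi
    echo "ok ($mode): $key"
}

# Wrapper: refuse to connect when the check fails.
# e.g. ssh_with_key Guillaume_OpenSSH.private -p 2200 guillaume@dev.daxiongmao.eu
ssh_with_key() {
    key=$1
    shift
    check_private_key "$key" >&2 || return 1
    ssh -i "$key" "$@"
}
```
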


X11 forwarding

ssh -X guillaume@nuc-media-center


♦ Note that the remote computer must have X11 and X11 applications installed.


Windows

You have to use PuTTY to perform SSH login.


How to add a public / private key in PuTTY?

1. Create profile

Putty SSH login step 1


2. Auto-login

Putty SSH login step 2


3. Attach private key

Putty SSH login step 3


4. Save profile

Putty SSH login step 4