|
|
(11 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
− | =Installation=
| + | [[Category:Linux]] |
| | | |
− | By default Debian | Ubuntu doesn't include any SSH server.
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install ssh openssh-server
| |
− | </syntaxhighlight>
| |
| | | |
| + | =SSH client= |
| | | |
| | | |
| + | ==Linux== |
| | | |
− | =SSH server configuration= | + | ===Standard login=== |
− | | |
− | | |
− | Edit the configuration file:
| |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | vim /etc/ssh/sshd_config
| + | # syntax |
− | </syntaxhighlight>
| + | ssh user@server -p portNumber |
| | | |
− | | + | # example |
− | ==X11 forwarding==
| + | ssh root@daxiongmao.eu -p 4422 |
− | | |
− | In the configuration file, uncomment and set:
| |
− | <syntaxhighlight lang="bash">
| |
− | ForwardAgent yes
| |
− | ForwardX11 yes
| |
− | ForwardX11Trusted yes
| |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| | | |
− | '''Enable | Disable the forwarding:'''
| + | ===Using RSA key=== |
| | | |
− | <syntaxhighlight lang="bash">
| + | Key points: |
− | # This server doesn’t have a XServer. Therefore do not forward graphical data.
| + | * The key must belongs to the current user |
− | X11Forwarding no
| + | * The key rights must be "500" |
− | </syntaxhighlight>
| |
| | | |
| | | |
− | ==Port(s) number==
| + | Then you can log-in using the following command: |
− | | |
− | You can listen on multiple port. Just do the following:
| |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | Port 22
| + | ssh -i Guillaume_OpenSSH.private -p 2200 guillaume@dev.daxiongmao.eu |
− | Port 2200
| |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| + | Where: |
| + | * '''-i''' ''myFile'' = the private key you have to use |
| + | * '''-p''' ''port'' = specific port number (if not default 22) |
| | | |
− | Security psycho mode:
| |
| | | |
− | <syntaxhighlight lang="bash">
| |
− | # The default port SSH is 22. You may want to change that port to another one so your server will be more discreet.
| |
− | # NB: if your server is hosted the provider might need access for maintenance purposes.
| |
− | Port XXXXX
| |
− | </syntaxhighlight>
| |
| | | |
− | | + | ===X11 forwarding=== |
− | | |
− | ==Restart SSH server== | |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | /etc/init.d/ssh restart
| + | ssh -X guillaume@nuc-media-center |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| | | |
− | | + | ♦ Note that the remote computer have X11 installed and X11 applications. |
− | | |
− | =Firewall=
| |
− | | |
− | See [[Firewall#SSH]]
| |
− | | |
− | | |
− | | |
− | =SSH server configuration - Authentication by Linux user login / password=
| |
− | | |
− | ==Principle==
| |
− | | |
− | This is the default authentication system.
| |
− | | |
− | | |
− | Each user that has a '''local account on the server''' and member is allowed to access the SSH server with its login / password.
| |
− | | |
− | [[File:SSH server default auth.png|none|SSH default authentication system]]
| |
− | | |
− | | |
− | | |
− | ==Configuration changes==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/ssh/sshd_config
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Protocol and password enforcement===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | Protocol 2 # only use SSH v2
| |
− | PermitRootLogin no # Avoid root connections
| |
− | PermitEmptyPassword no # Forbidden user with empty passwords
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Login time===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # Time to log
| |
− | LoginGraceTime 30
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Restart SSH server==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/ssh restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | | |
− | | |
− | =SSH server configuration - Authentication with RSA keys=
| |
− | | |
− | | |
− | ==Introduction==
| |
− | | |
− | If you’d like to increase the authentication process you can use authentication by private/public key.
| |
− | * Generate new private / public keys on your own computer
| |
− | * Put the public key on the remote SSH server
| |
− | * Only the person with the private key can be authenticate on the server
| |
− | | |
− | | |
− | [[File:SSH_server_RSA_keys.png|none|SSH RSA authentication]]
| |
− | | |
− | | |
− | | |
− | For instance, this is how hosting company such as OVH can log on your system.
| |
− | | |
− | | |
− | | |
− | '''Security improvement: remove password authentication'''
| |
− | | |
− | When the key authentication is working you can remove the default access by login / password.
| |
− | Then, only people with a valid private/public key pair can log in.
| |
− | | |
− | That way, there is no way for brute-force attacks to be successful, so your system is more secure.
| |
− | | |
− | | |
− | | |
− | ==Declare the public key on the server==
| |
− | | |
− | | |
− | You have to:
| |
− | * '''log in''' to your SSH server with the '''user that’s gonna use this key'''
| |
− | * Go to '''user's home''' directory
| |
− | * Create a '''.ssh''' folder (if there was none before).
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd ~
| |
− | mkdir .ssh
| |
− | cd .ssh
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Add the new ''public'' key to the list of allowed keys:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim authorized_key2
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Prefix your key with:
| |
− | * RSA: ssh-rsa
| |
− | * DSA: ssh-dss
| |
− | | |
− | Then paste the public key in one line - the public key mustn't be change or separated in 2 lines!
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # Example:
| |
− | ssh-rsa AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
| |
− | ssh-dss AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Adjust file rights, the ''authorized_keys2'' file must be write/readable only by that user
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | chmod 640 authorized_keys2
| |
− | cd ..
| |
− | chmod 700 .ssh
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Configuration changes==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/ssh/sshd_config
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Allow empty password===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | PermitEmptyPassword yes # allow empty password in favor of RSA keys
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Restart SSH server==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/ssh restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | | |
− | | |
− | =SSH server - Authentication using LDAP server=
| |
− | | |
− | Requirement: [[LDAP server]]
| |
− | | |
− | | |
− | ==Principle==
| |
− | | |
− | The idea is to use a LDAP server to manage users and groups to ease the maintenance and administration.
| |
− | | |
− | * Only 1 group of users is allowed to connect
| |
− | | |
− | * Access can be dynamically and easily granted
| |
− | | |
− | | |
− | [[File:SSH_server_LDAP_user.png|none|SSH LDAP server authentication]]
| |
− | | |
− | | |
− | | |
− | ==Configuration==
| |
− | | |
− | | |
− | !! TO BE DONE !!
| |
− | | |
− | | |
− | | |
− | | |
− | | |
− | | |
− | =How-to generate private / public keys=
| |
− | | |
− | | |
− | ==Linux==
| |
− | | |
− | ===Create key===
| |
− | | |
− | 1. Log-in with the user you want to use.
| |
− | | |
− | | |
− | 2. Generate a pair of authentication keys. '''Do not enter a passphrase'''
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # Generating public/private rsa key pair
| |
− | ssh-keygen -t rsa
| |
− | </syntaxhighlight>
| |
− | | |
− | >> Enter file in which to save the key: /home/''user''/'''.ssh'''/id_rsa
| |
− | | |
− | Log sample:
| |
− | <syntaxhighlight lang="bash">
| |
− | Created directory '/home/a/.ssh'.
| |
− | Enter passphrase (empty for no passphrase):
| |
− | Enter same passphrase again:
| |
− | Your identification has been saved in /home/a/.ssh/id_rsa.
| |
− | Your public key has been saved in /home/a/.ssh/id_rsa.pub.
| |
− | The key fingerprint is:
| |
− | 3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Convert OpenSSH key to Windows Putty===
| |
− | | |
− | See: http://meinit.nl/using-your-openssh-private-key-in-putty
| |
− | | |
− | | |
− | ==Windows==
| |
− | | |
− | You can generate private / public keys with '''PuttyGen''' = Putty key generator.
| |
− | | |
− | | |
− | [[File:SSH_putty_key_generator.png|none|puttyGen first step]]
| |
− | | |
− | | |
− | When the keys are OK, you have to enter a key pass-phrase. Your pass-phrase must be:
| |
− | * long (> 15 characters)
| |
− | * hard to guess
| |
− | * with letters + signs + numbers
| |
− | | |
− | | |
− | '''Reminder'''
| |
− | | |
− | how to choose your passphrase and protect it: http://www.alcf.anl.gov/resource-guides/user-authentication-policies
| |
− | | |
− | | |
− | [[File:SSH_putty_key_generator_2.png|none|PuttyGen 2nd step]]
| |
− | | |
− | | |
− | Then, save your keys!
| |
− | You should be the only one to access the save location.
| |
− | | |
− | | |
− | | |
− |
| |
− | | |
− | =Fail2ban=
| |
− | | |
− | see [[Fail2ban#SSH_configuration]]
| |
− | | |
− | | |
− | | |
− | | |
− | | |
− | =SSH client=
| |
− | | |
− | | |
− | ==Linux==
| |
− | | |
− | ===Standard login===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # syntax
| |
− | ssh user@server -p portNumber
| |
− | | |
− | # example
| |
− | ssh root@daxiongmao.eu -p 4422
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Using RSA key===
| |
− | | |
| | | |
| | | |
Line 364: |
Line 73: |
| | | |
| [[File:Putty_SSH_access_4.png|none|Putty SSH login step 4]] | | [[File:Putty_SSH_access_4.png|none|Putty SSH login step 4]] |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =References=
| |
− |
| |
− |
| |
− | Source:
| |
− | * Public / private key theory: http://en.wikipedia.org/wiki/Public_Key_Cryptography
| |
− | * http://www.howtoforge.com/ssh_key_based_logins_putty
| |
− |
| |
− |
| |
− | Windows - putty software: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
| |
− |
| |
− |
| |
− | How to transform a SSH key into Windows Putty: http://meinit.nl/using-your-openssh-private-key-in-putty
| |