(3 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
− | =Installation=
| + | [[Category:Linux]] |
− | | |
− | By default Debian | Ubuntu doesn't include any SSH server.
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install ssh openssh-server
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | | |
− | =SSH server configuration=
| |
− | | |
− | | |
− | Edit the configuration file:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/ssh/sshd_config
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==X11 forwarding==
| |
− | | |
− | In the configuration file, uncomment and set:
| |
− | <syntaxhighlight lang="bash">
| |
− | ForwardAgent yes
| |
− | ForwardX11 yes
| |
− | ForwardX11Trusted yes
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | '''Enable | Disable the forwarding:'''
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # This server doesn’t have a XServer. Therefore do not forward graphical data.
| |
− | X11Forwarding no
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Port(s) number==
| |
− | | |
− | You can listen on multiple port. Just do the following:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | Port 22
| |
− | Port 2200
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Security psycho mode:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # The default port SSH is 22. You may want to change that port to another one so your server will be more discreet.
| |
− | # NB: if your server is hosted the provider might need access for maintenance purposes.
| |
− | Port XXXXX
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Banner==
| |
− | | |
− | Source: https://help.ubuntu.com/community/StricterDefaults#SSH_Welcome_Banner
| |
− | | |
− | > To enable login messages uncomment the following line in "/etc/ssh/sshd_config"
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | Banner /etc/issue.net
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Then, create / update the "/etc/issue.net" file:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/issue.net
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | The following example is taken from the Advanced OpenSSH page:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | ***************************************************************************
| |
− | NOTICE TO USERS
| |
− | | |
− | | |
− | This computer system is the private property of its owner, whether
| |
− | individual, corporate or government. It is for authorized use only.
| |
− | Users (authorized or unauthorized) have no explicit or implicit
| |
− | expectation of privacy.
| |
− | | |
− | Any or all uses of this system and all files on this system may be
| |
− | intercepted, monitored, recorded, copied, audited, inspected, and
| |
− | disclosed to your employer, to authorized site, government, and law
| |
− | enforcement personnel, as well as authorized officials of government
| |
− | agencies, both domestic and foreign.
| |
− | | |
− | By using this system, the user consents to such interception, monitoring,
| |
− | recording, copying, auditing, inspection, and disclosure at the
| |
− | discretion of such personnel or officials. Unauthorized or improper use
| |
− | of this system may result in civil and criminal penalties and
| |
− | administrative or disciplinary action, as appropriate. By continuing to
| |
− | use this system you indicate your awareness of and consent to these terms
| |
− | and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
| |
− | conditions stated in this warning.
| |
− | | |
− | ****************************************************************************
| |
− | </syntaxhighlight>
| |
− | | |
− | Once this is in place, restart sshd and all users will see this warning before they get the login prompt. This will obviously not dissuade automated SSH attacks, and will potentially worsen DoS effects, but it may tip off a human attacker that the system is being looked after closely, and that they should move on to some other system on the network
| |
− | | |
− | | |
− | ==Restart SSH server==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/ssh restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | | |
− | =Security=
| |
− | | |
− | | |
− | ==Firewall==
| |
− | | |
− | See [[Firewall#SSH]]
| |
− | | |
− | | |
− | ==Fail2ban==
| |
− | | |
− | see [[Fail2ban#SSH_configuration]]
| |
− | | |
− | | |
− | | |
− | | |
− | | |
− | =SSH server configuration - Authentication by Linux user login / password=
| |
− | | |
− | ==Principle==
| |
− | | |
− | This is the default authentication system.
| |
− | | |
− | | |
− | Each user that has a '''local account on the server''' and member is allowed to access the SSH server with its login / password.
| |
− | | |
− | [[File:SSH server default auth.png|none|SSH default authentication system]]
| |
− | | |
− | | |
− | | |
− | ==Configuration changes==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/ssh/sshd_config
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Protocol and password enforcement===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | Protocol 2 # only use SSH v2
| |
− | PermitRootLogin no # Avoid root connections
| |
− | PermitEmptyPassword no # Forbidden user with empty passwords
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Login time===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # Time to log
| |
− | LoginGraceTime 30
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Restart SSH server==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/ssh restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | | |
− | | |
− | =SSH server configuration - Authentication with RSA keys=
| |
− | | |
− | | |
− | ==Introduction==
| |
− | | |
− | If you’d like to increase the authentication process you can use authentication by private/public key.
| |
− | * Generate new private / public keys on your own computer
| |
− | * Put the public key on the remote SSH server
| |
− | * Only the person with the private key can be authenticate on the server
| |
− | | |
− | | |
− | [[File:SSH_server_RSA_keys.png|none|SSH RSA authentication]]
| |
− | | |
− | | |
− | | |
− | For instance, this is how hosting company such as OVH can log on your system.
| |
− | | |
− | | |
− | | |
− | '''Security improvement: remove password authentication'''
| |
− | | |
− | When the key authentication is working you can remove the default access by login / password.
| |
− | Then, only people with a valid private/public key pair can log in.
| |
− | | |
− | That way, there is no way for brute-force attacks to be successful, so your system is more secure.
| |
− | | |
− | | |
− | | |
− | ==Declare the public key on the server==
| |
− | | |
− | | |
− | You have to:
| |
− | * '''log in''' to your SSH server with the '''user that’s gonna use this key'''
| |
− | * Go to '''user's home''' directory
| |
− | * Create a '''.ssh''' folder (if there was none before).
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd ~
| |
− | mkdir .ssh
| |
− | cd .ssh
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Add the new ''public'' key to the list of allowed keys:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim authorized_key
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Prefix your key with:
| |
− | * RSA: ssh-rsa
| |
− | * DSA: ssh-dss
| |
− | | |
− | Then paste the public key in one line - the public key mustn't be change or separated in 2 lines!
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # Example:
| |
− | ssh-rsa AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
| |
− | ssh-dss AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Adjust file rights, the ''authorized_keys'' file must be write/readable only by that user
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | chmod 640 authorized_keys
| |
− | cd ..
| |
− | chmod 700 .ssh
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Configuration changes==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/ssh/sshd_config
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Allow empty password===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | PermitEmptyPassword yes # allow empty password in favor of RSA keys
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ===Do not allow password authentication===
| |
− | | |
− | Once you've checked that the key authentication is working you can disable the standard authentication with password. :) With that option enabled all brute-force attacks will failed.
| |
− | | |
− | '''!!BE CAREFUL !!'''
| |
− | | |
− | Once that setting is enable there is no rolling back from it. You might get kicked for good from your own server.
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | PermitEmptyPassword yes # That must be set to YES
| |
− | PasswordAuthentication no # Do not allow standard login + password anymore. Only key authentication is allowed.
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Restart SSH server==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/ssh restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | | |
− | | |
− | =SSH server - Authentication using LDAP server=
| |
− | | |
− | Requirement: [[LDAP server]]
| |
− | | |
− | | |
− | ==Principle==
| |
− | | |
− | The idea is to use a LDAP server to manage users and groups to ease the maintenance and administration.
| |
− | | |
− | * Only 1 group of users is allowed to connect
| |
− | | |
− | * Access can be dynamically and easily granted
| |
− | | |
− | | |
− | [[File:SSH_server_LDAP_user.png|none|SSH LDAP server authentication]]
| |
− | | |
− | | |
− | | |
− | ==Configuration==
| |
| | | |
− |
| |
− | !! TO BE DONE !!
| |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =How-to generate private / public keys=
| |
− |
| |
− |
| |
− | ==Linux==
| |
− |
| |
− | ===Create key===
| |
− |
| |
− | 1. Log-in with the user you want to use.
| |
− |
| |
− |
| |
− | 2. Generate a pair of authentication keys.
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | # Generating public/private rsa key pair
| |
− | ssh-keygen -t rsa
| |
− | </syntaxhighlight>
| |
− |
| |
− | >> Enter file in which to save the key: /home/''user''/'''.ssh'''/id_rsa
| |
− |
| |
− | Log sample:
| |
− | <syntaxhighlight lang="bash">
| |
− | Created directory '/home/a/.ssh'.
| |
− | Enter passphrase (empty for no passphrase):
| |
− | Enter same passphrase again:
| |
− | Your identification has been saved in /home/a/.ssh/id_rsa.
| |
− | Your public key has been saved in /home/a/.ssh/id_rsa.pub.
| |
− | The key fingerprint is:
| |
− | 3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | '''Summary'''
| |
− |
| |
− | * id_rsa == private key
| |
− | * id_rsa.pub == public key
| |
− |
| |
− |
| |
− | ===Convert OpenSSH key to Windows Putty===
| |
− |
| |
− | See: http://meinit.nl/using-your-openssh-private-key-in-putty
| |
− |
| |
− |
| |
− | ==Windows==
| |
− |
| |
− | You can generate private / public keys with '''PuttyGen''' = Putty key generator.
| |
− |
| |
− |
| |
− | [[File:SSH_putty_key_generator.png|none|puttyGen first step]]
| |
− |
| |
− |
| |
− | When the keys are OK, you have to enter a key pass-phrase. Your pass-phrase must be:
| |
− | * long (> 15 characters)
| |
− | * hard to guess
| |
− | * with letters + signs + numbers
| |
− |
| |
− |
| |
− | '''Reminder'''
| |
− |
| |
− | how to choose your passphrase and protect it: http://www.alcf.anl.gov/resource-guides/user-authentication-policies
| |
− |
| |
− |
| |
− | [[File:SSH_putty_key_generator_2.png|none|PuttyGen 2nd step]]
| |
− |
| |
− |
| |
− | Then, save your keys!
| |
− | You should be the only one to access the save location.
| |
− |
| |
− |
| |
− |
| |
− |
| |
| | | |
| =SSH client= | | =SSH client= |
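Review bot: the removed "Allow empty password" and "Do not allow password authentication" blocks carry a misspelled and dangerous directive, "PermitEmptyPassword yes": the sshd_config option is "PermitEmptyPasswords" (plural), and enabling it is not needed for key authentication, so if this server material is being moved to another page rather than dropped it should go with "PermitEmptyPasswords no", as the "Protocol and password enforcement" block already intends, next to "PasswordAuthentication no". The same applies to the removed "X11 forwarding" subsection: "ForwardAgent", "ForwardX11" and "ForwardX11Trusted" are client-side ssh_config options with no effect in sshd_config, where the server-side switch is the "X11Forwarding" line shown just below them. Two smaller fixes in the key section: "vim authorized_key" should read "vim authorized_keys" (the file name the later "chmod 640 authorized_keys" line uses), and "chmod 600 authorized_keys" matches the stated intent that the file be readable only by that user, since 640 leaves it group-readable.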
Line 427: |
Line 34: |
| * '''-i''' ''myFile'' = the private key you have to use | | * '''-i''' ''myFile'' = the private key you have to use |
| * '''-p''' ''port'' = specific port number (if not default 22) | | * '''-p''' ''port'' = specific port number (if not default 22) |
| + | |
| + | |
| + | |
| + | ===X11 forwarding=== |
| + | |
| + | <syntaxhighlight lang="bash"> |
| + | ssh -X guillaume@nuc-media-center |
| + | </syntaxhighlight> |
| + | |
| + | |
| + | ♦ Note that the remote computer have X11 installed and X11 applications. |
| | | |
| | | |
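Review bot: the added X11 forwarding example needs its server-side prerequisite stated next to it: "ssh -X" only works when the remote sshd has "X11Forwarding yes" in /etc/ssh/sshd_config, and the server section removed in the same edit explicitly set "X11Forwarding no", so the closing note should say the remote host must allow X11 forwarding as well as "have X11 installed and X11 applications" (also fixing "the remote computer have" to "must have"). It is worth saying that "-X" requests untrusted forwarding, while the removed client-side "ForwardX11Trusted yes" setting would turn it into trusted forwarding, so the page should state which behaviour is intended. The "♦" bullet should be a wiki "*" item like the options listed above it.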
Line 455: |
Line 73: |
| | | |
| [[File:Putty_SSH_access_4.png|none|Putty SSH login step 4]] | | [[File:Putty_SSH_access_4.png|none|Putty SSH login step 4]] |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =References=
| |
− |
| |
− |
| |
− | Source:
| |
− | * Public / private key theory: http://en.wikipedia.org/wiki/Public_Key_Cryptography
| |
− | * http://www.howtoforge.com/ssh_key_based_logins_putty
| |
− |
| |
− |
| |
− | Windows - putty software: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
| |
− |
| |
− |
| |
− | How to transform a SSH key into Windows Putty: http://meinit.nl/using-your-openssh-private-key-in-putty
| |
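Review bot: removing the whole "References" section drops the PuTTY download link while this page still documents the PuTTY client (the "Putty SSH login step 4" figure stays in the context lines above), so that link should remain here; the meinit.nl conversion link is also cited in the removed "Convert OpenSSH key to Windows Putty" section and should follow that section to wherever the server and key-generation material has moved, together with the public/private key theory and howtoforge links that back it.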