Difference between revisions of "SSH Client"

(Created page with " =Installation= By default Debian | Ubuntu doesn't include any SSH server. <syntaxhighlight lang="bash"> apt-get install ssh openssh-server </syntaxhighlight> =Configu...")
 
Line 1: Line 1:
 
 
 
 
 
=Installation=
 
=Installation=
  
Line 13: Line 9:
  
  
=Configuration=
+
=SSH server configuration [basic]=
  
  
Line 57: Line 53:
 
# NB: if your server is hosted the provider might need access for maintenance purposes.
 
# NB: if your server is hosted the provider might need access for maintenance purposes.
 
Port XXXXX
 
Port XXXXX
 +
</syntaxhighlight>
 +
 +
 +
==Protocol and password enforcement==
 +
 +
<syntaxhighlight lang="bash">
 +
Protocol 2 # only use SSH v2
 +
PermitRootLogin no # Avoid root connections
 +
PermitEmptyPassword no         # Forbidden user with empty passwords
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 67: Line 72:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 +
 +
 +
==Restart SSH server==
 +
 +
<syntaxhighlight lang="bash">
 +
/etc/init.d/ssh restart
 +
</syntaxhighlight>
 +
 +
 +
 +
 +
=SSH server configuration [Advanced]=
 +
 +
 +
 +
=Fail2ban=
 +
 +
see [[Fail2ban#SSH_configuration]]
  
  
  
Restart SSH server:
 
#  /etc/init.d/ssh restart
 
 
Connection
 
Connection
  
Line 81: Line 102:
 
ssh votre_adresse_ip -p numeroDePort
 
ssh votre_adresse_ip -p numeroDePort
  
Advanced security
 
To increase the security here are some options:
 
#  vim /etc/ssh/sshd_config
 
 
Protocol 2 # only use SSH v2
 
PermitRootLogin no # Avoid root connections
 
PermitEmptyPassword no # Forbidden user with empty passwords
 
 
Security lock: Fail2ban
 
Security lock: Fail2ban
 
For more security you can also ban a remote IP after 6 trials:
 
# apt-get install fail2ban
 
 
Edit the configuration file
 
# vim /etc/fail2ban/jail.conf
 
 
Adjust:
 
 
  
  

Revision as of 10:24, 6 June 2014

Installation

By default Debian | Ubuntu doesn't include any SSH server.

apt-get install ssh openssh-server



SSH server configuration [basic]

Edit the configuration file:

vim /etc/ssh/sshd_config


X11 forwarding

In the configuration file, uncomment and set:

ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes


Enable | Disable the forwarding:

# This server doesn’t have a XServer. Therefore do not forward graphical data.
X11Forwarding no


Port(s) number

You can listen on multiple port. Just do the following:

Port 22
Port 2200


Security psycho mode:

# The default port SSH is 22. You may want to change that port to another one so your server will be more discreet.
# NB: if your server is hosted the provider might need access for maintenance purposes.
Port XXXXX


Protocol and password enforcement

Protocol 2			# only use SSH v2
PermitRootLogin no		# Avoid root connections
PermitEmptyPassword no	        # Forbidden user with empty passwords


Login time

# Time to log
LoginGraceTime 30


Restart SSH server

/etc/init.d/ssh restart



SSH server configuration [Advanced]

Fail2ban

see Fail2ban#SSH_configuration


Connection

Now you can perform SSH remote connections with any SSH client. Linux: ssh Windows: PuTTY (windows).

 Principle ssh votre_adresse_ip -p numeroDePort

Security lock: Fail2ban


Remote clients

$ ssh user@server -p portNumber

$ ssh -X user@server -p portNumber user@server ~ $ gnome-session


VNC Server (Linux desktop, ubuntu like)

installation

  1. apt-get install vino
  2. apt-get install dconf-tools


configuration $ vino-preferences $ dconf-editor

go to desktop > Gnome > Remote-access


  • Set the alternate port number
  • Disable background-feature (use too many bandwith)
  • Enable server
  • if prompt enabled, remote user must grant you access
  • Enable encryption
  • Enable the use of an alternative port (in order to use your own)
  • Set the vnc password










Execution /usr/lib/vino/vino-server



Authentication with RSA keys

Introduction

If you’d like to increase the authentication process you can use authentication by private/public key.  Generate new private / public keys on your own computer  Put the public key on the remote SSH server  Only the person with the private key can be authenticate on the server

 This is how hosting company can log on your system.

Then, when you’ve test it and everything is working, you can remove the default access by login / password.  Using key-based SSH logins, you can disable the normal username/password login procedure which means that only people with a valid private/public key pair can log in. That way, there is no way for brute-force attacks to be successful, so your system is more secure.

Source: http://www.howtoforge.com/ssh_key_based_logins_putty

Requirements – windows Download the following software: • PuTTY • PuTTYgen • Pageant http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Windows - Generate new private / public keys pair Start PuTTYgen


Create a 4096 bits key, DSA algorithm.


Then, click on generate When the keys are OK, you have to enter a key passphrase.  You passphrase must be long (> 15 characters), hard to guess, with letters + signs + numbers

 Reminder: how to choose your passphrase and protect it: http://www.alcf.anl.gov/resource-guides/user-authentication-policies

Then, save your keys! You should be the only one to access the save location.


Declare the public key on the server You have to log in to your SSH server with the standard user that’s gonna use this key. Go to your home directory, and create a .ssh folder (if there was none before).

  1. cd ~
  2. mkdir .ssh
  3. cd .ssh
  4. vim authorized_key2

Prefix your key with: RSA: ssh-rsa DSA: ssh-dss Then paste the public key into the file in one line!

Copy the text as shown on the previous image.

Example: ssh-rsa AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com ssh-dss AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com

Adjust file rights  The authorized_keys2 file must be write/readable only by that user

  1. chmod 600 authorized_keys2
  2. cd ..
  3. chmod 700 .ssh

Windows – configure PuTTY client

You have to configure your PuTTY SSH client with this new key.

Create profile

Auto-login



Attach private key


Save profile Go back to the main screen Session and save your changes.


Click on “open” to initialize connection.

Login procedure

 Type your passphrase on system request


Access is granted! 

Disable standard username / password login

Edit the configuration file

  1. vim /etc/ssh/sshd_config

Adjust the line:


to:



Restart SSH server:

  1. /etc/init.d/ssh restart

OVH server: root access

OVH requires a root access for maintenance. OVH uses a RSA key for authentication. You have to let the following settings: SSH port : 22 Root login : enable UsePam: yes


 Important If this access is removed then OVH will stop your server in case of DoS. More details: http://guide.ovh.com/InstallClefOVH