Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Next revisionBoth sides next revision
en:linux:ssh [2023/10/18 20:46] – gelöscht psycoreen:linux:ssh [2024/02/05 15:49] – old revision restored (2024/01/24 11:23) psycore
Line 1: Line 1:
 +{{tag>english linux debian sshd it-security}}
 +====== Backing up the sshd ======
  
 +The pre-installed SSH daemon (sshd) is insecure in the basic configuration. To ensure greater protection, it is necessary to integrate a [[wpde>Asymmetrisches_Kryptosystem|to integrate key authentication]].
 +
 +
 +===== Generate key pair =====
 +
 +Firstly, we create a key pair under Linux:
 +
 +<code bash>
 +$ ssh-keygen -t rsa -b 4096
 +Generating public/private rsa key pair.
 +Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa
 +Enter passphrase (empty for no passphrase):
 +Enter same passphrase again:
 +Your identification has been saved in /home/user/.ssh/id_rsa.
 +Your public key has been saved in /home/user/.ssh/id_rsa.pub.
 +The key fingerprint is:
 +35:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42
 +</code>
 +**Be sure to enter a password, otherwise you can access the server simply by possessing the private key!**
 +
 +We rename id_rsa.pub to authorised_keys and download id_rsa locally to the computer. **It is important to delete id_rsa securely afterwards!** (If necessary, install wipe with //apt-get install wipe//)
 +
 +<code bash>$ wipe id_rsa
 +Okay to WIPE 1 regular file ? (Yes/No) yes
 +Operation finished.
 +1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.</code>
 +
 +We repeat the process with all users who should have access to the sshd.
 +
 +Set modes:
 +
 +<code bash>
 +chmod 0700 .ssh
 +chmod 0600 .ssh/authorized_keys
 +</code>
 +
 +===== Putty Private Key =====
 +
 +Now we download [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|puttygen.exe]] down. We open puttygen.exe and navigate in the menu to **Conversion / Import Key**. At this point, we select the generated private key that we have downloaded to our computer. Now add a suitable comment and we can click on **save private key** button.
 +
 +We will need this key with the .ppk extension to log in to putty later. **Never upload this key to the server!**
 +
 +
 +===== Login test =====
 +
 +Now we test whether the connection is established with the generated key. To do this, we open putty.exe and enter the host name as usual. Before we now click on **open** we switch to the left in the tree view to **Connection / SSH / Auth** and under **private key file for authentication** and enter the path to our ppk file. Now click on **open** button. If the login was successful, and without error message, we can completely deactivate the password authentication in our sshd.
 +
 +===== sshd configuration =====
 +
 +Now we edit the sshd configuration file <code text>/etc/ssh/sshd_config</code>
 +
 +<code text>
 +# Hier ist es sinnvoll einen Port oberhalb von 1024 zu nehmen
 +Port 22
 +
 +# Unbedingt Protokoll 2 verwenden!
 +Protocol 2
 +
 +# RSAAuthentication deaktivieren
 +RSAAuthentication no
 +
 +# PubkeyAuthentication aktivieren
 +PubkeyAuthentication yes
 +
 +# Don't read the user's ~/.rhosts and ~/.shosts files
 +IgnoreRhosts yes
 +
 +# Wollen wir nicht
 +RhostsRSAAuthentication no
 +HostbasedAuthentication no
 +PermitEmptyPasswords no
 +
 +# Wollen wir erst recht nicht
 +PasswordAuthentication no #UNBEDINGT AUSKOMMENTIEREN UND AUF NO SETZEN!!!!
 +ChallengeResponseAuthentication no
 +</code>
 +
 +===== Restart sshd =====
 +
 +<code bash>/etc/init.d/ssh restart</code>
 +
 +==== Hint ====
 +
 +The current SSH session is not closed. **To correct configuration errors, the current session should remain open until everything is working correctly!**