Differences

This shows you the differences between two versions of the page.

--- en:linux:ssh [2023/10/18 22:46] – gelöscht psycore
+++ en:linux:ssh [2024/02/05 16:49] (current) – old revision restored (2024/01/24 11:23) psycore
@@ Line 1: / Line 1: @@
+{{tag>english linux debian sshd it-security}}
+====== Backing up the sshd ======
+The pre-installed SSH daemon (sshd) is insecure in the basic configuration. To ensure greater protection, it is necessary to integrate a [[wpde>Asymmetrisches_Kryptosystem|to integrate key authentication]].
+===== Generate key pair =====
+Firstly, we create a key pair under Linux:
+<code bash>
+$ ssh-keygen -t rsa -b 4096
+Generating public/private rsa key pair.
+Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_rsa
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /home/user/.ssh/id_rsa.
+Your public key has been saved in /home/user/.ssh/id_rsa.pub.
+The key fingerprint is:
+:9f:6e:c2:46:62:09:2d:dc:dd:1e:79:cc:56:d9:2b root@v05-s42
+</code>
+**Be sure to enter a password, otherwise you can access the server simply by possessing the private key!**
+We rename id_rsa.pub to authorised_keys and download id_rsa locally to the computer. **It is important to delete id_rsa securely afterwards!** (If necessary, install wipe with //apt-get install wipe//)
+<code bash>$ wipe id_rsa
+Okay to WIPE 1 regular file ? (Yes/No) yes
+Operation finished.
+file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.</code>
+We repeat the process with all users who should have access to the sshd.
+Set modes:
+<code bash>
+chmod 0700 .ssh
+chmod 0600 .ssh/authorized_keys
+</code>
+===== Putty Private Key =====
+Now we download [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|puttygen.exe]] down. We open puttygen.exe and navigate in the menu to **Conversion / Import Key**. At this point, we select the generated private key that we have downloaded to our computer. Now add a suitable comment and we can click on **save private key** button.
+We will need this key with the .ppk extension to log in to putty later. **Never upload this key to the server!**
+===== Login test =====
+Now we test whether the connection is established with the generated key. To do this, we open putty.exe and enter the host name as usual. Before we now click on **open** we switch to the left in the tree view to **Connection / SSH / Auth** and under **private key file for authentication** and enter the path to our ppk file. Now click on **open** button. If the login was successful, and without error message, we can completely deactivate the password authentication in our sshd.
+===== sshd configuration =====
+Now we edit the sshd configuration file <code text>/etc/ssh/sshd_config</code>
+<code text>
+# Hier ist es sinnvoll einen Port oberhalb von 1024 zu nehmen
+Port 22
+# Unbedingt Protokoll 2 verwenden!
+Protocol 2
+# RSAAuthentication deaktivieren
+RSAAuthentication no
+# PubkeyAuthentication aktivieren
+PubkeyAuthentication yes
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# Wollen wir nicht
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords no
+# Wollen wir erst recht nicht
+PasswordAuthentication no #UNBEDINGT AUSKOMMENTIEREN UND AUF NO SETZEN!!!!
+ChallengeResponseAuthentication no
+</code>
+===== Restart sshd =====
+<code bash>/etc/init.d/ssh restart</code>
+==== Hint ====
+The current SSH session is not closed. **To correct configuration errors, the current session should remain open until everything is working correctly!**