SSH Logins and Login Security

Especially for Linux (Ubuntu)


Set Up SSH

Create server .ssh directory

mkdir ~/.ssh/
chmod 700 ~/.ssh

Generate keys – Windows/PuTTYGen

  1. Download PuTTYGen
  2. Generate key (SSH-2 RSA/2048) – enter a password and comment if desired (no password for automatic login)
  3. Save private key: filename.ppk
  4. Save public key (PuTTY format): filename
  5. Save public key (SSH format):
    1. Open Notepad
    2. Copy the public key listed under Public key for pasting into OpenSSH authorized_keys file:
       == Comment
    3. Save as
  6. Copy to server /home/user/.ssh folder using ftp/sftp/ssh

Generate keys – Linux

  1. Create key pair
    ssh-keygen -t rsa -C "[email protected] or other comment"
  2. Save keys to /home/user/.ssh
    Enter file in which to save the key (/home/demo/.ssh/id_rsa): /home/user/.ssh/filename
  3. Create passphrase if necessary (no passphrase if automatic login is desired)

Add keys to server

  1. Create the server authorized_keys file and append the public key to it (the key file is the one saved above, which ssh-keygen writes as filename.pub)
touch ~/.ssh/authorized_keys
cat ~/.ssh/filename.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys


Logging In

Change the PuTTY/KiTTY config to use the private key

  • Connection > Data > Login details > Auto-login username: YourUserName
  • Connection > Data > Login details > Auto-login password: YourUserPassword
  • Connection > SSH > Auth > Authentication parameters > Private key file for authentication: C:\YourLocation\filename.ppk


Securing SSH

Edit ssh config

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
sudo nano /etc/ssh/sshd_config

Options and recommendations

PermitRootLogin
  • Allow users to log in through ssh as root
  • Default yes
  • Prefer no (must configure a user in group sudoers other than root for the server: see how at 1, 2)
  • Prefer without-password if the user requires root login with a key
PasswordAuthentication
  • Allow users to use passwords to log in (unnecessary if keys are present)
  • Default yes
  • Prefer no
UsePAM
  • Allow the system to override sshd configurations with specified PAM files (example: username exists in /etc/sshd/ssh.allow, so sshd allows login)
  • Default yes
  • Prefer no (for basic servers)
AllowUsers UserName
  • Allows only the listed users
  • Default none
  • Prefer YourUserName (add AllowUsers UserName to the bottom of the sshd config file)

Restart ssh with changes

sudo reload ssh


Create new user, copy keys, and lock down ssh


#!/bin/sh
# Run as root on the server; the new user's name is passed as the first argument
username="$1"

addgroup admin
adduser "$username"
usermod -a -G admin "$username"

# Give the new user the same authorized keys, with the permissions sshd expects
mkdir -p "/home/$username/.ssh/"
cp ~/.ssh/authorized_keys "/home/$username/.ssh/authorized_keys"
chmod -R 750 "/home/$username"
chmod 700 "/home/$username/.ssh"
chmod 600 "/home/$username/.ssh/authorized_keys"
chown -R "$username:$username" "/home/$username/"

# Match the directive whether it is already set (yes / without-password) or still
# commented out as the shipped default (#PasswordAuthentication yes); a sed that
# only matches the uncommented form leaves a commented default untouched
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config

echo "AllowUsers $username" >> /etc/ssh/sshd_config

service ssh restart
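The audit below is an added example and not part of these notes: it reports the effective value of each setting recommended under Options and recommendations, treating commented lines as inert the way sshd does, so it catches a directive that a sed rewrote but left commented out. The sample config, the helper names and the defaults (taken from the notes) are assumptions.

```shell
#!/bin/sh
# Added example (not from the notes): audit an sshd_config for the recommended
# settings. sshd honours the first uncommented occurrence of a keyword; a line
# such as "#PasswordAuthentication yes" is only a comment showing the built-in
# default. Defaults below are the ones the notes state ("Default yes", AllowUsers none).

# effective_value FILE KEYWORD DEFAULT -> prints the first active value, else DEFAULT
effective_value() {
    val=$(awk -v k="$2" '
        /^[ \t]*(#|$)/ { next }          # blank lines and comments are inert
        tolower($1) == "match" { exit }  # settings after a Match block are conditional, not global
        tolower($1) == tolower(k) {      # keywords are case-insensitive; first match wins
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit
        }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE -> prints "KEYWORD=value OK|WEAK" per setting; returns 1 if any WEAK
audit_sshd_config() {
    rc=0
    for spec in PermitRootLogin:no:yes PasswordAuthentication:no:yes UsePAM:no:yes; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; default=${rest#*:}
        got=$(effective_value "$1" "$key" "$default")
        if [ "$got" = "$want" ]; then echo "$key=$got OK"; else echo "$key=$got WEAK"; rc=1; fi
    done
    users=$(effective_value "$1" AllowUsers "")
    if [ -n "$users" ]; then echo "AllowUsers=$users OK"; else echo "AllowUsers=(none) WEAK"; rc=1; fi
    return $rc
}

# Constructed sample: what a stock config looks like after a sed that matched only
# the uncommented form, leaving "#PasswordAuthentication no" still a comment
sample_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
PermitRootLogin no
#PasswordAuthentication no
UsePAM yes
AllowUsers demo
EOF
}

tmp=$(mktemp); sample_config "$tmp"
audit_sshd_config "$tmp" || echo "sshd_config needs attention"
rm -f "$tmp"
```

On the sample above the audit reports PasswordAuthentication=yes WEAK and UsePAM=yes WEAK; run it against /etc/ssh/sshd_config after editing to confirm the changes actually took effect.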


Add keys to DigitalOcean

For future server creation

  1. Open SSH Page
  2. Click Create a New SSH Key button
  3. Enter settings
    1. Name: name of private key (your server name, client computer, account name, etc.)
    2. Public SSH Key: Copy contents of public key (from PuTTY or your public key: cat ~/.ssh/
  4. Save


Read more: 1, 2, 3, 4, 5, 6, 7