SSH Logins and Login Security

Especially for Linux (Ubuntu)

 

Go to top

Set Up SSH

Create server .ssh directory

mkdir ~/.ssh/
chmod 700 ~/.ssh

Generate keys – Windows/PuTTYGen

  1. Download PuTTYGen
  2. Generate key (SSH-2 SA/2048) – enter password and comment if desired (no password for automatic login)
  3. Save private key: filename.ppk
  4. Save public key (PuTTY format): filename
  5. Save public key (SSH format):
    1. Open Notepad
    2. Copy the public key listed under Public key for pasting into OpenSSH authorized_keys file: 
      ssh-rsa
 ...
 ...
 ...
 == Comment
    3. Save as filename.pub
  6. Copy filename.pub to server /home/user/.ssh folder using ftp/sftp/ssh

Generate keys – Linux

  1. Create key pair 
    ssh-keygen -t rsa -C "[email protected] or other comment"
  2. Save keys to /home/user/.ssh 
    Enter file in which to save the key (/home/demo/.ssh/id_rsa): /home/user/.ssh/filename
  3. Create passphrase if necessary (no passphrase if automatic login is desired)

Add keys to server

  1. Create and copy public key to server authorized_hosts file
touch ~/.ssh/authorized_keys
cat ~/.ssh/filename.pub ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

 

Go to top

Logging In

Change PuTTY/KiTTY config to user the private key

  • Connection > Data > Login details > Auto-login username: YourUserName
  • Connection > Data > Login details > Auto-login password: YourUserPassword
  • Connection > SSH > Auth > Authentication parameters > Private key file for authentication: C:\YourLocation\filename.ppk

 

Go to top

Securing SSH

Edit ssh config

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
sudo nano /etc/ssh/sshd_config

Options and recommendations

PermitRootLogin
  • Allow users to login through ssh as root
  • Default yes
  • Prefer no (must configure a user in group sudoers other than root for the server: see how at 1, 2)
  • Prefer without-password if user requires root login with key
PasswordAuthentication
  • Allow users to use passwords to log in (unnecessary if keys are present)
  • Default yes
  • Prefer no
UsePAM
  • Allow the system to override sshd configurations with specified PAM files (example: username exists in /etc/sshd/ssh.allow, so sshd allows login)
  • Default yes
  • Prefer no (for basic servers)
AllowUsers UserName
  • Allows only the listed users
  • Default none
  • Prefer YourUserName (add AllowUsers UserName to bottom of sshd config file)

Restart ssh with changes

sudo reload ssh
Go to top

Scripting

Create new user, copy keys, and lock down ssh

#!/bin/bash

username=YOUR_NAME_HERE
addgroup admin
adduser $username
usermod -a -G admin $username

mkdir -p /home/$username/.ssh/
cp ~/.ssh/authorized_keys /home/$username/.ssh/authorized_keys
chmod -R 750 /home/$username
chown -R $username:$username /home/$username/


sed -i 's/PermitRootLogin without-password/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config

echo "AllowUsers $username" >> /etc/ssh/sshd_config

service ssh restart

 

Go to top

Add keys to DigitalOcean

For future server creation

  1. Open SSH Page
  2. Click Create a New SSH Key button
  3. Enter settings
    1. Name: name of private key (your server name, client computer, account name, etc.)
    2. Public SSH Key: Copy contents of public key (from PuTTY or your filename.pub public key: cat ~/.ssh/filename.pub)
  4. Save

 

Read more: 1, 2, 3, 4, 5, 6, 7

 

Go to top
e837b10d2bf0053ecd0b470de7444e90fe76e6d010b5164694f1c9_640_internet-security