all repos — www @ bd9f9a7d8331731ab93cf143a826654a21bf1ec1

deserthorns.net content + generator

wiki/pages/ssh.html

{{ define "styles" }}
{{ end }}

{{ define "content" }}
<h1>SSH</h1>

<p>
    The information provided on this page assumes you are using <code>sshd</code> as the SSH server on a Linux machine.
</p>

<h2>Config</h2>

<p>
    <code>sshd</code> is configured using the <code>sshd_config</code> file, typically located in <code>/etc/ssh/</code>.
</p>

<h2>Hardening SSH access</h2>
<p>
    Generally, using private key authentication for SSH is preferred instead of password authentication. To disable password auth, add/uncomment the following line in <code>sshd_config</code>, save, and restart <code>sshd</code>:
</p>
<pre>PasswordAuthentication no</pre>
<p>
    Even with password auth disabled, it is still a good idea to disable root login over SSH: you should set up a non-root user and use that user to log in. To disable root login over SSH, add/uncomment the following line in <code>sshd_config</code>, save, and restart <code>sshd</code>:
</p>
<pre>PermitRootLogin no</pre>

<h2>SSH key-based authentication</h2>
<p>First, generate a key on the local machine:</p>
<pre>ssh-keygen</pre>
<p>You can provide a path for the file containing the new key. It can be useful to give the file a distinct name so you are not using the same key for multiple systems. That said, it is advisable to keep the path the same (typically <code>~/.ssh/</code>), since most tools that use SSH look in that directory for keys by default.</p>
<p>You can optionally provide a passphrase. This passphrase (if provided) will need to be entered at every login.</p>
<p>Now that the key has been generated, it needs to be copied to the server. Many online guides will cover using <code>ssh-copy-id</code> to do just this. However, <code>ssh-copy-id</code> only works if password authentication is enabled on the remote machine, and password authentication should be disabled to harden SSH access against attacks.</p>
<aside>That said, you could absolutely use <code>ssh-copy-id</code> with password authentication still enabled, as long as your remote user has a strong password and you make sure to disable password authentication after key-based authentication is set up.</aside>
<p>Instead, we will need to copy the new key to the remote machine manually. This requires access to the remote machine, likely via another local machine already configured for SSH access.</p>
<p>Copy the newly-generated public key (contained in the <code>.pub</code> file generated when you ran <code>ssh-keygen</code>) from the local machine. Then log into the remote machine and paste the public key into the <code>~/.ssh/authorized_keys</code> file and save.</p>
<p>Now the new key can be used to SSH into the remote machine. If your key was generated using the default name of <code>id_rsa</code>, the following should work:</p>
<pre>ssh &lt;USER&gt;@&lt;REMOTE_HOST&gt;</pre>
<p>If a different name was chosen for the key file (e.g. <code>my-server</code>), use the <code>-i</code> ("identity") flag to indicate which key file to use:</p>
<pre>ssh -i ~/.ssh/my-server &lt;USER&gt;@&lt;REMOTE_HOST&gt;</pre>
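<p>An added example (not part of this wiki page and not OpenSSH's own tooling) covering both the hardening section and the manual key copy above: a POSIX shell script that reports which <code>PasswordAuthentication</code> and <code>PermitRootLogin</code> values <code>sshd</code> will actually apply from a given <code>sshd_config</code> (the first matching directive wins, so a line appended at the bottom can be ignored) and appends a public key to <code>authorized_keys</code> with the permissions <code>sshd</code> expects. The sample config is constructed and the function names are my own.</p>

```shell
#!/bin/sh
# Added example (not from the wiki page). sshd applies the FIRST matching
# directive in sshd_config; later duplicates and anything inside a Match
# block do not override it, so a hardened line appended at the bottom can be
# silently ignored. `sshd -T` prints the effective config; this is a cross-check.
set -f   # no filename globbing while we word-split config lines
# Effective value of KEYWORD in CONFIG: first match wins, keyword is case-
# insensitive, stop at the first Match block. Does not follow Include lines.
sshd_effective() {
    config=$1
    keyword=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}                   # strip comments, split on whitespace
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        if [ "$key" = match ]; then break; fi    # Match settings are conditional
        if [ "$key" = "$keyword" ]; then printf '%s\n' "$2"; return 0; fi
    done < "$config"
    return 1                                 # unset: sshd's built-in default applies
}

# The two directives the page hardens; returns 0 only if both are "no".
check_hardening() {
    pw=$(sshd_effective "$1" PasswordAuthentication || echo yes)           # sshd default
    root=$(sshd_effective "$1" PermitRootLogin || echo prohibit-password)  # sshd default
    status=ok
    [ "$pw" = no ]   || { echo "PasswordAuthentication is '$pw' (want no)"; status=weak; }
    [ "$root" = no ] || { echo "PermitRootLogin is '$root' (want no)"; status=weak; }
    [ "$status" = ok ]
}

# The manual copy step, with the permissions sshd's StrictModes expects
# (0700 ~/.ssh, 0600 authorized_keys); safe to re-run.
install_pubkey() {
    keys_dir=$1/.ssh
    mkdir -p "$keys_dir" && chmod 700 "$keys_dir"
    touch "$keys_dir/authorized_keys" && chmod 600 "$keys_dir/authorized_keys"
    grep -qxF -e "$(cat "$2")" "$keys_dir/authorized_keys" || cat "$2" >> "$keys_dir/authorized_keys"
}

# Constructed sample: the admin appended the hardened line, but the earlier
# "yes" from the package defaults is what sshd actually uses.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
PasswordAuthentication yes
#PermitRootLogin prohibit-password
PermitRootLogin no
# added by the admin, but the earlier "yes" above still wins:
PasswordAuthentication no
EOF
if check_hardening "$SAMPLE_CFG"; then echo hardened; else echo "fix $SAMPLE_CFG"; fi
```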
{{ end }}

{{ define "scripts" }}
{{ end }}