Difference between revisions of "Secure Shell"

From Christoph's Personal Wiki
Jump to: navigation, search
(SSH without passwords)
Line 20: Line 20:
  
 
That's it! You are now free to log into your remote server without entering a password. This is useful for automating file transfers. However, it ''must'' be used with care. If not executed properly, it is a potential security risk.
 
That's it! You are now free to log into your remote server without entering a password. This is useful for automating file transfers. However, it ''must'' be used with care. If not executed properly, it is a potential security risk.
 +
 +
==SSH config file==
 +
''Note: See the [http://linux.die.net/man/5/ssh_config ssh_config (5) man page] for details.''
 +
 +
*Edit your SSH config file (<code>~/.ssh/config</code>) and add the following (example) lines:
 +
# contents of $HOME/.ssh/config
 +
Host dev
 +
    HostName dev.example.com
 +
    Port 22321
 +
    User bob
 +
 +
Host github
 +
    IdentityFile ~/.ssh/github.key
 +
 +
Now you can simply type:
 +
ssh dev
 +
to SSH into that <code>dev.example.com</code> remote host.
 +
 +
See: [http://nerderati.com/2011/03/simplify-your-life-with-an-ssh-config-file/ for more examples].
  
 
==Making SSH even more secure==
 
==Making SSH even more secure==

Revision as of 06:57, 6 February 2013

Secure Shell (or SSH) is a set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and (optionally) to allow the remote computer to authenticate the user.

SSH without passwords

  • Step 1: Generate keys (public and private) and leave passphrase blank if you want password-less logins:
ssh-keygen -t dsa
# ~Or~
ssh-keygen -t dsa -b 2048 -f /home/bob/my-key
  • Step 2: Copy public key to remote server (Important: Only the public key!):
scp ~/.ssh/id_dsa.pub username@remote-host:.ssh/authorized_keys
# ~OR~
ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote-host
  • Step 3: Set directory/file permissions (if not already set):
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
  • Step 4: Now, SSH into your remote server (password will be required the first time):
ssh username@remote-host

That's it! You are now free to log into your remote server without entering a password. This is useful for automating file transfers. However, it must be used with care. If not executed properly, it is a potential security risk.

SSH config file

Note: See the ssh_config (5) man page for details.

  • Edit your SSH config file (~/.ssh/config) and add the following (example) lines:
# contents of $HOME/.ssh/config
Host dev
    HostName dev.example.com
    Port 22321
    User bob

Host github
    IdentityFile ~/.ssh/github.key

Now you can simply type:

ssh dev

to SSH into that dev.example.com remote host.

See: for more examples.

Making SSH even more secure

Note: All of the following settings will be implemented in your /etc/ssh/sshd_config file.

  • Disable SSH protocol 1. Make sure no lines reads Protocol 1. If so, change it to:
Protocol 2
  • Enable key-based logins (see above for how to do this):
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
  • Disable password-based logins (Only do this if you first enable key-based logins!):
PasswordAuthentication no
  • Run on ports other than 22
Port 1717  # any free port above 1024

You will then need to point to this port when SSHing into your remote machine

ssh -p 1717 remote.machine
  • Disable root logins (Very important!):
PermitRootLogin no

Disable / deny brute force attacks

The following iptables rules should deny almost all brute force attacks on your firewall's port 22 (SSH port):

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

Todo

  • Access Your Local Subversion Repository from the Road
ssh -NfL 3690:127.0.0.1:3690 USER@64.3.10.24 -p6111

Then you can access the repository via

svn://127.0.0.1/YOUR-SVN-PATH
  • Secure Web Traffic when Traveling
ssh -D 9999 -p6111 USER@64.3.10.24

then go to Firefox's Preferences->Advanced->Network->Settings->Manual proxy settings with:

SOCKS Host: 127.0.0.1  Port: 9999
No proxy for: localhost, 127.0.0.1

See also

External links