Installation of ssh server
From Erlands Wiki
This post describes how to install an ssh server. If you are installing a simple desktop, you can safely ignore this post.
Installation
To install the ssh server you simply run: sudo apt-get install openssh-server
Security overview
If you feel the standard security settings are safe enough, you can stop now and continue with the installation of other services; otherwise continue and set up the ssh server so that:
- 1. Login with username/password is disabled
- 2. The user must have a valid certificate/key to log in
- 3. Only specified IP addresses are allowed to log in
- 4. Only users who belong to the users_ssh group are allowed to log in
The following chapter describes how to do this.
Secure the installed ssh server
- 1. sudo groupadd users_ssh
- 2. sudo vi /etc/ssh/sshd_config
- 3. Make sure it contains the following, else change it:
PermitRootLogin no
PasswordAuthentication no
AllowGroups users_ssh
- 4. Save and exit
- 5. Create a new file /etc/pam.d/common-deny that contains the following information
#
# /etc/pam.d/common-deny - always deny
#
auth required pam_deny.so
- 6. sudo chown root:root /etc/pam.d/common-deny
- 7. sudo chmod +x /etc/pam.d/common-deny
- 8. sudo vi /etc/pam.d/ssh
- 9. Change the line:
@include common-auth
- To
@include common-deny
#@include common-auth
- 10. sudo vi hosts.deny
- 11. Make sure the following line exists, else add it:
ALL: ALL
- The above makes sure that only hosts listed in hosts.allow will be able to log in with ssh
- 12. Save and exit
- 13. sudo vi hosts.allow
- 14. Note! 192.168.0.0/255.255.255.0 is the local subnet; you will have to change this to match the local subnet in your own setup.
- Add the line:
sshd : 127.0.0.1,192.168.0.0/255.255.255.0
- 15. Save and exit
- 16. sudo /etc/init.d/ssh restart
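Before restarting, it is worth checking that the three settings from step 3 are actually the ones sshd will use. The script below is an added example and not part of the original wiki page; it reads an sshd_config and reports which of the required directives are missing or wrong. It mirrors two sshd parsing rules that trip people up: for each keyword the first value found wins (a stray earlier `PasswordAuthentication yes` beats a later `no`), and anything after a `Match` line is conditional and does not count as the global value. The sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit sshd_config for the settings
# the page requires. Keyword matching is case-insensitive, comments are
# stripped, the first value of a keyword wins, and parsing stops at "Match".

# sshd_setting FILE KEYWORD -> prints the effective global value (all arguments)
sshd_setting() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 1 && tolower($1) == "match" { exit }  # rest is conditional
        NF >= 2 && tolower($1) == tolower(key) {
            v = $2; for (i = 3; i <= NF; i++) v = v " " $i
            print v; exit                        # first occurrence wins
        }' "$1"
}

# check_sshd_config FILE -> 0 if all required settings are in effect, else 1
check_sshd_config() {
    f="$1"; rc=0
    [ "$(sshd_setting "$f" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_setting "$f" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    case " $(sshd_setting "$f" AllowGroups) " in
        *" users_ssh "*) ;;
        *) echo "AllowGroups does not list users_ssh"; rc=1 ;;
    esac
    return $rc
}

# Demo on two constructed sample files (not real system configs).
good=$(mktemp); bad=$(mktemp)
printf 'Port 22\npermitrootlogin no  # case-insensitive\nPasswordAuthentication no\nAllowGroups admins users_ssh\n' > "$good"
printf 'PasswordAuthentication yes\nPermitRootLogin no\nPasswordAuthentication no\nAllowGroups users_ssh\n' > "$bad"
if check_sshd_config "$good"; then echo "sample 1: OK"; else echo "sample 1: FAIL"; fi
if check_sshd_config "$bad";  then echo "sample 2: OK"; else echo "sample 2: FAIL"; fi
rm -f "$good" "$bad"
```

Run it as `sh check.sh` after pointing `check_sshd_config` at /etc/ssh/sshd_config; sample 1 passes and sample 2 fails because the earlier `PasswordAuthentication yes` is the value sshd would use.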
Configuring a user so he/she can connect to the ssh server
- 1. mkdir ~/.ssh
- 2. Generate a new key/certificate by running: ssh-keygen -t dsa
- The key generation can also be done with PuTTY if you want to do it on Windows. Note that it is extremely important that you never give the private key to someone else or put it where someone else could read it. For the same reason it is also recommended that you specify a passphrase when asked for one during the key generation.
- 3. You will need the private key generated in the previous step on the client computer that should access the server. If the client is a Linux machine, save the private key to ~/.ssh/identity on your client machine.
- 4. vi ~/.ssh/authorized_keys2
- 5. Add the public key to this file, then save and exit. The public key is by default stored in ~/.ssh/id_dsa.pub; it should look something like the following (with different characters, of course):
ssh-dss QJKLDAJSLKj739824hkjhald8971289e31qhssiuhy98731923yu192== mycomputer
- 6. chmod -R og-rwx ~/.ssh
- 7. sudo addgroup xxx users_ssh (Where xxx is your user name)
Verification of installation
Finally, I suggest that you verify that your ssh installation works as it should by trying these steps:
- 1. Try to log in from a client without using a private key but with your correct username/password. If this succeeds, something is not working correctly.
- 2. Try to log in from a client using the wrong private key but with your correct username/password. If this succeeds, something is not working correctly.
- 3. Try to log in from a client using the correct private key but specifying the username of a user who does not belong to the users_ssh group. If this succeeds, something is not working correctly.
- 4. Try to log in from a client outside the networks specified in the hosts.allow file with the correct private key. If this succeeds, something is not working correctly.
- 5. Finally, try to log in with a user who belongs to the users_ssh group from a client on the subnets specified in hosts.allow, with the correct private key and username. This should succeed; if it doesn't, something is not working correctly.
