sshd is the OpenSSH server process. It listens for incoming connections and acts as the server side of the SSH protocol: it handles user authentication, encryption, terminal sessions, file transfers, and tunneling.
To raise the security level of a server you need to do a few things:
- Create an RSA key pair
- Copy the public key to the remote server
- Configure the server to accept public-key authentication only (no passwords). DSA keys are disabled by default since OpenSSH 7.0, so use RSA or ed25519.
RSA Key management
As a first step we create our SSH key pair and set the permissions on it.
# Use -C (capital C) to attach a comment: it identifies your public key in the
# server's authorized_keys file when several keys are present.
# (-c, lower case, would instead try to change the comment of an existing key.)
ssh-keygen -t rsa -b 4096 -C "YOUR@EMAIL.COM"
# Fix permissions for security
chmod 0700 ~/.ssh
chmod 0600 ~/.ssh/id_rsa
chmod 0644 ~/.ssh/authorized_keys
You must protect the private key with a passphrase when ssh-keygen asks for one, and you must not forget it: once password login is disabled on the server, this key is the only way in. The passphrase is VERY IMPORTANT!
Next we copy our public key to the remote machine (ssh-copy-id appends it to ~/.ssh/authorized_keys for that user) and test the connection.
# Copy the public key
ssh-copy-id -p SSH_PORT username@IP_SERVER
# Connection test
ssh -p SSH_PORT username@IP_SERVER
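A check worth running on either machine before troubleshooting a refused key, as an added example that is not part of the original article: sshd's StrictModes (enabled in the configuration further down) rejects a ~/.ssh directory or authorized_keys file that is group- or world-writable, and the ssh client refuses a private key that anyone but its owner can read, so a key that was copied correctly can still fail for permission reasons alone. The script assumes GNU stat (-c), with a fallback to BSD stat (-f); the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original article: audit a ~/.ssh directory the way
# sshd's StrictModes and the ssh client check it. Assumes GNU stat (-c), with a
# fallback to BSD stat (-f); function names are the author's own.

# mode_of FILE -> the low three octal digits of its mode, e.g. 700 or 644
mode_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null)
    m=000$m                        # pad so short values still have three digits
    printf '%s' "${m#"${m%???}"}"  # keep only the last three (drops setuid/sticky)
}

# digit_writable OCTAL_DIGIT -> true when the write bit (2) is set
digit_writable() {
    case $1 in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# group_other_writable MODE -> true when group or others may write
group_other_writable() {
    g=${1#?}; g=${g%?}; o=${1#??}
    digit_writable "$g" || digit_writable "$o"
}

# check_ssh_perms DIR: print one line per problem, return 0 only if there is none
check_ssh_perms() {
    dir=$1; problems=0
    m=$(mode_of "$dir")
    if group_other_writable "$m"; then
        echo "$dir: mode $m is group/world writable (StrictModes rejects it); use chmod 0700"
        problems=$((problems + 1))
    fi
    if [ -f "$dir/authorized_keys" ]; then
        m=$(mode_of "$dir/authorized_keys")
        if group_other_writable "$m"; then
            echo "$dir/authorized_keys: mode $m is group/world writable; use chmod 0644"
            problems=$((problems + 1))
        fi
    fi
    # Private keys: any group/other bit at all makes the ssh client refuse the
    # key ("Permissions ... are too open"), so require exactly owner-only access.
    for k in "$dir"/id_*; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue ;; esac
        m=$(mode_of "$k"); g=${m#?}; g=${g%?}; o=${m#??}
        if [ "$g" != 0 ] || [ "$o" != 0 ]; then
            echo "$k: mode $m is too open for a private key; use chmod 0600"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage: sh check_ssh_perms.sh ~/.ssh
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

Run it as the user whose key is failing; the exit status is non-zero whenever something would be rejected, so it can sit in a provisioning pipeline next to ssh-copy-id.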
Set up openssh server
Before modifying /etc/ssh/sshd_config, back it up:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
A wrong change can lock you out of the remote machine, so work carefully and take your time. Keep the session you are editing from open until a new connection has been confirmed to work, and run sshd -t to check the syntax of the file before restarting the service.
To allow login by key only, edit /etc/ssh/sshd_config and modify or add the values below. Two of them, Protocol 2 and UsePrivilegeSeparation yes, are the defaults and are ignored as deprecated options by current OpenSSH releases (sshd logs a warning and carries on); they are harmless to keep.
# What ports, IPs and protocols we listen for
Port 65022
# Use these options to restrict which interfaces/protocols sshd will bind to
# IPv6 :: / IPv4 0.0.0.0
#ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
# prohibit-password instead of no would still let root log in, but only with a key
PermitRootLogin no
StrictModes yes

# Permit public-key authentication
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Save the file, check it with sshd -t, and restart sshd.service:
systemctl restart sshd.service
Then, from a second terminal and without closing the session you already have, open a new SSH connection to verify that your key works and that a password is no longer accepted.
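A verification step for the edited file, as an added example that is not the article's own code: for each keyword sshd uses the FIRST value it finds, so a hardened line appended after an existing "PasswordAuthentication yes", or after an Include directive that pulls such a line in from another file, silently loses. The awk reader below reproduces that rule for the global section of a config file (it stops at the first Match block and does not follow Include), and audit_sshd_config compares the result with the settings shown above; both function names are my own. On a live host, sshd -T remains the authoritative way to print the configuration sshd will actually use.

```sh
#!/bin/sh
# Added example, not from the original article: resolve sshd_config directives
# the way sshd does (first non-comment occurrence wins, keywords are
# case-insensitive) and audit the values this page hardens. Match blocks are
# conditional and are not evaluated; Include is not followed. Function names
# are the author's own.

# effective_value CONFIG KEYWORD -> the value sshd would use, or nothing if unset
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }                  # comment
        /^[ \t]*$/ { next }                  # blank line
        tolower($1) == "match" { exit }      # end of the global section
        tolower($1) == key {                 # first occurrence wins
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")  # strip the keyword, keep the value
            print; exit
        }' "$1"
}

# audit_sshd_config CONFIG: one line per directive whose effective value is not
# the hardened one; a missing directive counts as the OpenSSH default.
audit_sshd_config() {
    cfg=$1; failures=0
    # keyword, expected value, upstream default when the keyword is absent
    while read -r keyword expected default; do
        got=$(effective_value "$cfg" "$keyword")
        got=$(printf '%s' "${got:-$default}" | tr '[:upper:]' '[:lower:]')
        if [ "$got" != "$expected" ]; then
            echo "$keyword: effective value '$got', expected '$expected'"
            failures=$((failures + 1))
        fi
    done <<'EOF'
PasswordAuthentication no yes
PubkeyAuthentication yes yes
PermitRootLogin no prohibit-password
PermitEmptyPasswords no no
ChallengeResponseAuthentication no yes
X11Forwarding no no
EOF
    [ "$failures" -eq 0 ]
}

# Usage: sh audit_sshd_config.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

The classic failure this catches is a distribution or cloud-init file included near the top of sshd_config that sets PasswordAuthentication yes: the "no" added at the end of the main file is then never consulted, and the server keeps accepting passwords.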