
About SSHd

sshd is the OpenSSH server process. It listens for incoming connections using the SSH protocol and acts as the server side of the protocol. It handles user authentication, encryption, terminal connections, file transfers, and tunneling.

SSH security

To improve your security level you must do a few things.

  • Create RSA key
  • Copy RSA key to remote server
  • Set up your server to accept only RSA/DSA key authentication

RSA Key management

First, we create our SSH key and set its permissions.

# Comment the key with -C (uppercase) so you can identify your pubkey in the
# authorized_keys file when you work on the server. Lowercase -c only changes
# the comment of an existing key.
ssh-keygen -t rsa -b 4096 -C "YOUR@EMAIL.COM"

# Fix permission for security
chmod 0700 ~/.ssh
chmod 0600 ~/.ssh/id_rsa
chmod 0644 ~/.ssh/authorized_keys

Warning

You must use a passphrase when you generate your RSA key, and please don't forget it: it is VERY IMPORTANT!

Second, we copy our public key to the remote machine.

# Copy the public key (options go before the destination)
ssh-copy-id -p SSH_PORT username@IP_SERVER

# Connection testing
ssh -p SSH_PORT username@IP_SERVER

Set up openssh server

Warning

Before modifying your /etc/ssh/sshd_config, back it up by typing cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old

If you get the modification wrong you can lock yourself out of your remote machine.

So be careful when you work and take your time!

To enable login by DSA/RSA key you must modify your /etc/ssh/sshd_config. We modify or add these values:

  • PubkeyAuthentication
  • PasswordAuthentication
  • PermitRootLogin

# What ports, IPs and protocols we listen for
Port 65022

# Use these options to restrict which interfaces/protocols sshd will bind to IPv6 :: / IPv4 0.0.0.0
#ListenAddress ::
ListenAddress 0.0.0.0
# Legacy option: modern OpenSSH only speaks protocol 2 and ignores this line
Protocol 2

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Privilege separation is turned on for security
# (deprecated since OpenSSH 7.5, where separation became mandatory; the line only produces a warning there)
UsePrivilegeSeparation yes

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
# Can be set to prohibit-password if you want to allow root to connect with an RSA/DSA key.
# sshd_config does not accept trailing comments, so keep the comment on its own line.
PermitRootLogin no
StrictModes yes

# Permit Public Key & RSA authentification
PubkeyAuthentication yes

#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts
# similar for protocol version 2
HostbasedAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Save the file, check it with sshd -t (it prints nothing when the syntax is valid), then restart sshd.service by typing systemctl restart sshd.service.
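As an added example (not code from the original page), a small POSIX shell audit that reads an sshd_config the way sshd does and checks the directives this section changes; the two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an sshd_config for the
# directives this page hardens, resolving values the way sshd itself does:
# '#' lines are comments, keyword and value may be split by blanks or '=',
# keywords are case-insensitive, the FIRST occurrence of a keyword is the one
# sshd keeps, and the global section ends at the first "Match" line.

# sshd_effective FILE KEYWORD -> prints the effective global value ("" if unset)
sshd_effective() {
    awk -F '[ \t=]+' -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                 # strip indentation, re-split
        $0 == "" || $0 ~ /^#/ { next }         # blank or comment line
        tolower($1) == "match" { exit }        # conditional block: stop here
        tolower($1) == key { print $2; exit }  # first value wins
    ' "$1"
}

# sshd_audit FILE -> one line per directive; returns 1 if any value is not the
# hardened one. Unset counts as a finding because the page sets them explicitly.
sshd_audit() {
    rc=0
    for rule in PubkeyAuthentication=yes PasswordAuthentication=no \
                PermitEmptyPasswords=no PermitRootLogin=no,prohibit-password
    do
        key=${rule%%=*} want=${rule#*=}
        got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        case ",$want," in
            *",$got,"*) echo "ok    $key = $got" ;;
            *) echo "FAIL  $key = ${got:-<unset>} (expected: $want)"; rc=1 ;;
        esac
    done
    return $rc
}

# make_samples DIR: writes two constructed sshd_config files for the demo
make_samples() {
    printf '%s\n' 'Port 65022' 'PubkeyAuthentication yes' \
        '  PermitRootLogin = NO' 'PasswordAuthentication no' \
        'PermitEmptyPasswords no' 'Match User backup' \
        '    PasswordAuthentication yes' > "$1/good"
    printf '%s\n' '# left behind by an image-provisioning drop-in' \
        'PasswordAuthentication yes' 'PubkeyAuthentication yes' \
        '# too late: sshd keeps the first value it saw' \
        'PasswordAuthentication no' > "$1/bad"
}

d=$(mktemp -d) && make_samples "$d"
for f in good bad; do echo "== $f"; sshd_audit "$d/$f" || echo "-> $f is NOT hardened"; done
rm -rf "$d"
```

The "bad" sample shows why the first-value rule matters: a `PasswordAuthentication yes` left earlier in the file (or in an included drop-in) silently overrides the `no` you add below it.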

Success

Open a new SSH connection, while keeping your current session open, to verify that your key works.