Install and configure SSH server with key-based authentication
Installation
Update repositories and install.
sudo apt update
sudo apt install -y openssh-server
Check, enable and restart.
sudo systemctl status sshd
sudo systemctl enable sshd
sudo systemctl restart sshd
Check the connection on the client side.
ssh user@IP
Basic configuration
It is worth keeping an eye on the service log while you make changes, so that any mistake shows up immediately.
journalctl -u ssh.service -f
Back up the configuration file.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
Note: you can also put your settings in a file under the /etc/ssh/sshd_config.d/ directory. The default sshd_config includes that directory at the top, and for most options the first value sshd reads wins, so a file there overrides the defaults in /etc/ssh/sshd_config.
/etc/ssh/sshd_config
# Don't use port numbers 22 and 2222
Port 17133
# There are several values:
# inet (IPv4 only), inet6 (IPv6 only), any (IPv4 and IPv6)
AddressFamily inet
PermitEmptyPasswords no
PermitRootLogin no
# SSH protocol 1 is obsolete. Modern OpenSSH (7.6 and later) only speaks
# protocol 2 and treats this directive as deprecated; on older releases,
# check which protocols the server still accepts with:
# ssh -1 user@IP
# ssh -2 user@IP
Protocol 2
# Send a keepalive probe to the client every 5 minutes. The session is
# dropped once ClientAliveCountMax probes (default 3) go unanswered.
ClientAliveInterval 5m
# Restrict access to specific users and/or groups
AllowUsers bob alice
AllowGroups devops
# Limit the number of authentication attempts per connection; the connection is dropped after 3 failed attempts
MaxAuthTries 3
# Prevent port forwarding
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
Banner /etc/issue.net
Banner warning message
Warning banners provide a first line of defense and establish beyond a doubt that a hacker does not have authorization to connect. Seek the advice of legal counsel to ensure that the warning banner meets local requirements.
/etc/issue.net - use this file to display the warning message before login
/etc/motd - use this file to display the warning message after login
Create a warning message via the cowsay tool:
echo -e "your-warning-message" | cowsay | sudo tee /etc/issue.net
Output.
 _________________________________________
/ ALERT! You are entering a secured area! \
| Your IP, Login Time, and Username have  |
| been noted and have been sent to the    |
| server administrator! This service is   |
| restricted to authorized users only.    |
| All activities on this system are       |
| logged. Unauthorized access will be     |
| fully investigated and reported to the  |
\ appropriate law enforcement agencies.   /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
If necessary, you can add the same message to the /etc/motd file.
SSH Key Pair
Create SSH key pair (client side)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/nerd_rsa -C "add comment here"
Note: always use a strong passphrase. (The -V validity option only applies when signing certificates with -s; a plain key pair does not expire.)
Copy public key to the server (client side)
Copy the public key to the server. You can use the ssh-copy-id
command or manually copy the contents of the public key file to the ~/.ssh/authorized_keys
file on the server.
ssh-copy-id -i ~/.ssh/nerd_rsa.pub -p 17133 user@IP
Check the connection via the key.
ssh -i ~/.ssh/nerd_rsa -p 17133 user@IP
Allow public key authentication (server side)
/etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
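Before restarting, and from a session you keep open in case of lockout, it is worth confirming that the settings above (including the PubkeyAuthentication/PasswordAuthentication lines just shown) are actually in effect. The script below is an added example, not part of the original guide: it reads an `sshd -T` dump, which prints the resolved configuration as lowercase "key value" lines after sshd_config.d/ overrides are applied and time values are converted to seconds, and reports every mismatch against the hardened values. The STOCK_DUMP sample is constructed for offline demonstration.

```shell
# Added example: verify the effective sshd config against the hardening above.
# Real usage:  sudo sshd -t && sudo sshd -T | check_sshd_hardening

# Expected key/value pairs, taken from the sshd_config shown above.
# ClientAliveInterval 5m appears as 300 (seconds) in the dump.
EXPECTED="port 17133
addressfamily inet
permitemptypasswords no
permitrootlogin no
clientaliveinterval 300
maxauthtries 3
allowtcpforwarding no
gatewayports no
permittunnel no
x11forwarding no
pubkeyauthentication yes
passwordauthentication no"

# Reads an `sshd -T` dump on stdin, prints one FAIL line per mismatch and
# returns the number of mismatches (0 means the hardening is in effect).
# A key that is missing from the dump also counts as a mismatch.
check_sshd_hardening() {
  dump=$(cat)
  failures=0
  while read -r key want; do
    got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key is '${got:-unset}', expected '$want'"
      failures=$((failures + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return "$failures"
}

# Constructed dump resembling `sshd -T` on a stock install (not real output).
STOCK_DUMP="port 22
addressfamily any
permitemptypasswords no
permitrootlogin prohibit-password
clientaliveinterval 0
maxauthtries 6
allowtcpforwarding yes
gatewayports no
permittunnel no
x11forwarding yes
pubkeyauthentication yes
passwordauthentication yes"

printf '%s\n' "$STOCK_DUMP" | check_sshd_hardening || echo "mismatches: $?"  # prints 8
```

Run `sudo sshd -t` first: it validates the syntax of the config file, while `sshd -T` shows what the daemon will actually use after the restart.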
Restart.
sudo systemctl restart sshd
Configure the client
ssh_config
For more information, use the man pages: man 5 ssh_config
~/.ssh/config
Host remote
    Hostname 192.168.1.100
    Port 17133
    User digitalnerd
    # Use the key created above; without this line ssh only tries the default key names
    IdentityFile ~/.ssh/nerd_rsa
ssh remote
SSH agent to avoid typing passphrase
eval $(ssh-agent)
ssh-add ~/.ssh/nerd_rsa
Enter passphrase for /home/digitalnerd/.ssh/nerd_rsa:
Identity added: /home/digitalnerd/.ssh/nerd_rsa (add comment here)
ssh remote