SSH Configuration
Install SSH
Start by installing SSH.
apt install ssh
systemctl enable ssh
Sudo
As a best practice, disable root login and create a new user with sudo access.
adduser myuser
Add the user to the sudo group.
usermod -aG sudo myuser
Use sudo whenever you need to execute binaries with root privileges. To pipe text into a file that requires root, use sudo in combination with tee.
If you know what you are doing, you can switch to root with “sudo su”.
Private Key Authentication
Instead of password authentication, we will use private key authentication, which relies on asymmetric cryptography.
If you use Linux, copy your existing public key to the server and continue with the configuration.
ssh-copy-id myuser@server
If you use Windows, generate a new RSA key pair on the server and copy the private key to your PC.
You can use PuTTYgen to convert it into an SSH-2 key for use with PuTTY, FileZilla, WinSCP, etc.
ssh-keygen -b 4096 -t rsa -m PEM -f /tmp/key_rsa
cat /tmp/key_rsa
# copy the key
Activate the public key on the server and remove the private key.
ssh-copy-id -i /tmp/key_rsa.pub myuser@localhost
rm /tmp/key*
Try to authenticate with your private key using SSH.
Configuration
We disable all third-party PAM authentication modules, use SSH protocol version 2, set a login grace time of 30 seconds, add an inactivity timeout of 900 seconds, disable root login and force private key authentication.
cat << 'EOF' >> /etc/ssh/sshd_config
UsePAM no
Protocol 2
LoginGraceTime 30
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue.net
DebianBanner no
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers myuser
EOF
Adjust the last line, “AllowUsers”, to your list of users, separated by spaces.
Make sure to keep a root SSH terminal open in case something goes wrong.
Restarting the SSH service will not drop any open connections.
Restart SSH and try to authenticate with myuser using your private key.
systemctl restart ssh
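A check worth running before the restart, as an added example that is not part of the original page: sshd uses the first value it reads for a keyword, so a directive appended with ">>" has no effect if the same keyword is already set earlier in the file. The function names and the sample configuration below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). sshd keeps the FIRST value it
# reads for a keyword, so a directive appended to sshd_config is ignored when
# the same keyword is already set higher up in the file.

# effective_value FILE KEYWORD: print the first global value of KEYWORD.
# Keywords are case-insensitive; the global section ends at the first Match.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# check_hardening FILE: list directives from the page whose effective value
# differs from the intended one; return 1 if any differ, 0 otherwise.
check_hardening() {
    rc=0
    while read -r key expected; do
        actual=$(effective_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "$key: wanted '$expected', effective '${actual:-unset}'"
            rc=1
        fi
    done <<'EOF'
UsePAM no
LoginGraceTime 30
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
EOF
    return "$rc"
}

# Constructed sample: a pre-existing "UsePAM yes" followed by appended lines.
write_sample() {
    printf '%s\n' '# constructed sample, not a real server config' \
        'UsePAM yes' 'Subsystem sftp internal-sftp' \
        'UsePAM no' 'LoginGraceTime 30' 'PermitRootLogin no' \
        'PasswordAuthentication no' 'PermitEmptyPasswords no' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
check_hardening "$sample" || true   # prints: UsePAM: wanted 'no', effective 'yes'
rm -f "$sample"
```

On the server itself, run check_hardening /etc/ssh/sshd_config; "sshd -t" validates the file's syntax and "sshd -T" prints the configuration sshd will actually use.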