SSH Configuration

Read time 2 minutes

Install SSH

Start by installing SSH.

apt install ssh
systemctl enable ssh

Sudo

For best practices you should disable root login and create a new user with sudo access.

adduser myuser

Add the user to the sudo group.

usermod -aG sudo myuser

Whenever needed you should use sudo to execute binaries with root privileges. To pipe text use sudo in combination with tee.

If you know what you are doing you can switch to root with “sudo su”

Private Key Authentication

Instead of password authentication we will stick to private key authentication which uses asymmetric encryption.

If you use Linux copy your existing public key to the server and continue with configuration.

ssh-copy-id myuser@server

If you use Windows generate a new RSA key pair on the server and copy the private key to your pc.

You can use Puttygen to convert it into a ssh-2 key to use with PuTTY, FileZilla, WinSCP, etc.

ssh-keygen -b 4096 -t rsa -m PEM
cat /tmp/key_rsa
# copy the key

Activate the public key on the server and remove the private key.

ssh-copy-id -i /tmp/key_rsa.pub myuser@localhost
rm /tmp/key*

Try to authenticate with your private key using SSH.

Configuration

We disable all third party pam authentication modules, use SSH version 2, set a login grace timeout of 30 seconds, add a inactive timeout of 900 seconds, disable root login and force private key authentication.

cat << 'EOF' >> /etc/ssh/sshd_config
UsePAM no
Protocol 2
LoginGraceTime 30
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue.net
DebianBanner no
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers myuser
EOF

Adjust the last line “AllowUsers” with your user list, separated by space.

Make sure to keep a root SSH terminal open in case something goes wrong.

Restating the SSH service will not drop any open connections.

Restart SSH and try to authenticate with myuser using your private key.

systemctl restart ssh