Monday, August 15, 2016

SSH

SSH Client

Common client files in the ~/.ssh/ directory

known_hosts => hostnames/IPs and the fingerprints of servers this client has connected to before
authorized_keys => concatenated list of public keys that can log in as this user without a password

To generate a public/private RSA key pair (id_rsa and id_rsa.pub):

ssh-keygen -t rsa -b 4096

Private keys must be readable only by the user or SSH will ignore them for safety. Also, the .ssh directory must be readable only by the user.

To copy the public key to a server:

ssh-copy-id -i id_rsa.pub user@server

After completion, make sure the key was appended to the .ssh/authorized_keys file on the server.

sshd server

The config file is /etc/ssh/sshd_config.

Best practice security settings

  • On public facing servers, always disable root logins with PermitRootLogin no
  • For extra security, specifically limit the users that can log in with AllowUsers neo trinity
  • Allow login via keys with AuthorizedKeysFile .ssh/authorized_keys
  • You can change the port that SSH listens on, but a good port scanner will find it wherever it is
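A small POSIX shell audit of those settings, added here as an example (it is not part of the original post). It assumes one "Keyword value" per line (the "Keyword=value" form is not handled), that the first occurrence of a keyword wins as sshd_config(5) states, and that everything from the first Match block onward is conditional and therefore skipped.

```shell
#!/bin/sh
# Added example: report on the hardening settings discussed above for a given sshd_config.
# Assumptions: "Keyword value" lines only, case-insensitive keywords, first occurrence wins,
# and the audit stops at the first "Match" line because settings there are conditional.

# sshd_opt FILE KEYWORD: print the effective top-level value of KEYWORD (empty if unset)
sshd_opt() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }            # skip comments and blank/incomplete lines
    tolower($1) == "match"    { exit }             # conditional block: stop here
    tolower($1) == key        { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# audit_sshd_config FILE: print one OK/WARN/INFO line per check; always returns 0
audit_sshd_config() {
  f="$1"

  v=$(sshd_opt "$f" PermitRootLogin)
  if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "no" ]; then
    echo "OK   PermitRootLogin no"
  else
    echo "WARN PermitRootLogin is '${v:-unset}'; public facing servers should set it to no"
  fi

  v=$(sshd_opt "$f" AllowUsers)
  if [ -n "$v" ]; then
    echo "OK   AllowUsers restricts logins to: $v"
  else
    echo "WARN AllowUsers not set; any system account may attempt to log in"
  fi

  v=$(sshd_opt "$f" AuthorizedKeysFile)
  echo "INFO AuthorizedKeysFile is '${v:-unset, sshd default applies}'"

  v=$(sshd_opt "$f" Port)
  echo "INFO sshd listens on port ${v:-22}; a non-default port is not a security control"
  return 0
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
```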