# SSH Setup & Security

##### SSH File Structure

<table border="1" id="bkmrk-file-%2Ffolder-structu" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 26.4437%;"></col><col style="width: 44.8613%;"></col><col style="width: 28.6703%;"></col></colgroup><tbody><tr><td>**File-/Folder Structure**  
</td><td>**Description**  
</td><td>**Security** </td></tr><tr><td>~  
</td><td>User Home Directory (e.g. ~ can be /home/username)  
</td><td>  
</td></tr><tr><td>~/.ssh  
</td><td>SSH folder in the home directory  
</td><td>```shell
chmod 700 ~/.ssh
```

  
</td></tr><tr><td>~/.ssh/config  
</td><td>Create a new host entry in the ssh config; it should be structured as follows:  
  
```shell
Host SomeHostAliasName
    HostName domain.tld # or IP
    User root # or another user
```

A connection can then be established as follows:  
  
```shell
ssh SomeHostAliasName
```

</td><td>```shell
chmod 600 ~/.ssh/config
```

</td></tr><tr><td>~/.ssh/id\_rsa  
</td><td>Your private key (never share it with anyone!!)  
</td><td>```shell
chmod 600 ~/.ssh/id_rsa
```

</td></tr><tr><td>~/.ssh/id\_rsa.pub  
</td><td>Your public key (the part you hand to third parties when setting up a remote server)</td><td>```shell
chmod 600 ~/.ssh/id_rsa.pub
```

</td></tr><tr><td>~/.ssh/authorized\_keys  
</td><td>Public keys that are granted access to the current host  
</td><td>```shell
chmod 600 ~/.ssh/authorized_keys
```

</td></tr><tr><td>~/.ssh/known\_hosts  
</td><td>Entries for (trusted) hosts (entries are usually determined automatically and confirmed via a user prompt on first connection)  
</td><td>```shell
chmod 600 ~/.ssh/known_hosts
```

</td></tr></tbody></table>

##### SSH Commands

<table border="1" id="bkmrk-ssh-commands-descrip" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 50.0494%;"></col><col style="width: 50.0494%;"></col></colgroup><tbody><tr><td>**Command**  
</td><td>**Description**  
</td></tr><tr><td>ssh someHostAliasName  
</td><td>Connect to a host from your ~/.ssh/config  
</td></tr><tr><td>ssh-keygen -t rsa -b 4096 -C "your\_email@example.com"</td><td>Create a 4096-bit RSA SSH key pair (the -C comment is stored in the public key)  
</td></tr><tr><td>ssh-copy-id someHostAliasName  
</td><td>Copies your current SSH public key to a remote host  
(Alternatively, connect to the SSH host and append your public key to the file ~/.ssh/authorized\_keys)  
</td></tr><tr><td>ssh -Tv git@github.com</td><td>Check whether an SSH connection to a host is possible (e.g. git@github.com); -T disables terminal allocation, -v prints verbose debug output  
</td></tr><tr><td>ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password someHostAliasName</td><td>Check if a host allows password authentication  
</td></tr></tbody></table>

##### SSH Hardening

This hardens SSH and disables root login (do this only if you know what you are doing!!)  
Edit sshd\_config (e.g. `vim /etc/ssh/sshd_config`) and change/add the following:

```shell
PermitRootLogin no           # or "prohibit-password" (root may then still log in with a key, never with a password)
PubkeyAuthentication yes
PasswordAuthentication no    # or use Match Blocks instead (see: https://ostechnix.com/disable-ssh-password-authentication-for-specific-user-or-group/)
PermitEmptyPasswords no
ChallengeResponseAuthentication no   # legacy name; OpenSSH 8.7+ calls this KbdInteractiveAuthentication
UsePAM no                    # also skips PAM account/session modules; keep "yes" if you depend on them
X11Forwarding no

# Optional: Match blocks must be the last entries in the file, because every
# directive after a "Match" line applies only to that match.
# Match User app-*
#         PasswordAuthentication yes
# 
# Match User admin-*
#         PasswordAuthentication no
```

After changing the file, restart the SSH service (`systemctl restart sshd`) and verify that you are still able to connect (use a user other than root), keeping your current session open until the new connection works!
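As an added example (not part of the original page), the following POSIX sh functions audit an `sshd_config` against the hardening values above and demonstrate the pitfall that sshd honours the first occurrence of a keyword, not the last; the two config files it writes are constructed demo data, not real system files.

```shell
# sshd uses the FIRST occurrence of a keyword: a hardened line appended at the end is
# ignored when an earlier (e.g. distro default) line sets it. Values after "Match" are skipped.
# effective_value FILE KEYWORD -> first global value, lowercased (empty if unset)
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # skip comments and blanks
        tolower($1) == "match" { exit }                # global section ends here
        tolower($1) == key { print tolower($2); exit } # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per deviation, returns 1 if any
audit_sshd_config() {
    file="$1"; rc=0
    # Included files take effect at the Include line; "sshd -T" prints what sshd really uses
    grep -qi '^[[:space:]]*include' "$file" && echo "WARN: Include found, verify with sshd -T"
    while read -r key want; do                     # want = allowed values, "|"-separated
        got=$(effective_value "$file" "$key")
        [ -n "$got" ] || got="(unset)"
        case "|$want|" in
            *"|$got|"*) ;;
            *) echo "FAIL $key: allowed '$want', effective '$got'"; rc=1 ;;
        esac
    done <<CHECKS
PermitRootLogin no|prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
CHECKS
    return $rc
}

# write_samples DIR -> two constructed configs (demo data, not real system files)
write_samples() {
    cat > "$1/hardened.conf" <<'SAMPLE'
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
Match User app-*
    PasswordAuthentication yes
SAMPLE
    cat > "$1/default_wins.conf" <<'SAMPLE'
PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
SAMPLE
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` before the restart, together with `sshd -t` for a syntax check; the second sample file fails because the `PasswordAuthentication yes` at its top wins over the hardened line below it.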