SSH Setup & Security
SSH File Structure
| File-/Folder Structure |
Description |
Security |
| ~ |
User Home Directory (e.g. ~ can be /home/username) |
|
| ~/.ssh |
SSH Ordner im Home Verzeichnis |
|
| ~/.ssh/config |
Erstelle einen neuen Host Eintrag in der ssh config, der Aufbau sollte wie folgt aussehen: |
|
| ~/.ssh/id_rsa |
Dein Private Key (niemals an andere übermitteln!!) |
|
| ~/.ssh/id_rsa.pub |
Dein Public Key (zum übermitteln an Dritte für Remote-Server Einrichtung) |
|
| ~/.ssh/authorized_keys |
Public Keys die Zugriff auf den aktuellen Host haben |
|
| ~/.ssh/known_hosts |
Einträge zu (trusted) Hosts (Einträge werden i.d.R. automatisch ermittelt und per User Prompt zur Bestätigung erfragt) |
|
SSH Commands
| Command |
Description |
| ssh someHostAliasName |
Connect to a host from your ~/.ssh/config |
| ssh-keygen -t rsa -b 4096 -C "your_email@example.com" | Create a 4096Bit encrypted SSH Key |
| ssh-copy-id someHostAliasName |
Copies your current ssh pub key to a remote host |
| ssh -Tv git@github.com | Analyze if a ssh connection is possible to a host (e.g. git@github.com) |
| ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password someHostAliasName | Check if a host allows password authentication |
SSH Hardening:
Edit /etc/ssh/sshd_config and change/add the following
(keep your current session open and verify that you are still able to connect):
PasswordAuthentication no # or use Match Blocks instead (see: https://ostechnix.com/disable-ssh-password-authentication-for-specific-user-or-group/)
PubkeyAuthentication yes
PermitRootLogin no # or "prohibit-password"
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding noAfter changing the file restart the ssh service: systemctl restart sshd