Primary resource: http://pkeck.myweb.uga.edu/ssh/
Normally, one submits a username and password for an SSH connection. This renders the service vulnerable to brute force attacks.
By using keys, no password is transmitted (once the public key has been copied from the client to the SSH server).
In addition to setting up keys, change the port to something other than 22.
After setting up keys, disable the ability to log in through other means (username/password).
laptopuser@laptop:~$ ssh-keygen -t dsa
OLD: laptopuser@laptop:~$ scp ~/.ssh/id_dsa.pub ubuntuServer:.ssh/authorized_keys2
Problem: the above command overwrites any keys already in the server's authorized_keys2 file
NEW: laptopuser@laptop:~$ cat ~/.ssh/id_dsa.pub | ssh ubuntuServer 'cat >> ~/.ssh/authorized_keys'
laptopuser@laptop:~$ ssh serveruser@ubuntuServer
Enter passphrase for key '/home/laptopuser/.ssh/id_dsa':
This will allow you (laptopuser) to log into the "ubuntuServer" without a password.
ssh is on all Linux operating systems. For Windows, use PuTTY.
To see if ssh is installed on a system called "ubuntuServer", run:
serveruser@ubuntuServer:~$ ssh serveruser@localhost
The SSH service (server side) needs to be installed on Ubuntu:
serveruser@ubuntuServer:~$ sudo apt-get install openssh-server
laptopuser@laptop:~$ ssh serveruser@ubuntuServer
The authenticity of host 'ubuntuServer' can't be established.
RSA key fingerprint is 9f:7f:be:76:7f:4a:1b:6f:58:26:b3:f3:93:76:10:e2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ubuntuServer' (RSA) to the list of known hosts.
username@ubuntuServer's password:
Linux ubuntuServer 2.6.27-11-generic #1 SMP Thu Jan 29 19:24:39 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
serveruser@ubuntuServer:~$
Physical setup: you are on a laptop with username laptopuser, and you are attempting to access the remote system ubuntuServer with username serveruser:
Normally,
laptopuser@laptop:~$ ssh serveruser@ubuntuServer
But since I've switched the SSH port to a different port, what I get is
laptopuser@laptop:~$ ssh serveruser@ubuntuServer
ssh: connect to host serverIP port 22: Connection refused
Using the correct port,
laptopuser@laptop:~$ ssh -p 666 serveruser@ubuntuServer
serveruser@ubuntuServer's password: <<PASSWORD>> <<ENTER>>
Linux ubuntuServer 2.6.24-22-generic #1 SMP Mon Nov 24 18:32:42 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
Last login: Wed Apr 8 18:14:23 2009 from anothermachineName
serveruser@ubuntuServer:~$
serveruser@ubuntuServer:~$ exit
logout
Connection to 131.151.77.11 closed.
laptopuser@laptop:~$
Now let's set up SSH keys for the laptop user so that there is no password transmitted between laptop and server after this first session.
See http://pkeck.myweb.uga.edu/ssh/
Generating the key:
laptopuser@laptop:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/laptopuser/.ssh/id_dsa): <<ENTER>>
Enter passphrase (empty for no passphrase): <<YOUR PASSPHRASE HERE>> <<ENTER>>
Enter same passphrase again: <<YOUR PASSPHRASE HERE>> <<ENTER>>
Your identification has been saved in /home/laptopuser/.ssh/id_dsa.
Your public key has been saved in /home/laptopuser/.ssh/id_dsa.pub.
The key fingerprint is:
a1:e6:fe:4b:2a:61:ff:80:fb:30:dc:5a:c2:ad:c6:89 laptopuser@ubuntuhost
laptopuser@laptop:~$
Next, copy the PUBLIC key to the server from the laptop (this is the scp form noted at the top, which replaces any existing authorized_keys2 on the server; use the append form instead if the server already has keys):
laptopuser@laptop:~$ scp ~/.ssh/id_dsa.pub ubuntuServer:.ssh/authorized_keys2
serveruser@ubuntuServer's password: <<PASSWORD>> <<ENTER>>
id_dsa.pub 100% 604 0.6KB/s 00:00
laptopuser@laptop:~$
After this key is set up, no password is transmitted to the server. There IS a passphrase, entered locally, to unlock the secret key on the laptop.
laptopuser@laptop:~$ ssh serveruser@ubuntuServer
Enter passphrase for key '/home/laptopuser/.ssh/id_dsa': <<YOUR PASSPHRASE HERE>> <<ENTER>>
Linux ubuntuServer 2.6.27-11-generic #1 SMP Thu Jan 29 19:24:39 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Thu Apr 9 07:22:36 2009 from laptop
serveruser@ubuntuServer:~$
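An added example, not from the page or the linked site: a small POSIX shell function that does what the NEW append command above intends, but skips keys already present and sets the permissions sshd insists on. It is demonstrated here against a temporary directory with constructed keys standing in for the server's ~/.ssh.

```shell
#!/bin/sh
# Added example, not from the page: append a public key to an authorized_keys
# file the way the "NEW" command above intends, but skip it if the same key is
# already there, keep an existing last line intact, and set the permissions
# sshd requires (~/.ssh 700, authorized_keys 600; with looser modes sshd
# ignores the file and falls back to asking for the password). Run server-side.
# Usage: install_pubkey <authorized_keys path> <public key file>
install_pubkey() {
    auth="$1"; pubfile="$2"
    sshdir=$(dirname "$auth")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # Compare the key material (the base64 blob), not the whole line, so a
    # different trailing comment such as "laptopuser@laptop" is no duplicate.
    keydata=$(awk 'NF >= 2 { print $2; exit }' "$pubfile")
    if awk -v k="$keydata" '{ for (i = 1; i <= NF; i++) if ($i == k) found = 1 }
                            END { exit !found }' "$auth"; then
        echo "already present: $auth"
    else
        # If the file does not end in a newline, cat >> would glue the new
        # key onto the last entry and corrupt both; add the newline first.
        [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ] && echo >> "$auth"
        cat "$pubfile" >> "$auth"
        echo "appended to: $auth"
    fi
}

# Number of key entries in an authorized_keys file (blank and # lines ignored).
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Octal permission bits of a path, e.g. 600 (GNU stat, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Demo with constructed keys in a temporary directory standing in for ~/.ssh
demo=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructedLaptopKey== laptopuser@laptop\n' > "$demo/id_dsa.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADconstructedOldKey== olduser@desktop\n' > "$demo/authorized_keys"
install_pubkey "$demo/authorized_keys" "$demo/id_dsa.pub"   # appends
install_pubkey "$demo/authorized_keys" "$demo/id_dsa.pub"   # already present
echo "entries: $(count_keys "$demo/authorized_keys"), mode: $(file_mode "$demo/authorized_keys")"
rm -rf "$demo"
```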
$ sudo gedit /etc/ssh/sshd_config
Port 22
becomes
Port 1022
$ sudo /etc/init.d/ssh restart
Then do
$ ssh -p 1022 -X user@<IP>
for ssh, or
$ scp -P 1022 user@<IP>:<remote file> .
for scp (note that ssh takes a lowercase -p but scp takes an uppercase -P).
http://kaotickreation.com/2008/05/21/disable-ssh-password-authentication-for-added-security/
$ sudo gedit /etc/ssh/sshd_config
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Once you save the changes, you'll need to reload the SSH server with the following command.
$ sudo /etc/init.d/ssh reload
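An added example, not from the page or the linked site: a shell audit that reads an sshd_config the way sshd resolves it (for each keyword the first occurrence wins, so a "PasswordAuthentication no" appended below an earlier "yes" is silently ignored) and reports whether the port and password settings changed above are actually in effect. It runs here on a constructed sample; point it at /etc/ssh/sshd_config on the server to check the real file.

```shell
#!/bin/sh
# Added example, not from the page. Reads an sshd_config keyword the way sshd
# resolves it: keywords are case-insensitive, lines starting with "#" are
# comments, "Key value" and "Key=value" are both accepted, and for each
# keyword the FIRST occurrence wins. Assumption: only the global section is
# read; parsing stops at the first "Match" block, whose settings are conditional.
# Usage: sshd_setting <sshd_config> <keyword> <default-if-absent>
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comment or blank line
        { sub(/=/, " "); $0 = $0 }                  # Key=value -> Key value
        tolower($1) == "match" { exit }             # end of global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# Audit the settings this page changes: one OK/FAIL line per check,
# exit status 0 only when all pass.
audit_sshd_config() {
    cfg="$1"; rc=0
    port=$(sshd_setting "$cfg" Port 22)
    pw=$(sshd_setting "$cfg" PasswordAuthentication yes)
    cr=$(sshd_setting "$cfg" ChallengeResponseAuthentication yes)
    pk=$(sshd_setting "$cfg" PubkeyAuthentication yes)
    [ "$port" != "22" ] && echo "OK   Port $port" || { echo "FAIL Port 22"; rc=1; }
    [ "$pw" = "no" ] && echo "OK   PasswordAuthentication no" \
        || { echo "FAIL PasswordAuthentication $pw"; rc=1; }
    [ "$cr" = "no" ] && echo "OK   ChallengeResponseAuthentication no" \
        || { echo "FAIL ChallengeResponseAuthentication $cr"; rc=1; }
    [ "$pk" = "yes" ] && echo "OK   PubkeyAuthentication yes" \
        || { echo "FAIL PubkeyAuthentication $pk (key logins refused)"; rc=1; }
    return $rc
}

# Demo on a constructed config showing the first-occurrence trap: the
# "PasswordAuthentication no" added at the bottom never takes effect.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Port 1022
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
audit_sshd_config "$demo_cfg" || echo "config is NOT hardened"
rm -f "$demo_cfg"
```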
Note: sometimes a failure to connect is due to too many failed attempts.
Check the DenyHosts settings.