Wednesday, October 22, 2014

Setting Up SSH on Lubuntu

To install SSH on Ubuntu/Lubuntu:
sudo apt-get install openssh-server

Back up the original default configuration file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults

Secure the in-use configuration using whichever text editor you prefer; I'm using nano:
sudo nano /etc/ssh/sshd_config

by changing the following settings:
# Authentication:
LoginGraceTime 30
PermitRootLogin no
AllowUsers myuser myotheruser
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes

then also find and set:
PermitEmptyPasswords no
PasswordAuthentication no
* Use the username(s) of the user(s) who should have remote access to the server enabled, not "myuser" or "myotheruser".

These settings reduce the amount of time a connection has to authenticate, prevent direct remote access to the root account, exclusively permit remote access by the listed user(s), and exclusively permit public key authentication.

You can optionally set OpenSSH to use a non-standard port (i.e. any port other than 22; pick one you aren't going to be using for anything else; the option should be near the top):
Port 22
If you want to know what ports may be used for something else then check the List of TCP and UDP port numbers on Wikipedia.

Don't forget to restart the service to apply the newly altered SSH configuration:
sudo service ssh restart
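
A check that can be run before the restart above, added here as an example and not part of the original post: it reads an sshd_config-style file and reports any of the settings from this page that are missing or different. The function names and the sample file are constructed for illustration; it assumes whitespace-separated "Keyword value" lines and does not follow Include files.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against the values set on this page.
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.

# first_value FILE KEYWORD: print the first global (pre-Match) value, lowercased.
# KEYWORD must be passed in lowercase.
first_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/         { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }   # Match blocks are conditional, not global
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$1"
}

# fail MESSAGE: print one finding and count it.
fail() { echo "FAIL $*"; findings=$((findings + 1)); }

# audit_sshd_config FILE: print one line per finding; exit status = number of findings.
# Every setting must be stated explicitly; compiled-in defaults are not trusted.
audit_sshd_config() {
    file=$1
    findings=0
    for pair in permitrootlogin=no passwordauthentication=no \
                permitemptypasswords=no pubkeyauthentication=yes strictmodes=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(first_value "$file" "$key")
        [ "$got" = "$want" ] || fail "$key: want $want, got ${got:-unset}"
    done
    grace=$(first_value "$file" logingracetime)
    case $grace in
        ''|*[!0-9]*|0) fail "logingracetime: '$grace' is unset, not plain seconds, or 0 (no limit)" ;;
        *) [ "$grace" -le 30 ] || fail "logingracetime: $grace exceeds 30" ;;
    esac
    users=$(first_value "$file" allowusers)
    case " $users " in
        "  "|*" myuser "*|*" myotheruser "*) fail "allowusers: unset or still the placeholder names" ;;
    esac
    return "$findings"
}

# Constructed sample: hardened, except that password logins are only disabled
# inside a Match block, so the global setting is still missing.
sample=$(mktemp)
printf '%s\n' 'LoginGraceTime 30' 'PermitRootLogin no' 'AllowUsers alice' \
    'StrictModes yes' 'PubkeyAuthentication yes' 'PermitEmptyPasswords no' \
    'Match User alice' 'PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On the server itself, "sudo sshd -t" checks the real file for syntax errors and "sudo sshd -T" prints the effective settings.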

Since you have just disabled password-based authentication, you will need to set up public key authentication. Log in as the user you want to have remote access and create a public-private SSH key pair in the user's home directory.
mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa

Although you can use the default save location, you will eventually want the keys named for what they open/unlock (in this case, the server and user they are for).

Now that you have your key pair, copy the private key (the one not ending in ".pub") to the local client machine you want to remote into the server from (e.g. using a USB thumb drive). If the local client is running Windows, then you need to download PuTTY and then use PuTTYgen to open the private key and export it as .ppk for PuTTY. Alternatively, you can generate the key pair using PuTTYgen and copy the public key, exported as an OpenSSH key, to the server you want to remotely access (placed into the ~/.ssh/ directory).
Once you have the public key on the server in the correct user's ~/.ssh/ directory, restrict its file permissions and add it to the authorized keys file:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
* Use the file name for your public key if it is not named the default "id_rsa".

Test logging in remotely using the public key and its passphrase. If it works then delete the public key from the server:
rm ~/.ssh/id_rsa.pub
