## Secure Shell (SSH)

### Generate SSH key pair

```console
$ ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "john@example.com"
```

#### Change private key permissions

```console
$ chmod 600 ~/.ssh/id_ed25519
```

### Client usage

To connect to a server, run:

```console
$ ssh -p port user@server-address
```

The default `port` is `22`.

#### Copy SSH key

To copy the public key to the clipboard:

1. `sudo apt-get install xclip` or `sudo pacman -S xclip`
2. `xclip -sel clip < ~/.ssh/id_ed25519.pub`

#### Configuration

The client can be configured to store common options and hosts. All options can be declared globally or restricted to specific hosts. For example:

```console
$ nano -w ~/.ssh/config
```

```bash
# host-specific options
Host myserver
    HostName ssh.heckyel.ga
    IdentityFile ~/.ssh/id_ed25519
    User Snowden
    Port 22
    ServerAliveInterval 5
```

With such a configuration, the following commands are equivalent:

```console
$ ssh -p port user@server-address
```

```console
$ ssh myserver
```

### Server usage

#### Configuration

The SSH daemon configuration file is `/etc/ssh/sshd_config`.

To allow access only for some users, add this line:

```bash
AllowUsers user1 user2
```

To allow access only for some groups:

```bash
AllowGroups group1 group2
```

To add a welcome message (e.g. from the `/etc/issue` file), configure the `Banner` option:

```bash
Banner /etc/issue
```

#### Securing the authorized_keys file

For additional protection, you can prevent users from adding new public keys and connecting with them.

On the server, make the `authorized_keys` file read-only for the user and deny all other permissions:

```console
$ chmod 400 ~/.ssh/authorized_keys
```

Because the user still owns the file, this only guards against accidental changes unless the user is also prevented from changing the permissions back.
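The permissions and access restrictions set above can be checked with a small script. This is an added example, not part of the original page; the function names are hypothetical and it assumes GNU coreutils `stat` (Linux).

```sh
#!/bin/sh
# Added example (not from the original page). Assumes GNU coreutils `stat`.

# Octal permission bits of a file, e.g. 600.
mode_of() { stat -c '%a' "$1"; }

# check_mode FILE MASK EXPECTED: report FILE if any permission bit in MASK is set.
check_mode() {
    mode=$(mode_of "$1")
    if [ $(( 0$mode & $2 )) -ne 0 ]; then
        echo "FINDING: $1 has mode $mode, expected $3"
        return 1
    fi
}

# audit_ssh_dir DIR: one FINDING line per problem; returns 1 if any were found.
audit_ssh_dir() {
    rc=0
    for f in "$1"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac      # public keys may be world-readable
        # Private key: no group/other access at all (chmod 600).
        check_mode "$f" 077 600 || rc=1
    done
    # authorized_keys: owner read only (chmod 400), so no write bit anywhere.
    if [ -f "$1/authorized_keys" ]; then
        check_mode "$1/authorized_keys" 0377 400 || rc=1
    fi
    return $rc
}

# sshd_restricts_logins FILE: succeeds if FILE has an active AllowUsers or
# AllowGroups line. Keywords are case-insensitive; Include and Match are not followed.
sshd_restricts_logins() {
    grep -Eiq '^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]+[^[:space:]]' "$1"
}

# Stand-alone use: sh audit.sh ~/.ssh
[ -z "${1:-}" ] || audit_ssh_dir "$1"
```

Run `sshd_restricts_logins /etc/ssh/sshd_config` on the server to confirm that an `AllowUsers` or `AllowGroups` line is active rather than commented out.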