## Secure Shell (SSH)

### Generate SSH key pair

#### Medium security

```
ssh-keygen -t rsa -b 4096
```

#### High security

```
ssh-keygen -t rsa -b 16384
```

#### Change private key permissions

```
chmod 600 ~/.ssh/id_rsa
```

### Client usage

To connect to a server, run:

```
ssh -p port user@server-address
```

The default `port` is `22`.

#### Copy SSH key

1. `sudo apt-get install xclip` or `sudo pacman -S xclip`
2. `xclip -sel clip < ~/.ssh/id_rsa.pub`

#### Configuration

The client can be configured to store common options and hosts. All options can be declared globally or restricted to specific hosts. For example:

```
# ~/.ssh/config

# host-specific options
Host myserver
    HostName ssh.heckyel.ga
    IdentityFile ~/.ssh/id_rsa
    User Snowden
    Port 22
    ServerAliveInterval 5
```

With such a configuration, the following commands are equivalent:

```
ssh -p port user@server-address
ssh myserver
```

### Server usage

#### Configuration

The SSH daemon configuration file can be found and edited in `/etc/ssh/sshd_config`.

To allow access only for some users, add this line:

```
AllowUsers user1 user2
```

To allow access only for some groups:

```
AllowGroups group1 group2
```

To add a nice welcome message (e.g. from the `/etc/issue` file), configure the `Banner` option:

```
Banner /etc/issue
```

#### Securing the authorized_keys file

For additional protection, you can prevent users from adding new public keys and connecting from them.

On the server, make the `authorized_keys` file read-only for the user and deny all other permissions:

```
chmod 400 ~/.ssh/authorized_keys
```
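
The two permission settings on this page (mode 600 on the private key, mode 400 on `authorized_keys`) can be checked across a whole SSH directory with a small script. This is an added example, not part of the original page; it assumes GNU `stat` (Linux), generalizes the private key check to any file with a private key header, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit an SSH directory
# against the modes this page sets. Assumes GNU stat (Linux).
# Function names are hypothetical.

# is_private_key FILE -> 0 if the first line is a private key header
is_private_key() {
    head -n 1 -- "$1" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----'
}

# check_mode FILE EXPECTED -> 0 if FILE has exactly the EXPECTED octal mode
check_mode() {
    cm_actual=$(stat -L -c '%a' -- "$1") || return 2
    if [ "$cm_actual" = "$2" ]; then
        echo "OK   $1 ($cm_actual)"
    else
        echo "BAD  $1 (mode $cm_actual, expected $2)"
        return 1
    fi
}

# audit_ssh_dir DIR -> exit status is the number of files with a wrong mode
audit_ssh_dir() {
    au_bad=0
    for au_f in "$1"/*; do
        [ -f "$au_f" ] || continue
        if [ "${au_f##*/}" = authorized_keys ]; then
            # The page makes authorized_keys read-only for its owner.
            check_mode "$au_f" 400 || au_bad=$((au_bad + 1))
        elif is_private_key "$au_f"; then
            # The page restricts the private key to owner read/write.
            check_mode "$au_f" 600 || au_bad=$((au_bad + 1))
        fi
    done
    return "$au_bad"
}

# Run against a directory only when one is given, e.g.: sh audit.sh ~/.ssh
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

Public keys and other files are skipped, so only `authorized_keys` and private key files count toward the exit status.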