path: root/ssh/README.md
blob: 3901a77cbd6df1fc733f69235148ae176661bad4 (plain)
## Secure Shell (SSH)

### Generate SSH key pair

#### Medium security

    ssh-keygen -b 4096

#### High security

    ssh-keygen -b 16384

#### Change private key permissions

    chmod 600 ~/.ssh/id_rsa

### Client usage

To connect to a server, run:

    ssh -p port user@server-address

The default `port` is `22`.

#### Copy SSH key

1. `sudo apt-get install xclip` or `sudo pacman -S xclip`
2. `xclip -sel clip < ~/.ssh/id_rsa.pub`

#### Configuration

The client can be configured to store common options and hosts. All options can be declared globally or restricted to specific hosts. For example:

```
# ~/.ssh/config

# host-specific options
Host myserver
    HostName ssh.heckyel.ga
    IdentityFile ~/.ssh/id_rsa
    User Snowden
    Port 22
    ServerAliveInterval 5
```

With such a configuration, the following commands are equivalent:

`ssh -p port user@server-address`

`ssh myserver`

### Server usage

#### Configuration

The SSH daemon configuration file can be found and edited in `/etc/ssh/sshd_config`.

To allow access only for some users, add this line:

    AllowUsers    user1 user2

To allow access only for some groups:

    AllowGroups   group1 group2

To add a nice welcome message (e.g. from the `/etc/issue` file), configure the `Banner` option:

    Banner /etc/issue

#### Securing the authorized_keys file

For additional protection, you can prevent users from adding new public keys and connecting from them.

On the server, make the `authorized_keys` file read-only for the user and deny all other permissions:

    chmod 400 ~/.ssh/authorized_keys
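
To check that the modes from "Change private key permissions" and "Securing the authorized_keys file" are actually in place, the following script audits an SSH directory. It is an added example, not part of the original README; the function names `owner_only` and `audit_ssh_dir` are hypothetical, and it assumes GNU `stat` (Linux) and key files named `id_*`.

```shell
#!/bin/sh
# Added example (not from the README): audit the file modes set above.
# Assumes GNU stat (Linux) and key files named id_* as created by ssh-keygen.

# Succeeds when FILE grants nothing to group or others (600, 400, ...).
owner_only() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print one line per finding in DIR; exit status is the number of findings.
audit_ssh_dir() {
    dir=$1
    findings=0
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue                # glob matched nothing
        case "$f" in *.pub) continue ;; esac   # public keys may be readable
        if ! owner_only "$f"; then
            echo "private key readable by group/others: $f"
            findings=$((findings + 1))
        fi
    done
    ak="$dir/authorized_keys"
    if [ -f "$ak" ] && [ "$(stat -c '%a' "$ak")" != 400 ]; then
        echo "authorized_keys is not mode 400: $ak"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample directory so the script runs without touching ~/.ssh.
demo=$(mktemp -d)
: > "$demo/id_rsa";          chmod 644 "$demo/id_rsa"
: > "$demo/id_rsa.pub";      chmod 644 "$demo/id_rsa.pub"
: > "$demo/authorized_keys"; chmod 600 "$demo/authorized_keys"
audit_ssh_dir "$demo" || echo "findings before fix: $?"

# Apply the modes from this README and audit again.
chmod 600 "$demo/id_rsa"
chmod 400 "$demo/authorized_keys"
audit_ssh_dir "$demo" && echo "no findings after fix"
rm -rf "$demo"
```

Because the user owns `authorized_keys`, `chmod 400` can be undone with another `chmod`; running the audit periodically reports drift from the mode rather than enforcing it.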