Set Up An Ssh Server

First step: Create RSA keys

- To create the SSH key, log in as the user you want to create the keys for.
Your prompt should look something like this:

UserName@rita:~$

- Type the following command:

UserName@rita:~$ ssh-keygen

   Generating public/private rsa key pair.
   Enter file in which to save the key (/home/UserName/.ssh/id_rsa):

- Press enter to accept the default location, then type the passphrase that will protect the private key, or just press enter if you want a passphrase-less SSH key that can be used between servers.

Enter same passphrase again:

- Type the passphrase once again.

- When you have done this, copy /home/UserName/.ssh/id_rsa to a folder on your personal computer, or to the server that should connect to this one using the key.

- If your personal computer runs Windows, download and open PuTTYgen: http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
- Click "Load"
- Change the file type to "All files" instead of the default .ppk
- Load the key we just saved
- Type your passphrase and it should say: "Success".
- Select "Save private key" and save the private key we just generated in PuTTY format, in the same directory, under the name you prefer.

It's important that you keep both keys in a safe place.

Second step: Configure the SSH server

- Create your user on the server and give it a password.
- Create a .ssh directory within your user's home directory
- Copy the file you generated earlier named id_rsa.pub to /home/UserName/.ssh/authorized_keys
- Permissions are very important in this scenario. They should be as follows:

root@rita:/etc/ssh# ls -la /home/
drwxr-x---  3 UserName     users            4096 2008-11-03 15:17 mramos
root@rita:/etc/ssh# ls -la /home/UserName
drwx------  2 UserName  users      4096 2008-11-04 09:16 .ssh
root@rita:/etc/ssh# ll /home/UserName/.ssh/
total 20
drwx------ 2 UserName users 4096 2008-11-04 09:16 .
drwxr-x--- 3 UserName users 4096 2008-11-03 15:17 ..
-rw------- 1 UserName users  393 2008-10-24 09:55 authorized_keys

- Take a backup of your current sshd configuration:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +%d%b%g%H%M%S`

- Change/add the values in sshd_config so that it looks like this:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 60
PermitRootLogin no
StrictModes yes
AllowUsers UserName1 UserName2 UserNameX

RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no

In the configuration file you can add an extra Port directive:

Port 2222

This way you can block port 22 in your firewall and only listen for connections on a different port.
This keeps the common script-kiddie scanners from knocking on your SSH port,
so you only have to worry about real alarms on port 2222.

If you are using an Ubuntu-like distro, set a real password for root:

passwd

- Before going any further, try connecting to the server with PuTTY using the RSA key.

If it works, great!!!
If it doesn't, please review all the previous steps.

The next step is to restart the SSH server.
Note that restarting it does not drop your current session, so you are more or less safe.

The final steps are a configuration review.

Try to connect to the server with your user using your RSA key. It should work just fine.

Try to connect to the server with your user without the RSA key.
This shouldn't work: you should get an error message right after entering the user name.
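As an added check for both the permissions in the second step and this configuration review (an example script written for this page, not part of the original guide): it reads the effective value of the directives the guide hardens and verifies the mode of the home directory, .ssh and authorized_keys. The paths, the function names and the constructed sample configs are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config and a user's
# ~/.ssh layout against what this guide configures. Paths are arguments, so the
# checks run against a constructed sample or the live /etc/ssh/sshd_config.
# Effective value of a keyword. sshd keywords are case-insensitive and the first
# uncommented occurrence wins; Match blocks (absent from the guide) are ignored.
sshd_setting() {
    awk -v key="$2" '!found && tolower($1) == tolower(key) { val = $2; found = 1 }
                     END { print val }' "$1"
}

# The directives the guide hardens, with the values it sets.
check_config() {
    cfg=$1; cfg_fails=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes \
                PermitEmptyPasswords=no Protocol=2 StrictModes=yes X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}; got=$(sshd_setting "$cfg" "$key")
        [ "$got" = "$want" ] || { echo "FAIL $key is '${got:-unset}', want $want"; cfg_fails=$((cfg_fails+1)); }
    done
    return $cfg_fails
}

# Mode string as ls prints it (portable, unlike stat -c); the guide's listing shows 750/700/600.
mode_of() { ls -ld "$1" | cut -c1-10; }

check_user_dir() {
    h=$1; dir_fails=0
    case "$(mode_of "$h")" in
        d????-??-?) ;;  # group and other must not be able to write to the home dir
        *) echo "FAIL $h is group/other writable"; dir_fails=$((dir_fails+1)) ;;
    esac
    [ "$(mode_of "$h/.ssh")" = "drwx------" ] || { echo "FAIL $h/.ssh must be 700"; dir_fails=$((dir_fails+1)); }
    [ "$(mode_of "$h/.ssh/authorized_keys")" = "-rw-------" ] || { echo "FAIL authorized_keys must be 600"; dir_fails=$((dir_fails+1)); }
    return $dir_fails
}

# Constructed sample: a config written as the guide shows it, plus a weak one.
make_sample() {
    s=$(mktemp -d); mkdir -p "$s/home/.ssh"; : > "$s/home/.ssh/authorized_keys"
    chmod 750 "$s/home"; chmod 700 "$s/home/.ssh"; chmod 600 "$s/home/.ssh/authorized_keys"
    printf '%s\n' 'Protocol 2' 'PermitRootLogin no' '#PasswordAuthentication yes' \
        'PasswordAuthentication no' 'PubkeyAuthentication yes' 'PermitEmptyPasswords no' \
        'StrictModes yes' 'X11Forwarding no' > "$s/good_config"
    printf '%s\n' 'Protocol 2' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$s/weak_config"
    echo "$s"
}

# Usage: sh audit.sh /etc/ssh/sshd_config /home/UserName (with no arguments only the functions load)
if [ $# -eq 2 ]; then check_config "$1"; check_user_dir "$2"; fi
```

Run it against the live paths after the restart; any FAIL line points at the step to revisit.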

Voila!!!

The next thing to do is to configure Fail2ban for SSH and other services :)

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License