Differences

This shows you the differences between two versions of the page.

security:security_main [2022/11/19 20:00] srohr
security:security_main [2022/11/19 20:11] (current) srohr
Line 1: Line 1:
 +====== Security ======
 +
 +
 +===== Configure SSH Key-Based Authentication =====
 +
 +==== Generate a public/private keypair ====
 + 
 +//''ssh-keygen -b 4096 -t rsa''//
 +
 +<code>
 +username@client:~ $ ssh-keygen -b 4096 -t rsa
 +Generating public/private rsa key pair.
 +Enter file in which to save the key (/home/username/.ssh/id_rsa):
 +Created directory '/home/username/.ssh'.
 +Enter passphrase (empty for no passphrase):
 +Enter same passphrase again:
 +Your identification has been saved in /home/username/.ssh/id_rsa
 +Your public key has been saved in /home/username/.ssh/id_rsa.pub
 +The key fingerprint is:
 +SHA256:Jdf1vcisLk7l3FKMqAFT+4I3A9vBITCMfRSNBqIMTjM username@client
 +The key's randomart image is:
 ++---[RSA 4096]----+
 +|XE.oo+ .      .  |
 +|X+= + o .  . . ..|
 +|o= o o .. o .   o|
 +|..o . + .+. = . .|
 +|.. + . oSo o * . |
 +|    o   + + +    |
 +|       . . = .   |
 +|        ... .    |
 +|        ....     |
 ++----[SHA256]-----+
 +username@client:~ $
 +</code>
 +\\
 +
 +==== Copy the public key from the client to the remote_host====
 +
 +//''ssh-copy-id username@remote_host''//
 +<code>
 +username@client:~ $ ssh-copy-id username@remote_host
 +/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_rsa.pub"
 +The authenticity of host 'remote_host (remote_host)' can't be established.
 +ECDSA key fingerprint is SHA256:bIeIlzk+BiG8ou+XOtlir5O2PoKQJqq5UFkWzOAtid4.
 +Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
 +/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
 +/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
 +username@remote_host's password:
 +
 +Number of key(s) added: 1
 +
 +Now try logging into the machine, with:   "ssh 'username@remote_host'"
 +and check to make sure that only the key(s) you wanted were added.
 +
 +username@client:~ $ ssh username@remote_host
 +Linux remote_host 5.15.74-v7l+ #1595 SMP Wed Oct 26 11:05:08 BST 2022 armv7l
 +
 +The programs included with the Debian GNU/Linux system are free software;
 +the exact distribution terms for each program are described in the
 +individual files in /usr/share/doc/*/copyright.
 +
 +Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 +permitted by applicable law.
 +Last login: Wed Jul  6 08:14:38 2022 from 172.16.1.36
 +username@remote_host:~ $
 +</code>
 +\\
 +
 +If ssh-copy-id isn't available, copy the public key with //''ssh''// or print the public key and add it manually the the //''~/.ssh/authorized_keys"''// file on the remote_host.
 +//''cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"''//
 +
 +==== Configure key-based authentication only ====
 +
 +If you want the SSH Server to only allow key-based authentication, edit the //''/etc/ssh/sshd_config''// file on the remote_host.
 +
 +//''vi /etc/ssh/sshd_config''//
 +<code>
 +...
 +PasswordAuthentication no
 +...
 +</code>
 +
 +==== Restart the SSH Daemon ====
 +
 +Only required if the //''/etc/ssh/sshd_config''// has been modified
 +//''systemctl restart ssh''//
 +
 +----
 +===== Allow root login =====
 +
 +//''vi /etc/ssh/sshd_config''//
 +<code>
 +...
 +PermitRootLogin yes
 +...
 +</code>
 +
 +==== Restart the SSH Daemon ====
 +//''systemctl restart ssh''//
 +
  
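Review bot: The "Allow root login" section sets `PermitRootLogin yes` with no qualifier, which also lets root log in with a password and undoes the point of the key-based section above it unless `PasswordAuthentication no` has been applied as well. Suggest `PermitRootLogin prohibit-password` so root access stays key-only, plus a sentence saying when root login is actually needed. In "Configure key-based authentication only", add a step to confirm the key login works in a second session before setting `PasswordAuthentication no`, and to run `sshd -t` before `systemctl restart ssh`, since a mistake in `/etc/ssh/sshd_config` locks the user out of the remote_host. Smaller points: the fallback sentence reads "manually the the" and has a stray `"` inside `~/.ssh/authorized_keys"`; the heading `remote_host====` is missing the space before the closing markers; and the manual-copy one-liner should be followed by `chmod 700 ~/.ssh` and `chmod 600 ~/.ssh/authorized_keys` so the directory and file are not left at whatever the default umask gives them.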

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal