====== Security ======

===== Configure SSH Key-Based Authentication =====

==== Generate a public/private keypair ====

//''ssh-keygen -b 4096 -t rsa''//

  username@client:~ $ ssh-keygen -b 4096 -t rsa
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/username/.ssh/id_rsa):
  Created directory '/home/username/.ssh'.
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/username/.ssh/id_rsa
  Your public key has been saved in /home/username/.ssh/id_rsa.pub
  The key fingerprint is:
  SHA256:Jdf1vcisLk7l3FKMqAFT+4I3A9vBITCMfRSNBqIMTjM username@client
  The key's randomart image is:
  +---[RSA 4096]----+
  |XE.oo+ . . |
  |X+= + o . . . ..|
  |o= o o .. o . o|
  |..o . + .+. = . .|
  |.. + . oSo o * . |
  | o + + + |
  | . . = . |
  | ... . |
  | .... |
  +----[SHA256]-----+
  username@client:~ $

\\

==== Copy the public key from the client to the remote_host ====

//''ssh-copy-id username@remote_host''//

  username@client:~ $ ssh-copy-id username@remote_host
  /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_rsa.pub"
  The authenticity of host 'remote_host (remote_host)' can't be established.
  ECDSA key fingerprint is SHA256:bIeIlzk+BiG8ou+XOtlir5O2PoKQJqq5UFkWzOAtid4.
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
  /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
  username@remote_host's password:
  Number of key(s) added: 1
  Now try logging into the machine, with: "ssh 'username@remote_host'"
  and check to make sure that only the key(s) you wanted were added.
  username@client:~ $ ssh username@remote_host
  Linux remote_host 5.15.74-v7l+ #1595 SMP Wed Oct 26 11:05:08 BST 2022 armv7l
  The programs included with the Debian GNU/Linux system are free software;
  the exact distribution terms for each program are described in the
  individual files in /usr/share/doc/*/copyright.
  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
  permitted by applicable law.
  Last login: Wed Jul 6 08:14:38 2022 from 172.16.1.36
  username@remote_host:~ $

\\

If ssh-copy-id isn't available, copy the public key with //''ssh''// or print the public key and add it manually to the //''~/.ssh/authorized_keys''// file on the remote_host.

//''cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"''//

==== Configure key-based authentication only ====

If you want the SSH server to allow only key-based authentication, edit the //''/etc/ssh/sshd_config''// file on the remote_host.

//''vi /etc/ssh/sshd_config''//

  ...
  PasswordAuthentication no
  ...

==== Restart the SSH Daemon ====

Only required if //''/etc/ssh/sshd_config''// has been modified.

//''systemctl restart ssh''//

----

===== Allow root login =====

//''vi /etc/ssh/sshd_config''//

  ...
  PermitRootLogin yes
  ...

==== Restart the SSH Daemon ====

//''systemctl restart ssh''//
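
The following check is an added example, not part of the original page: it reads effective settings in the format printed by ''sshd -T'' and fails if a password login path remains after the //''PasswordAuthentication''// and //''PermitRootLogin''// edits above. The function name ''check_sshd_effective'' and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Reads effective sshd settings
# in `sshd -T` format ("keyword value", one per line) on stdin and checks
# that no password login path is left open.
# check_sshd_effective is a hypothetical helper name.
check_sshd_effective() {
    awk '
    # Normalise case and keep the first value seen for each keyword,
    # matching how sshd treats repeated keywords.
    NF >= 2 { k = tolower($1); if (!(k in cfg)) cfg[k] = tolower($2) }

    function report(ok, msg) {
        printf "%s %s\n", (ok ? "OK" : "FAIL"), msg
        if (!ok) rc = 1
    }

    END {
        rc = 0
        pub = cfg["pubkeyauthentication"]
        pw = cfg["passwordauthentication"]
        # Older OpenSSH releases name this keyword challengeresponseauthentication.
        if ("kbdinteractiveauthentication" in cfg) kbd = cfg["kbdinteractiveauthentication"]
        else kbd = cfg["challengeresponseauthentication"]
        root = cfg["permitrootlogin"]

        report(pub == "yes", "pubkeyauthentication=" pub)
        report(pw == "no", "passwordauthentication=" pw)
        # Keyboard-interactive auth can still ask for a password through PAM.
        report(kbd == "no", "kbdinteractiveauthentication=" kbd)
        # "permitrootlogin yes" is key-only in practice only when both
        # password paths above are switched off.
        pw_open = (pw != "no" || kbd != "no")
        note = pw_open ? " (root password login possible)" : ""
        report(!(root == "yes" && pw_open), "permitrootlogin=" root note)
        exit rc
    }'
}

# Constructed sample: both edits from this page applied.
sample_hardened='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin yes'
# Constructed sample: root login allowed while passwords are still enabled.
sample_weak='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitrootlogin yes'

printf '%s\n' "$sample_hardened" | check_sshd_effective
printf '%s\n' "$sample_weak" | check_sshd_effective || echo "password login still possible"
```

On the remote_host, run ''sshd -T | check_sshd_effective'' as root after editing //''/etc/ssh/sshd_config''//, and keep the current session open until a new key-based login succeeds.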