83 lines
1.6 KiB
Markdown
83 lines
1.6 KiB
Markdown
## Secure Shell (SSH)
|
|
|
|
### Generate SSH key pair
|
|
|
|
```console
|
|
$ ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "john@example.com"
|
|
```
|
|
|
|
#### Change private key permissions
|
|
|
|
```console
|
|
$ chmod 600 ~/.ssh/id_ed25519
|
|
```
|
|
|
|
### Client usage
|
|
|
|
To connect to a server, run:
|
|
|
|
```
|
|
$ ssh -p port user@server-address
|
|
```
|
|
|
|
`port` for default is `22`
|
|
|
|
#### Copy SSH key
|
|
|
|
1. `sudo apt-get install xclip` or `sudo pacman -S xclip`
|
|
2. `xclip -sel clip < ~/.ssh/id_rsa.pub`
|
|
|
|
#### Configuration
|
|
|
|
The client can be configured to store common options and hosts. All options can be declared globally or restricted to specific hosts. For example:
|
|
|
|
```bash
|
|
nano -w ~/.ssh/config
|
|
-------------------------------
|
|
# host-specific options
|
|
Host myserver
|
|
HostName ssh.heckyel.ga
|
|
IdentityFile ~/.ssh/id_rsa
|
|
user Snowden
|
|
Port 22
|
|
ServerAliveInterval 5
|
|
```
|
|
|
|
With such a configuration, the following commands are equivalent
|
|
|
|
```console
|
|
$ ssh -p port user@server-address
|
|
```
|
|
|
|
```console
|
|
$ ssh myserver
|
|
```
|
|
|
|
### Server usage
|
|
|
|
#### Configuration
|
|
|
|
The SSH daemon configuration file can be found and edited in /etc/ssh/sshd_config.
|
|
|
|
To allow access only for some users add this line:
|
|
|
|
AllowUsers user1 user2
|
|
|
|
To allow access only for some groups:
|
|
|
|
AllowGroups group1 group2
|
|
|
|
To add a nice welcome message (e.g. from the /etc/issue file), configure the Banner option:
|
|
|
|
Banner /etc/issue
|
|
|
|
#### Securing the authorized_keys file
|
|
|
|
For additional protection, you can prevent users from adding new public keys and connecting from them.
|
|
|
|
In the server, make the authorized_keys file read-only for the user and deny all other permissions:
|
|
|
|
```console
|
|
$ chmod 400 ~/.ssh/authorized_keys
|
|
```
|