server-security-wiki/secure-ssh.md

42 lines
1.2 KiB
Markdown
Raw Normal View History

2021-02-20 13:07:27 +00:00
# Secure SSH
## Disable root
Edit `/etc/ssh/sshd_config` and set `PermitRootLogin no` or if you really need root access, e.g. for backups set `PermitRootLogin forced-commands-only`.
## Use Public Key Authentication
Create a new key pair on your client:
```
2023-07-15 00:16:24 +00:00
ssh-keygen -t ed25519 -a 100
2021-02-20 13:07:27 +00:00
```
Remember the path and password you choosed. Append the created public key from `/<your-path>/<key-name>.pub` on your client in the `/home/<user>/.ssh/authorized_keys` on your server. Alternatively you can use the command `ssh-copy-id` on your local client. For this command you can do the following:
```bash
ssh-copy-id -i /<your-path>/<key-name>.pub user@host
```
2021-02-20 13:11:39 +00:00
Now edit `/etc/ssh/sshd_config` on your server and set the following values:
```
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
```
2021-02-20 13:07:27 +00:00
If you changed the path you can add the following to your `~/.ssh/config` file on your client:
```
Host <your-host-or-ip>
User <the-server-username> # optional
IdentityFile /<your-path>/<key-name>
2021-02-20 18:25:43 +00:00
IdentitiesOnly yes # useful if you have problems when trying to login
2021-02-20 13:07:27 +00:00
```
2021-02-20 13:11:39 +00:00
## Apply Changes
2021-02-20 13:07:27 +00:00
To apply changes you made in the ssh config simply run `systemctl restart ssh.service` or `service ssh restart`.