Saturday 6 October 2018

SSH Key-Based Authentication

I'm using reference [1] almost exclusively; it is easy to follow and very well written. The reason I am writing this down here is in case the referenced article goes offline.

Generating Keys

[mrbear@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mrbear/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Passphrases do not match. Try again.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mrbear/.ssh/id_rsa.
Your public key has been saved in /home/mrbear/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:etv4wn8 4843n3v48nvan80avw2408a4vn588an04845 mrbear@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| E o= . |
| o. o |
| .. |
| ..S |
| o o. |
| =o.+. |
|. =++.. |
|o=++. |
+-----------------+
[mrbear@localhost ~]$

Copying keys to the server

[mrbear@localhost ~]$ ssh-copy-id mrbear@www.mysite.org
The authenticity of host 'www.mysite.org (10.0.0.11)' can't be established.
ECDSA key fingerprint is SHA256:B&B(&BSf7bFSfb7fF&SFb7SF&tFibFuSOWWFuFBUf76.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
mrbear@www.mysite.org's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'mrbear@www.mysite.org'"
and check to make sure that only the key(s) you wanted were added.

[mrbear@localhost ~]$
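ssh-copy-id ends with a hint to check that only the intended key(s) were added. The script below is an added example (not from the original post and not part of ssh-copy-id): it lists the keys in a server-side authorized_keys file, counts them, and confirms that a given id_rsa.pub is among them, matching on key type and key material so that a different trailing comment does not hide a match. The file names, the sample authorized_keys and the key material are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post or from ssh-copy-id itself: inspect
# a server-side authorized_keys file and confirm that a given public key is in it.
# Keys are matched on type and key material only; the trailing comment is ignored
# because sshd ignores it as well.

# Print one "type material comment" line per key, dropping any leading options
# field such as from="10.0.0.0/24",no-pty. Assumes options contain no spaces.
list_authorized_keys() {
    awk '
        /^[[:space:]]*#/ { next }   # comment line
        NF == 0 { next }            # blank line
        {
            i = 1
            # If the first field is not a key type, it is an options field.
            if ($1 !~ /^(ssh-|ecdsa-|sk-)/) i = 2
            comment = ""
            for (j = i + 2; j <= NF; j++) comment = comment (comment == "" ? "" : " ") $j
            print $i, $(i + 1), comment
        }' "$1"
}

# Succeed (exit 0) when the public key in file $1 appears in authorized_keys $2.
key_is_authorized() {
    want_type=$(awk 'NR == 1 { print $1 }' "$1")
    want_blob=$(awk 'NR == 1 { print $2 }' "$1")
    list_authorized_keys "$2" | awk -v t="$want_type" -v b="$want_blob" '
        $1 == t && $2 == b { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Number of keys actually installed, to compare with what you expected to add.
count_authorized_keys() {
    list_authorized_keys "$1" | wc -l | tr -d ' '
}

# --- constructed sample files; the key material below is a placeholder, not a real key ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER0001 mrbear@localhost.localdomain\n' \
    > "$tmp/id_rsa.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER0003 other@elsewhere\n' \
    > "$tmp/unexpected.pub"
cat > "$tmp/authorized_keys" <<'EOF'
# keys for mrbear (constructed sample)
from="10.0.0.0/24",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0002 backup@nas

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER0001 mrbear@laptop
EOF

echo "installed keys:"
list_authorized_keys "$tmp/authorized_keys"
echo "count: $(count_authorized_keys "$tmp/authorized_keys")"
if key_is_authorized "$tmp/id_rsa.pub" "$tmp/authorized_keys"; then
    echo "id_rsa.pub is authorized (comment differs, key material matches)"
fi
```

Run it on the server against the real ~/.ssh/authorized_keys and the copy of id_rsa.pub you intended to install; a count higher than expected, or a key type you do not recognise in the listing, is the thing to look into.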

Logging in

[mrbear@localhost ~]$ ssh mrbear@www.mysite.org
Last login: Mon Sep 24 21:01:12 2018

Add to sudoers file

Found how to do this at [2].

[root@mysite ~]# usermod -aG wheel mrbear

Disabling Password Authentication

Edit the file /etc/ssh/sshd_config.

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

Then restart sshd:

# systemctl restart sshd.service

Now what you get when you try is:

$ ssh -l root www.mysite.org
root@www.mysite.org: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
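A trap with sshd_config is that, unlike most configuration files, the first uncommented occurrence of a keyword wins and later duplicates are silently ignored, so appending "PasswordAuthentication no" below a live "PasswordAuthentication yes" changes nothing. The script below is an added example (not from the original post or from OpenSSH): it reads a keyword the way sshd does, ignoring comments, comparing case-insensitively, taking the first match and stopping at the first Match block, and wraps that in a pass/fail check for the setting this section is about. The two sample configs are constructed; on a live host the authoritative answer is `sshd -T | grep -i passwordauthentication`.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH: report the value
# sshd will take from sshd_config for a keyword, using the file's own rules:
# comment lines are ignored, keywords are case-insensitive, the FIRST uncommented
# occurrence wins (later duplicates are silently ignored, the reverse of many
# config formats), and directives after a Match line are conditional, so the
# scan stops there. Assumes the "Keyword value" form, not "Keyword=value".
effective_sshd_option() {
    # $1 = config file, $2 = keyword
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == want { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Pass/fail form of the check this section is about.
password_auth_disabled() {
    v=$(effective_sshd_option "$1" PasswordAuthentication)
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "no" ]
}

# --- constructed sample configs ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Like the edit in the post: the stock line stays commented, a new line says no.
# The Match block re-enables passwords for one user only and must not change the global answer.
cat > "$tmp/sshd_config.good" <<'EOF'
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

Match User deploy
    PasswordAuthentication yes
EOF
# A common mistake: an earlier uncommented "yes" is left in place and "no" is
# appended at the bottom. sshd keeps the first one, so passwords stay enabled.
cat > "$tmp/sshd_config.bad" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

for f in good bad; do
    if password_auth_disabled "$tmp/sshd_config.$f"; then
        echo "$f: password authentication is off"
    else
        echo "$f: password authentication is STILL ON (effective value: $(effective_sshd_option "$tmp/sshd_config.$f" PasswordAuthentication))"
    fi
done
```

Run the check before restarting sshd, and keep an existing session open while you do: if the effective value is not "no", or the restart fails on a syntax error, you still have a way back in.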

Thank the heavens I no longer have to worry about messages as the one below:

root@mysite's password:
Last failed login: Sat Oct 6 10:12:48 CEST 2018 from 10.0.0.1 on ssh:notty
There were 56310 failed login attempts since the last successful login.
Last login: Tue Oct 2 23:23:41 2018
[root@mysite ~]#

I originally had installed fail2ban, as a way to protect against a password-based attack, but even the man page of fail2ban [3] indicates that the above way is pretty much better.

References

[1] Digital Ocean - How To Configure SSH Key-Based Authentication on a Linux Server
https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
[2] Top 20 OpenSSH Server Best Security Practices
https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
[3] Fail2ban
https://www.fail2ban.org/wiki/index.php/Main_Page
[4] How to disable ssh password login on Linux to increase security
https://www.cyberciti.biz/faq/how-to-disable-ssh-password-login-on-linux/
