DEV Community

Akalezi Caleb🌴

Mastering SSH Configuration: Enhancing Security with Key-Based Authentication

Secure Shell (SSH) is the dominant protocol for remote access to computers, providing an encrypted and authenticated channel to a system. OpenSSH, the open-source implementation of SSH shipped by most Linux distributions, follows a client-server model: the sshd daemon listens on the server and the ssh client connects to it.
By default, OpenSSH listens on TCP port 22. An important aspect of OpenSSH configuration is key-based authentication, which replaces guessable, reusable passwords with a cryptographic key pair and also simplifies logging in.

As organizations strive to protect their systems and sensitive data, understanding and implementing key-based authentication becomes crucial. This lab explores SSH configuration with a focus on leveraging key-based authentication. By generating cryptographic key pairs and configuring SSH servers and clients, administrators can improve security and reduce risks associated with passwords.

This tutorial covers server configuration, key pair generation, key-based authentication setup, disabling password authentication, and optional port customization for further hardening. Gain expertise in securing remote access and safeguarding sensitive data through SSH configuration techniques.

Prerequisites
To follow along, I assume you have Oracle VM VirtualBox installed.
For our server, we're using a Kali Linux VM.
As our client, we're using Fedora Linux.
Familiarity with Linux and the bash command line.
Familiarity with networking concepts and operating systems.

So, let's start.

Step 1

Check that SSH is installed on both the client and the server.
Running ssh -V on the command line prints the version of OpenSSH installed on the system.


Step 2

Configure the SSH server to accept SSH connections.
This means making sure the SSH daemon (sshd) is installed and running on the server.
Run this command to check the state of the SSH service (on Kali and other Debian-based systems the systemd unit is called ssh):
sudo systemctl status ssh

If systemctl reports that the unit could not be found, you need to install the openssh-server package.
To install it, run the following commands:
sudo apt update
sudo apt install openssh-server
Then run the status command again to confirm the daemon is active.


To make the service start automatically at boot, enable it:
sudo systemctl enable ssh
Note that enable on its own does not start the daemon right now: use sudo systemctl enable --now ssh to enable and start it in one step, or sudo systemctl start ssh if the status output shows it is inactive.


Step 3

Get the IPv4 address and username of the server.
Running hostname -I on the server prints every IP address assigned to it; use the one on the VirtualBox network that the client can reach.
whoami prints the username you are logged in as, which is the account you will SSH into.


Step 4

Now we connect to the server from the client computer, using a syntax that looks like an email address.
The syntax is ssh serverusername@serverIP
In my case, I run ssh caleb@192.168.100.6
On the first connection you are shown the server's host key fingerprint and asked whether to trust it. Verify it rather than accepting blindly: on the server, ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub prints the fingerprint to compare against. Once accepted, it is stored in ~/.ssh/known_hosts on the client and ssh will warn loudly if it ever changes. You are then asked for the server password, and you are in the shell of the server.


Step 5

Key-based authentication configuration
The client computer generates a key pair: a public key and a private key that are cryptographically matched.
The public key is uploaded to the server; the private key stays on the client and should never leave it.
ssh-keygen is the command-line tool used for generating SSH key pairs.
To generate a key pair, save it under the hidden .ssh directory and attach a comment to the key, I run this command:

ssh-keygen -t ed25519 -f ~/.ssh/caleb -C "calebfedora"

ssh-keygen is the program that generates the SSH key pair.
-t ed25519 selects the Ed25519 algorithm, the current recommended choice: small keys, fast signatures and no key size to get wrong (unlike RSA, where you also have to choose an adequate size).
-f ~/.ssh/caleb saves the generated keys under the filename caleb in the hidden .ssh directory (the public half gets a .pub suffix, giving caleb.pub).
-C "calebfedora" attaches a comment describing who the key is for. I've set the comment here to "calebfedora". The comment is stored in the public key and is what you will later see in authorized_keys on the server.

You will be asked to enter a passphrase, then to confirm it. Use a strong one: the passphrase encrypts the private key on disk, so a copied key file is useless without it. At this point your screen should look like this and the keys have been created.


Listing the hidden directory with the command
ls -l ~/.ssh will show you the generated keys: caleb (the private key, created with mode 600 so only you can read it) and caleb.pub (the public key).

Step 6

Send the public key to the remote server using the ssh-copy-id command.
The syntax is
ssh-copy-id -i ~/.ssh/caleb.pub caleb@192.168.100.6

ssh-copy-id is the command used to install a public key on a remote server so that SSH can authenticate with the matching private key instead of a password.
-i ~/.ssh/caleb.pub specifies the path to the public key file that will be copied to the remote server. The .pub extension indicates that it is the public half of the SSH key pair; make sure you pass the .pub file and not the private key.
caleb@192.168.100.6 specifies the destination user and server where the public key will be installed.
When you run this command, it appends the contents of caleb.pub to ~/.ssh/authorized_keys in that user's home directory on the server (creating the directory and file with the restrictive permissions sshd requires if they do not exist yet), allowing you to authenticate with your private key instead of a password when connecting via SSH.

You will be prompted for the server's password one last time; your screen should then look like this, indicating the key was added successfully.
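To make clear what ssh-copy-id does on the server side, here is an added example (not from the original post) that performs the same installation by hand in POSIX shell: it creates ~/.ssh with mode 700, appends the key to authorized_keys only if that exact line is not already there, and keeps the file at mode 600. sshd runs with StrictModes yes by default and silently ignores authorized_keys when the directory or file is writable by others, which is the most common reason key login "mysteriously" falls back to a password. The home directory is a parameter so the function can be exercised on a scratch directory, and the public key string is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: a hand-written equivalent of the
# server-side part of ssh-copy-id. Assumes POSIX sh, grep, mkdir and mktemp.

# install_authorized_key HOME_DIR PUBKEY_LINE
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless an identical line
# is already present, and enforces the permissions sshd's StrictModes expects.
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # directory must not be group/world writable
    touch "$auth_file"
    chmod 600 "$auth_file"        # same rule for the file itself

    # -F fixed string, -x whole line, -q quiet: is this exact key already there?
    if grep -Fxq -- "$pubkey" "$auth_file"; then
        return 0                  # already installed, keep the file unchanged
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# count_authorized_keys HOME_DIR
# Prints the number of key lines in authorized_keys (blank and comment lines
# are not counted); prints 0 when the file is empty or missing.
count_authorized_keys() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
        "$1/.ssh/authorized_keys" 2>/dev/null || true
}

# Constructed public key for the demo; the base64 blob is NOT valid key material.
DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexampleEXAM calebfedora'

# Demo: install the same key twice into a scratch "home" directory.
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_HOME" "$DEMO_PUBKEY"
install_authorized_key "$DEMO_HOME" "$DEMO_PUBKEY"
echo "authorized keys installed: $(count_authorized_keys "$DEMO_HOME")"   # 1
```

Running it twice with the same key leaves a single line in authorized_keys, which is the idempotency ssh-copy-id also gives you; a second, different key adds a second line.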


Running the ssh command again,
ssh caleb@192.168.100.6, now asks me for the key's passphrase instead of the server password.
SSH itself has no keychain: what remembers the passphrase on a Fedora desktop is the GNOME keyring's SSH agent, which picks up keys under ~/.ssh and offers to keep them unlocked for the session, so we won't have to enter the passphrase again the next time we connect. On a headless client, start ssh-agent and load the key with ssh-add ~/.ssh/caleb to get the same effect. If ssh falls back to the password prompt instead, it is usually because the key has a non-default filename (on its own, ssh only tries id_ed25519, id_rsa and the other default names): pass -i ~/.ssh/caleb explicitly or add a Host entry for the server in ~/.ssh/config.
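A client-side configuration entry that pins the key to this server, added here as an example and not taken from the original post. The host alias kali is my choice; the address, user and key path are the ones used in this tutorial, so adjust them for your setup.

```sshconfig
# ~/.ssh/config on the Fedora client (added example, not from the post).
Host kali
    HostName 192.168.100.6
    User caleb
    IdentityFile ~/.ssh/caleb
    # Offer only this key, not every key the agent holds: keeps other keys
    # private from this server and avoids "Too many authentication failures".
    IdentitiesOnly yes
    # Port 6789      # uncomment if you move the server off port 22 later
```

With this in place, ssh kali connects with the right user, key and port, and ssh-copy-id and scp pick up the same settings.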

Step 7

Turning off password authentication on the server
Disabling password authentication is an essential step in SSH hardening: once only keys are accepted, password brute-force and credential-stuffing attacks against sshd stop being possible at all. Only do this after you have confirmed that key-based login works, and keep your current SSH session open while you make the change so you can back it out if a new connection fails.
On the server, we edit the SSH daemon's configuration file. Run this command to open it:

sudo nano /etc/ssh/sshd_config
Scroll down to the line #PasswordAuthentication yes, remove the leading # so the line is active, and change yes to no.
Your screen should look like this
Your screen should look like this


Save the change, check that sshd still parses its configuration (sudo sshd -t prints nothing when the file is valid and an error with a line number otherwise), and then reload the daemon so it picks up the new setting without dropping existing sessions:
sudo systemctl reload ssh
Then confirm from the client, in a new terminal, that a connection still succeeds with the key. You can also check the effective value on the server with sudo sshd -T | grep -i passwordauthentication, which reports what sshd is actually using after all files and defaults are combined. On Debian-based systems, also set KbdInteractiveAuthentication no (spelled ChallengeResponseAuthentication on older OpenSSH releases); otherwise PAM can still offer a password prompt through keyboard-interactive authentication.
Another SSH hardening technique is to change the default port from 22 to another port number by setting Port in the same file. This does not make the service any harder to break into, but it sharply reduces the noise from automated scanners and brute-force bots that only try port 22; remember to allow the new port through any firewall on the server before reloading sshd.

For instance, if we change the port to 6789, the client command becomes
ssh -p 6789 caleb@192.168.100.6
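As an added example (not part of the original post), the following POSIX shell script applies Step 7 and the optional port change as a drop-in file and then checks the effective configuration from a saved sshd -T dump. It assumes the stock Debian/Kali sshd_config, which begins with Include /etc/ssh/sshd_config.d/*.conf; because sshd keeps the first value it sees for each keyword, a drop-in in that directory overrides whatever the main file says (if your sshd_config lacks the Include line, put the same keywords in sshd_config itself). The directory, port and dump file are parameters so the functions can be exercised on a scratch directory, as the demo at the bottom does, without touching a live server; the sshd -T output used in the demo is constructed, and the file name 60-key-only.conf is my choice.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, awk and mktemp.

# write_sshd_hardening_dropin DROPIN_DIR PORT
# Writes a drop-in that turns off every password path and moves the port.
write_sshd_hardening_dropin() {
    dropin_dir=$1
    port=$2
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/60-key-only.conf" <<EOF
# Key-only authentication (Step 7 of the post).
PubkeyAuthentication yes
PasswordAuthentication no
# On Debian-family systems PAM can still offer a password prompt through
# keyboard-interactive auth unless this is disabled as well
# (older OpenSSH spells it ChallengeResponseAuthentication).
KbdInteractiveAuthentication no
# Optional: move off port 22 (open the new port in the firewall first).
Port $port
EOF
    chmod 644 "$dropin_dir/60-key-only.conf"
}

# check_effective_config DUMP_FILE
# DUMP_FILE holds the output of `sudo sshd -T` (lowercase keyword, value, one
# per line). Returns 0 when password logins are off and key logins are on,
# 1 otherwise, including when a keyword is missing from the dump.
check_effective_config() {
    dump=$1
    pa=$(awk '$1=="passwordauthentication"{print $2}' "$dump")
    ki=$(awk '$1=="kbdinteractiveauthentication"{print $2}' "$dump")
    pk=$(awk '$1=="pubkeyauthentication"{print $2}' "$dump")
    [ "$pa" = "no" ] && [ "$ki" = "no" ] && [ "$pk" = "yes" ]
}

# Demo on a scratch directory with constructed `sshd -T` dumps.
DEMO_DIR=$(mktemp -d)
write_sshd_hardening_dropin "$DEMO_DIR/sshd_config.d" 6789

cat > "$DEMO_DIR/before.txt" <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
EOF
cat > "$DEMO_DIR/after.txt" <<'EOF'
port 6789
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
EOF

check_effective_config "$DEMO_DIR/before.txt" && echo "before: key-only" \
    || echo "before: passwords still accepted"
check_effective_config "$DEMO_DIR/after.txt" && echo "after: key-only" \
    || echo "after: passwords still accepted"
```

On the real server you would run write_sshd_hardening_dropin /etc/ssh/sshd_config.d 6789 as root, validate with sudo sshd -t, reload the service, and then feed the output of sudo sshd -T to check_effective_config from a second terminal while the original session stays open as a safety net.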
