I. Abstract
As all of us know, there are plenty of bad guys out there trying to brute-force our SSH ports. The following article describes the first steps to perform when setting up a new webserver running Debian Etch.
For security reasons we recommend applying these howtos before proceeding:
- Mandatory: How to secure your Debian server by updating the buggy openSSH Debian package (read tutorial here)
- Optional: How to secure your Debian server by changing the SSH port number (read tutorial here)
The following howto will show you how to enable SSH login without a server-side password (passwordless login) and how to disable password login in general on your server.
II. Generate SSH public- private-key pair
- Generate keypair on your Linux client machine (works on Cygwin and Mac OS X as well!)
client$ mkdir ~/.ssh
client$ chmod 700 ~/.ssh
client$ cd .ssh
client$ ssh-keygen -q -f id_rsa -t rsa
- You will be asked to provide a passphrase to encrypt your private key. Although you might leave this empty, we strongly recommend providing one, for your own safety.
- In the folder called .ssh you will then find these two files:
  id_rsa      contains the private key (encrypted with your passphrase)
  id_rsa.pub  contains the public key (to be put on your Etch webserver)
III. Upload public-key to server
- In detail: the contents of id_rsa.pub (which is in fact a text file) are pushed via ssh to your root's home folder and saved there as id_rsa.remote:
client$ cat id_rsa.pub | ssh root@yourdomain.net cat ">" id_rsa.remote
IV. Activate public- private-key authentication
- Log in to your server
client$ ssh root@yourdomain.net (provide your password)
- You may install nano (if you like vim, stay with vim); imho nano is faster for simpler tasks, but vim is much more powerful, so having both is no loss ;-)
server$ apt-get install nano
- Edit SSH configuration to allow public-key login
server$ nano /etc/ssh/sshd_config
- Set AuthorizedKeysFile (still in sshd_config):
AuthorizedKeysFile %h/.ssh/authorized_keys
- Disallow password-driven login (still in sshd_config):
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
- Save and exit (in nano: ctrl + x)
- Restart the SSH daemon
server$ /etc/init.d/ssh restart
- Go back to your root’s home folder
server$ cd
- Make the .ssh directory
server$ mkdir .ssh
- Copy uploaded id_rsa.remote to .ssh folder
server$ cp id_rsa.remote .ssh/authorized_keys
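A small audit script, added here as an example and not part of the original howto, that checks the two sshd_config settings from this section the way sshd actually reads them (the first uncommented occurrence of a keyword wins, so a stray "PasswordAuthentication yes" higher up in the file silently overrides your "no") and that the server-side .ssh directory and authorized_keys are not group- or other-writable, which sshd's StrictModes (on by default) insists on. It assumes GNU stat as shipped on Debian; the sample config files and the .ssh directory are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original howto. Audits the two sshd_config
# directives section IV changes, using sshd's first-match-wins rule, and
# checks that the server-side .ssh directory and authorized_keys are not
# group/other writable (what StrictModes, on by default, requires).
# Assumes GNU stat (Debian); "0$mode" relies on POSIX octal arithmetic.

# effective_setting FILE KEY: print the first uncommented value of KEY
effective_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print "ok" or the offending settings; status 1 on problems
audit_sshd_config() {
    problems=""
    pa=$(effective_setting "$1" PasswordAuthentication)
    [ "$pa" = "no" ] || problems="$problems PasswordAuthentication=${pa:-unset}"
    akf=$(effective_setting "$1" AuthorizedKeysFile)
    [ -n "$akf" ] || problems="$problems AuthorizedKeysFile=unset"
    [ -z "$problems" ] && { echo ok; return 0; }
    echo "${problems# }"; return 1
}

# audit_key_perms DIR: fail if DIR or DIR/authorized_keys is group/other writable
audit_key_perms() {
    for path in "$1" "$1/authorized_keys"; do
        mode=$(stat -c %a "$path") || return 1
        [ $(( 0$mode & 022 )) -eq 0 ] || { echo "$path is mode $mode"; return 1; }
    done
    echo ok
}

# Constructed sample data: a hardened config, a config with a stray "yes"
# left above the "no" (the first line wins, so passwords stay enabled),
# and a .ssh directory with the permissions the server-side step should end up with.
demo=$(mktemp -d)
printf '%s\n' '# comment' 'AuthorizedKeysFile %h/.ssh/authorized_keys' \
    'PasswordAuthentication no' > "$demo/good_config"
printf '%s\n' 'PasswordAuthentication yes' 'AuthorizedKeysFile %h/.ssh/authorized_keys' \
    'PasswordAuthentication no' > "$demo/bad_config"
mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
touch "$demo/.ssh/authorized_keys" && chmod 600 "$demo/.ssh/authorized_keys"

audit_sshd_config "$demo/good_config"          # prints: ok
audit_sshd_config "$demo/bad_config" || true   # prints: PasswordAuthentication=yes
audit_key_perms "$demo/.ssh"                   # prints: ok
```

Run it against /etc/ssh/sshd_config and /root/.ssh before restarting sshd; a "PasswordAuthentication=yes" result means your "no" is being shadowed by an earlier line.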
V. Test your configuration
- Don’t log out of your server, instead open a second terminal on your client machine to test your new configuration:
client2$ ssh root@yourdomain.net
(provide the passphrase for your private-key)
- If everything works well, congratulations, you're done; consider clicking our sponsor (non-offensive Google AdSense) to help keep this project free for all of you…
VI. Further steps
If you haven't done so already: to further improve your server's security you probably want to change the SSH port from 22 to something else. Read here how to do that…