Creating a key to have access to your server through ssh is the safest way to get access to your server.<\/p>\n
In your client machine just type:<\/p>\n
ssh-keygen -t rsa-sha2-512 -b 4096 -C \"user@domain.com\"<\/pre>\nOr, for an elliptic curve signing algorithm alternative:<\/p>\n
ssh-keygen -t ed25519 -C \"user@domain.com\"<\/pre>\nIt is going to ask you the location, just hit “Enter”, and if you want a password just type, confirm, and the key is created.<\/p>\n
When needed to change the password of the private key issue:<\/p>\n
ssh-keygen -p -f ~\/.ssh\/id_dsa<\/pre>\nOr simply:<\/p>\n
ssh-keygen -p<\/pre>\nFor manually extract the public key from the private:<\/p>\n
ssh-keygen -y -f ~\/.ssh\/id_rsa > ~\/.ssh\/id_rsa.pub<\/pre>\nThe whole directory must be protected from being read by other users:<\/p>\n
chmod 700 -R ~\/.ssh<\/pre>\nTo transfer your key to the server issue the command:<\/p>\n
ssh-copy-id user@domain.com<\/pre>\nConfirm the password that you used to type to log in to your server.<\/p>\n
The public key can be manually installed by appending the id_rsa.pub<\/strong> into the authorized_keys<\/strong>.<\/p>\n
cat ~\/.ssh\/id_rsa.pub >> ~\/.ssh\/authorized_keys<\/pre>\nTo check the algorithm type of an existent key:<\/p>\n
ssh-keygen -l -f ~\/.ssh\/id_rsa<\/pre>\nDone!<\/strong> Now just try to connect again.<\/p>\n
ssh domain.com<\/pre>\nIf you did everything correctly you are already logged in.<\/p>\n
It is always a good idea to have another account set just in case you type something wrong and lock yourself out. If this is the case, log in with the second account, switch to your user, or root, and delete the files inside the folder ~\/.ssh\/.<\/p>\n
As a good practice, always protect your SSH as much as you can. See the recommendations below:<\/p>\n
sudo nano \/etc\/ssh\/sshd_config<\/pre>\nConfiguration parameters you should pay attention to:<\/p>\n
AllowUsers user<\/strong>\r\nPermitRootLogin no\r\nPubkeyAuthentication yes\r\nPasswordAuthentication no\r\nPermitEmptyPasswords no<\/pre>\nReplace “user<\/strong>” with your own user id.\u00a0Restart your server:<\/p>\n
sudo systemctl restart sshd.service<\/pre>\nConsider using an SSHFP<\/strong> (SSH FingerPrint) record in your DNS<\/strong> zone. It will require the following information.<\/span><\/p>\n
\n
- Algorithm<\/strong> (integer)\n
\n
- 1: RSA<\/li>\n
- 2: DSA<\/li>\n
- 3: ECDSA<\/li>\n
- or other.<\/li>\n<\/ul>\n<\/li>\n
- Hash\u00a0<\/strong>Type<\/strong> (integer)\n
\n
- 1: SHA-1<\/li>\n
- 2: SHA-256<\/li>\n
- or other.<\/li>\n<\/ul>\n<\/li>\n
- Fingerprint<\/strong> (text)\n
\n
- Hexadecimal representation of the hash result.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
To obtain the hash and its parameters issue the following command against the Public key with the domain\/IP information.<\/p>\n
ssh-keygen -r domain.com<\/strong> -f ~\/.ssh\/id_rsa.pub<\/strong><\/pre>\nThe output may offer a few options (one per line), where the highlighted numbers are Algorithm<\/strong> (RSA) and Hash Type<\/strong> (SHA-1 and SHA-256) respectively, followed by the Fingerprint<\/strong>.<\/p>\n
domain.com IN SSHFP 1 1<\/strong> 5fc287e33f114f495269480222934d2da805e634<\/strong><\/span>\r\ndomain.com IN SSHFP 1 2<\/strong> c208d0046676861e11437931eba71c604c499ced7fd24bacd7838daa6842d633<\/strong><\/span><\/pre>\nFor ECDSA<\/strong>, would look like this.<\/p>\n
domain.com IN SSHFP 4<\/strong> 1 e65c171139b05c47a44c869d2dffc4dfe255201e\r\ndomain.com IN SSHFP 4<\/strong> 2 3f9648811a18efcdf7976a04eea49af1edb433d0ec9ac28c19d0c29d059e9c70<\/pre>\n
\nBONUS<\/strong><\/p>\n
If you need to hop on a server that is the entry point of a network to reach one internal server, use the ProxyJump functionality:<\/p>\n
ssh -J user1@200.200.200.200 user2@10.0.0.1<\/pre>\nOr create a configuration to automate this process:<\/p>\n
nano ~\/.ssh\/config<\/pre>\nWith the following configuration customized accordingly:<\/p>\n
Host external\r\n HostName 200.200.200.200\r\n User user1\r\nHost internal\r\n HostName 10.0.0.1\r\n User user2\r\n IdentityFile ~\/.ssh\/id_rsa\r\n ProxyJump external<\/pre>\nMany other parameters can be configured in this file:<\/p>\n
Host serverA\r\n HostName 192.168.0.1\r\n User user3\r\n Port 2222\r\n Protocol 2\r\n IdentityFile ~\/.ssh\/serverA.key\r\n LogLevel INFO\r\n Compression yes\r\n ServerAliveInterval 60\r\n ServerAliveCountMax 30\r\n ForwardAgent no\r\n ForwardX11 no\r\n ForwardX11Trusted yes\r\n ProxyJump user1@10.0.0.1:22,user2@10.10.10.100:2222\r\n\r\nHost * !192.168.0.1\r\n User ubuntu<\/pre>\nOr to bypass any pre-configuration and only give the arguments of the command:<\/p>\n
ssh -F \/dev\/null user@host<\/pre>\nDon’t forget to check out LazySSH<\/strong> [Link<\/a>]. It reads the
~\/.ssh\/config<\/code> file and presents a TUI for easy hop-on and off configured servers.<\/p>\n
\nREAD MORE<\/strong><\/p>\n
\n
- Discover new functionalities over SSH on the post Reverse Shell with AutoSSH<\/strong> [Link<\/a>].<\/li>\n
- Highlight bad practices and smells with SSH Audit Server and Client<\/strong> [Link<\/a>].<\/li>\n
- Apply defence in layers by Using Port Knocking to Secure SSH<\/strong> [Link<\/a>].<\/li>\n
- You can not skip Hardening OpenSSH with 2FA<\/strong> [Link<\/a>].<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Creating a key to have access to your server through ssh is the safest way […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6],"tags":[],"class_list":["post-423","post","type-post","status-publish","format-standard","hentry","category-linux","category-raspberry-pi"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=423"}],"version-history":[{"count":19,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/423\/revisions"}],"predecessor-version":[{"id":5173,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/423\/revisions\/5173"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}