LKNOG Wiki

User Tools

Site Tools

Trace:
lknog3:netops:ssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
lknog3:netops:ssh [2019/10/01 18:53] – [Secure SHell (SSL)] lknog_adminlknog3:netops:ssh [2023/01/31 14:21] (current) – external edit 127.0.0.1
Line 9: Line 9:
  
   * Click open.   * Click open.
-  * It will ask for username followed by password. +  * When you are log in to a server for the first time putty will ask you to confirm crypto signature of the server. For the added security the signature by clicking **Yes** 
-  * Logout/close this session.+{{:lknog3:netops:signatr.png?400|}} 
 +  * Then It will ask for username followed by password. 
 +  * **logout** to close this session.
  
 ==== Public Key Authentication ==== ==== Public Key Authentication ====
Line 18: Line 20:
  
   * Start the PuTTYgen utility, by double-clicking on its .exe file.   * Start the PuTTYgen utility, by double-clicking on its .exe file.
-  * For Type of key to generate, select SSH-2 RSA+  * For Type of key to generate, select **RSA**
   * In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods).   * In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods).
   * Click the Generate button.   * Click the Generate button.
Line 28: Line 30:
   * A private/ public key pair has now been generated.   * A private/ public key pair has now been generated.
   * In the Key comment field, enter your email address.   * In the Key comment field, enter your email address.
-  * The Key passphrase field & re-type the same passphrase in the Confirm passphrase field.9. Click the Save private key button and save as private_key .+  * The Key passphrase field & re-type the same passphrase in the Confirm passphrase field. 
 +  * Click the Save private key button and save as private_key .
   *  Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All.   *  Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All.
 {{https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/puttygen2.png}} {{https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/puttygen2.png}}
Line 52: Line 55:
   * Tap the **i** key on your keyboard & right-click your mouse to paste.   * Tap the **i** key on your keyboard & right-click your mouse to paste.
   * To save, tap the following keys on your keyboard (in this order): **Esc, :wq** Enter.   * To save, tap the following keys on your keyboard (in this order): **Esc, :wq** Enter.
 +  * Log out from the server.
  
 === Create a PuTTY Profile to Save Your Server’s Settings === === Create a PuTTY Profile to Save Your Server’s Settings ===
Line 93: Line 97:
   * You will get some QR code output like bellow:   * You will get some QR code output like bellow:
 {{https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/qr.png}} {{https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/qr.png}}
 +
 +If you can't see the full QR code in your putty screen, use the google url given, on your browser.
  
 You will be prompted for some configurations. You will be prompted for some configurations.
Line 99: Line 105:
   * Next it will ask several questions; unless you have a good reason to, Just enter "y" for them.   * Next it will ask several questions; unless you have a good reason to, Just enter "y" for them.
 <code> <code>
-Do you want me to update your "/home/fakrul/.google_authenticator" file (y/n)+Do you want me to update your "/home/thilina/.google_authenticator" file(y/n) 
 Do you want to disallow multiple uses of the same authentication Do you want to disallow multiple uses of the same authentication
 token? This restricts you to one login about every 30s, but it increases token? This restricts you to one login about every 30s, but it increases
-your chances to notice or even prevent man-in-the-middle attacks (y/n) +your chances to notice or even prevent man-in-the-middle attacks (y/n) 
-By default, tokens are good for 30 seconds and in order to compensate for + 
-possible time-skew between the client and the server, we allow an extra +By default, a new token is generated every 30 seconds by the mobile app. 
-token before and after the current time. If you experience problems with poor +In order to compensate for possible time-skew between the client and the server, 
-time synchronization, you can increase the window from its default +we allow an extra token before and after the current time. This allows for a 
-size of 1:30min to about 4min. Do you want to do so (y/n)+time skew of up to 30 seconds between authentication server and client. If you 
 +experience problems with poor time synchronization, you can increase the window 
 +from its default size of 3 permitted codes (one previous code, the current 
 +code, the next code) to 17 permitted codes (the 8 previous codes, the current 
 +code, and the 8 next codes)This will permit for a time skew of up to 4 minutes 
 +between client and server. 
 +Do you want to do so(y/n) 
 If the computer that you are logging into isn't hardened against brute-force If the computer that you are logging into isn't hardened against brute-force
 login attempts, you can enable rate-limiting for the authentication module. login attempts, you can enable rate-limiting for the authentication module.
 By default, this limits attackers to no more than 3 login attempts every 30s. By default, this limits attackers to no more than 3 login attempts every 30s.
-Do you want to enable rate-limiting (y/n)+Do you want to enable rate-limiting(y/n) 
 </code> </code>
  
 === Enable two factor authentication for SSH === === Enable two factor authentication for SSH ===
-  * Edit the /etc/pam.d/sshd file+  * Edit the /etc/pam.d/common-session file
 <code> <code>
-sudo vi /etc/pam.d/sshd+sudo vi /etc/pam.d/common-session
 </code> </code>
-  * Add the following line:+  * Add the following line at the end:
 <code> <code>
-auth required pam_google_authenticator.so+auth required pam_google_authenticator.so nullok
 </code> </code>
   * **:wq** Save and quit.   * **:wq** Save and quit.
Line 132: Line 147:
 ChallengeResponseAuthentication yes ChallengeResponseAuthentication yes
 </code> </code>
 +  * Add following to the end.
 +<code>
 +AuthenticationMethods publickey,keyboard-interactive
 +</code> 
   * **:wq** Save and quit.   * **:wq** Save and quit.
   * Now you need to reload the ssh service. You can do it to way:   * Now you need to reload the ssh service. You can do it to way:
lknog3/netops/ssh.1569956010.txt.gz · Last modified: 2023/01/31 14:21 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki