lknog3:netops:ssh

Differences

This shows you the differences between two versions of the page.

lknog3:netops:ssh [2019/10/01 18:53] – created lknog_adminlknog3:netops:ssh [2023/01/31 14:21] (current) – external edit 127.0.0.1
Line 1: Line 1:
-===== Secure SHell (SSL) =====+===== Secure SHell (SSH) =====
  
  
Line 9: Line 9:
  
   * Click open.   * Click open.
-  * It will ask for username followed by password. +  * When you are log in to a server for the first time putty will ask you to confirm crypto signature of the server. For the added security the signature by clicking **Yes** 
-  * Logout/close this session.+{{:lknog3:netops:signatr.png?400|}} 
 +  * Then It will ask for username followed by password. 
 +  * **logout** to close this session.
  
 ==== Public Key Authentication ==== ==== Public Key Authentication ====
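Review bot: the new host-key bullet tells the reader to accept the server's signature by clicking **Yes** but never to check it, and the sentence "For the added security the signature by clicking **Yes**" is missing its verb. Clicking **Yes** only caches whatever key the server presented, so the protection against a man-in-the-middle on the first connection comes from comparing the fingerprint PuTTY shows with one obtained out of band (from the server administrator or from the server's console) before accepting it. Suggest: "When you log in to a server for the first time, PuTTY shows the server's host-key fingerprint. Compare it with the fingerprint given by the server administrator and click **Yes** only if they match." Minor: "When you are log in" should read "When you log in", and "Then It will ask" should be "Then it will ask".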
Line 18: Line 20:
  
   * Start the PuTTYgen utility, by double-clicking on its .exe file.   * Start the PuTTYgen utility, by double-clicking on its .exe file.
-  * For Type of key to generate, select SSH-2 RSA+  * For Type of key to generate, select **RSA**
   * In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods).   * In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods).
   * Click the Generate button.   * Click the Generate button.
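Review bot: renaming the option from "SSH-2 RSA" to **RSA** matches the labels in newer PuTTYgen, which also offers other key types. Since the next bullet (2048 or 4096 bits) only applies to RSA, it is worth stating that there so a reader who picks a different key type is not confused by a field that does not apply.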
Line 28: Line 30:
   * A private/ public key pair has now been generated.   * A private/ public key pair has now been generated.
   * In the Key comment field, enter your email address.   * In the Key comment field, enter your email address.
-  * The Key passphrase field & re-type the same passphrase in the Confirm passphrase field.9. Click the Save private key button and save as private_key .+  * The Key passphrase field & re-type the same passphrase in the Confirm passphrase field. 
 +  * Click the Save private key button and save as private_key .
   *  Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All.   *  Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All.
 {{https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/puttygen2.png}} {{https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/puttygen2.png}}
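Review bot: splitting the step leaves the passphrase bullet without a verb ("The Key passphrase field & re-type the same passphrase in the Confirm passphrase field."). Suggest "Enter a passphrase in the Key passphrase field and re-type it in the Confirm passphrase field." The passphrase is what protects the private key if the file is copied, so the bullet should read as a required step rather than an optional one. Dropping the stray "9." and moving the Save step to its own bullet is right; note that PuTTYgen saves private keys in its own .ppk format, so the file will not be usable directly by OpenSSH clients.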
Line 52: Line 55:
   * Tap the **i** key on your keyboard & right-click your mouse to paste.   * Tap the **i** key on your keyboard & right-click your mouse to paste.
   * To save, tap the following keys on your keyboard (in this order): **Esc, :wq** Enter.   * To save, tap the following keys on your keyboard (in this order): **Esc, :wq** Enter.
 +  * Log out from the server.
  
 === Create a PuTTY Profile to Save Your Server’s Settings === === Create a PuTTY Profile to Save Your Server’s Settings ===
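Review bot: "Log out from the server" should be preceded by a test step: open a second PuTTY session with the new key while the first (password) session stays open, and log out only once the key login works. Otherwise a mistake in the authorized_keys edit just above (the **i** / **:wq** steps) cannot be corrected if password login is later disabled.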
Line 93: Line 97:
   * You will get some QR code output like bellow:   * You will get some QR code output like bellow:
 {{https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/qr.png}} {{https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/qr.png}}
 +
 +If you can't see the full QR code in your putty screen, use the google url given, on your browser.
  
 You will be prompted for some configurations. You will be prompted for some configurations.
Line 99: Line 105:
   * Next it will ask several questions; unless you have a good reason to, Just enter "y" for them.   * Next it will ask several questions; unless you have a good reason to, Just enter "y" for them.
 <code> <code>
-Do you want me to update your "/home/fakrul/.google_authenticator" file (y/n)+Do you want me to update your "/home/thilina/.google_authenticator" file(y/n) 
 Do you want to disallow multiple uses of the same authentication Do you want to disallow multiple uses of the same authentication
 token? This restricts you to one login about every 30s, but it increases token? This restricts you to one login about every 30s, but it increases
-your chances to notice or even prevent man-in-the-middle attacks (y/n) +your chances to notice or even prevent man-in-the-middle attacks (y/n) 
-By default, tokens are good for 30 seconds and in order to compensate for + 
-possible time-skew between the client and the server, we allow an extra +By default, a new token is generated every 30 seconds by the mobile app. 
-token before and after the current time. If you experience problems with poor +In order to compensate for possible time-skew between the client and the server, 
-time synchronization, you can increase the window from its default +we allow an extra token before and after the current time. This allows for a 
-size of 1:30min to about 4min. Do you want to do so (y/n)+time skew of up to 30 seconds between authentication server and client. If you 
 +experience problems with poor time synchronization, you can increase the window 
 +from its default size of 3 permitted codes (one previous code, the current 
 +code, the next code) to 17 permitted codes (the 8 previous codes, the current 
 +code, and the 8 next codes)This will permit for a time skew of up to 4 minutes 
 +between client and server. 
 +Do you want to do so(y/n) 
 If the computer that you are logging into isn't hardened against brute-force If the computer that you are logging into isn't hardened against brute-force
 login attempts, you can enable rate-limiting for the authentication module. login attempts, you can enable rate-limiting for the authentication module.
 By default, this limits attackers to no more than 3 login attempts every 30s. By default, this limits attackers to no more than 3 login attempts every 30s.
-Do you want to enable rate-limiting (y/n)+Do you want to enable rate-limiting(y/n) 
 </code> </code>
  
 === Enable two factor authentication for SSH === === Enable two factor authentication for SSH ===
-  * Edit the /etc/pam.d/sshd file+  * Edit the /etc/pam.d/common-session file
 <code> <code>
-sudo vi /etc/pam.d/sshd+sudo vi /etc/pam.d/common-session
 </code> </code>
-  * Add the following line:+  * Add the following line at the end:
 <code> <code>
-auth required pam_google_authenticator.so+auth required pam_google_authenticator.so nullok
 </code> </code>
   * **:wq** Save and quit.   * **:wq** Save and quit.
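Review bot: moving the `auth required pam_google_authenticator.so` line from /etc/pam.d/sshd to /etc/pam.d/common-session changes its scope. On Debian and Ubuntu, common-session is @included by every PAM-aware service that starts a session (login, su and the display manager among them), so the OTP prompt will now apply to all of them, not only to SSH, and an `auth` line in a file meant for `session` modules is easy to overlook later. Keep the line in /etc/pam.d/sshd, as the previous revision had it. The added `nullok` option means any user who has not yet run google-authenticator (and therefore has no ~/.google_authenticator file) logs in without a second factor; that is acceptable during rollout, but the page should say to remove `nullok` once all users are enrolled, otherwise two-factor authentication stays opt-in. Minor: "like bellow" should be "like below", and the default window text in the quoted output refers to 3 permitted codes, so "1:30min" in the old text was simply the older program wording.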
Line 132: Line 147:
 ChallengeResponseAuthentication yes ChallengeResponseAuthentication yes
 </code> </code>
 +  * Add following to the end.
 +<code>
 +AuthenticationMethods publickey,keyboard-interactive
 +</code> 
   * **:wq** Save and quit.   * **:wq** Save and quit.
   * Now you need to reload the ssh service. You can do it to way:   * Now you need to reload the ssh service. You can do it to way:
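Review bot: `AuthenticationMethods publickey,keyboard-interactive` together with `ChallengeResponseAuthentication yes` is the right combination for requiring both the key and the OTP, since the comma means both methods must succeed. Two things are worth saying next to it: the keyboard-interactive step runs the whole PAM stack for sshd, so if /etc/pam.d/sshd still includes common-auth the user will be asked for the Unix password as well as the OTP code, and the page should state whether that third prompt is intended; and because the second factor is enforced by sshd here, the `nullok` added in the PAM hunk above is what decides whether un-enrolled users can still log in. Minor: "You can do it to way" should be "You can do it in two ways".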
lknog3/netops/ssh.1569955994.txt.gz · Last modified: 2023/01/31 14:21 (external edit)