lknog3:netops:ssh
lknog3:netops:ssh [2019/10/01 18:53] – [Secure SHell (SSL)] lknog_admin | lknog3:netops:ssh [2023/01/31 14:21] (current) – external edit 127.0.0.1 | ||
Line 9: | Line 9: | ||
* Click open. | * Click open. | ||
- | * It will ask for username followed by password. | + | * When you are log in to a server for the first time putty will ask you to confirm crypto signature of the server. For the added security the signature by clicking **Yes** |
- | * Logout/close this session. | + | {{: |
+ | * Then It will ask for username followed by password. | ||
+ | * **logout** to close this session. | ||
==== Public Key Authentication ==== | ==== Public Key Authentication ==== | ||
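Review bot: the new first-login bullet (the `+` line replacing "It will ask for username followed by password") is missing both its verb and its check: "For the added security the signature by clicking **Yes**" never says what the user should compare. The purpose of that PuTTY prompt is that the user verifies the server's host key fingerprint against a value obtained out of band (from the server administrator, or from `ssh-keygen -l` run on the server's own host key) before accepting; clicking **Yes** without that comparison accepts whatever key is presented. Suggest: "Compare the fingerprint shown with the one your administrator gave you and click **Yes** only if it matches." Also "crypto signature" should read "host key fingerprint", "When you are log in" should be "When you log in", and the image embed `{{:` is cut off.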
Line 18: | Line 20: | ||
* Start the PuTTYgen utility, by double-clicking on its .exe file. | * Start the PuTTYgen utility, by double-clicking on its .exe file. | ||
- | * For Type of key to generate, select | + | * For Type of key to generate, select |
* In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods). | * In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods). | ||
* Click the Generate button. | * Click the Generate button. | ||
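Review bot: the changed bullet ends after "select" on both sides of the diff, so the reader is never told which key type to choose in PuTTYgen; complete the sentence with the intended type. Note that the 2048/4096 guidance on the following line applies to RSA keys only, so if a different type is intended, the bit-count step should be adjusted to match.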
Line 28: | Line 30: | ||
* A private/ public key pair has now been generated. | * A private/ public key pair has now been generated. | ||
* In the Key comment field, enter your email address. | * In the Key comment field, enter your email address. | ||
- | * The Key passphrase field & re-type the same passphrase in the Confirm passphrase field.9. Click the Save private key button and save as private_key . | + | * The Key passphrase field & re-type the same passphrase in the Confirm passphrase field. |
+ | * Click the Save private key button and save as private_key . | ||
* Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All. | * Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All. | ||
{{https:// | {{https:// | ||
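Review bot: splitting the passphrase and save steps into two bullets is an improvement, but the first still has no verb: "The Key passphrase field & re-type the same passphrase in the Confirm passphrase field." Suggest "Enter a passphrase in the Key passphrase field and re-type it in the Confirm passphrase field." so readers do not read the passphrase as optional; it is what protects the saved private_key file if that file is copied. Minor: "private_key ." has a stray space before the period, and the image embed `{{https://` is truncated.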
Line 52: | Line 55: | ||
* Tap the **i** key on your keyboard & right-click your mouse to paste. | * Tap the **i** key on your keyboard & right-click your mouse to paste. | ||
* To save, tap the following keys on your keyboard (in this order): **Esc, :wq** Enter. | * To save, tap the following keys on your keyboard (in this order): **Esc, :wq** Enter. | ||
+ | * Log out from the server. | ||
=== Create a PuTTY Profile to Save Your Server’s Settings === | === Create a PuTTY Profile to Save Your Server’s Settings === | ||
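Review bot: the added "Log out from the server" step comes immediately after saving authorized_keys in vi. Before that step, add one that opens a second PuTTY session and confirms the key-based login actually works, so that a paste error in authorized_keys (a wrapped line, a missing key-type prefix) can still be corrected from the session that is still open instead of locking the user out.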
Line 93: | Line 97: | ||
* You will get some QR code output like bellow: | * You will get some QR code output like bellow: | ||
{{https:// | {{https:// | ||
+ | |||
+ | If you can't see the full QR code in your putty screen, use the google url given, on your browser. | ||
You will be prompted for some configurations. | You will be prompted for some configurations. | ||
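Review bot: the added tip to open "the google url given" in a browser needs a caveat: the URL that the google-authenticator tool prints encodes the freshly generated TOTP secret in its query string, so opening it sends the secret to a third-party site and leaves it in browser history. Prefer enlarging the PuTTY window (or reducing the font size) so the QR code renders, or typing the secret key the tool prints into the authenticator app manually.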
Line 99: | Line 105: | ||
* Next it will ask several questions; unless you have a good reason to, Just enter " | * Next it will ask several questions; unless you have a good reason to, Just enter " | ||
< | < | ||
- | Do you want me to update your "/ | + | Do you want me to update your "/ |
Do you want to disallow multiple uses of the same authentication | Do you want to disallow multiple uses of the same authentication | ||
token? This restricts you to one login about every 30s, but it increases | token? This restricts you to one login about every 30s, but it increases | ||
- | your chances to notice or even prevent man-in-the-middle attacks (y/n) | + | your chances to notice or even prevent man-in-the-middle attacks (y/n) y |
- | By default, | + | |
- | possible time-skew between the client and the server, we allow an extra | + | By default, |
- | token before and after the current time. If you experience problems with poor | + | In order to compensate for possible time-skew between the client and the server, |
- | time synchronization, | + | we allow an extra token before and after the current time. This allows for a |
- | size of 1: | + | time skew of up to 30 seconds between authentication server and client. If you |
+ | experience problems with poor time synchronization, | ||
+ | from its default size of 3 permitted codes (one previous code, the current | ||
+ | code, the next code) to 17 permitted codes (the 8 previous codes, the current | ||
+ | code, and the 8 next codes). This will permit for a time skew of up to 4 minutes | ||
+ | between client and server. | ||
+ | Do you want to do so? (y/n) y | ||
If the computer that you are logging into isn't hardened against brute-force | If the computer that you are logging into isn't hardened against brute-force | ||
login attempts, you can enable rate-limiting for the authentication module. | login attempts, you can enable rate-limiting for the authentication module. | ||
By default, this limits attackers to no more than 3 login attempts every 30s. | By default, this limits attackers to no more than 3 login attempts every 30s. | ||
- | Do you want to enable rate-limiting (y/n) | + | Do you want to enable rate-limiting? (y/n) y |
</ | </ | ||
=== Enable two factor authentication for SSH === | === Enable two factor authentication for SSH === | ||
- | * Edit the /etc/pam.d/sshd file | + | * Edit the /etc/pam.d/common-session |
< | < | ||
- | sudo vi /etc/pam.d/sshd | + | sudo vi /etc/pam.d/common-session |
</ | </ | ||
- | * Add the following line: | + | * Add the following line at the end: |
< | < | ||
- | auth required pam_google_authenticator.so | + | auth required pam_google_authenticator.so |
</ | </ | ||
* **:wq** Save and quit. | * **:wq** Save and quit. | ||
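Review bot: the change from /etc/pam.d/sshd to /etc/pam.d/common-session (and the matching `sudo vi` line) is a regression. On Debian-based systems common-session is included by many other PAM services (login, su, sudo and others), so an `auth required pam_google_authenticator.so` line placed there requires a TOTP code well beyond SSH, and an `auth` directive in a file meant for session modules is confusing to maintain. Keep the line in /etc/pam.d/sshd as the previous revision had it; that file is consulted only for sshd, which is what the heading "Enable two factor authentication for SSH" promises. Separately, the recommended answer to the time-skew question is now `y`: by the tool's own text in this hunk that widens the accepted window from 3 codes to 17 (about 4 minutes), which gives an intercepted code a longer useful life. The context line above advises keeping the prompts' guidance unless there is a good reason, so `n` is the consistent answer unless clock synchronization is actually a problem on the server.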
Line 132: | Line 147: | ||
ChallengeResponseAuthentication yes | ChallengeResponseAuthentication yes | ||
</ | </ | ||
+ | * Add following to the end. | ||
+ | < | ||
+ | AuthenticationMethods publickey, | ||
+ | </ | ||
* **:wq** Save and quit. | * **:wq** Save and quit. | ||
* Now you need to reload the ssh service. You can do it to way: | * Now you need to reload the ssh service. You can do it to way: |
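Review bot: the new `AuthenticationMethods publickey,` line is cut off after the comma; sshd needs the complete comma-separated list (the second method must be named), otherwise the directive is malformed and the reload fails. Because a mistake in AuthenticationMethods can refuse every login once sshd is reloaded, also suggest a step to run `sudo sshd -t` before the reload so the config is checked for parse errors, and to keep the current session open and test from a new one after the reload.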
lknog3/netops/ssh.1569956010.txt.gz · Last modified: 2023/01/31 14:21 (external edit)