server-security-wiki/secure-ssh.md

# Secure SSH

## Disable root

Edit `/etc/ssh/sshd_config` and set `PermitRootLogin no` or if you really need root access, e.g. for backups set `PermitRootLogin forced-commands-only`.

## Use Public Key Authentication

Create a new key pair on your client:

```
ssh-keygen -t ed25519 -a 100
```

Remember the path and password you choosed. Append the created public key from `/<your-path>/<key-name>.pub` on your client in the `/home/<user>/.ssh/authorized_keys` on your server. Alternatively you can use the command `ssh-copy-id` on your local client. For this command you can do the following:

```bash
ssh-copy-id -i /<your-path>/<key-name>.pub user@host
```

Now edit `/etc/ssh/sshd_config` on your server and set the following values:

```
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no
```

If you changed the path you can add the following to your `~/.ssh/config` file on your client:

```
Host <your-host-or-ip>
        User <the-server-username> # optional
        IdentityFile /<your-path>/<key-name>
        IdentitiesOnly yes # useful if you have problems when trying to login
```

## Apply Changes

To apply changes you made in the ssh config simply run `systemctl restart ssh.service` or `service ssh restart`.
Add 'secure-ssh.md' 2021-02-20 13:07:27 +00:00			`# Secure SSH`

			`## Disable root`

			Edit `/etc/ssh/sshd_config` and set `PermitRootLogin no` or if you really need root access, e.g. for backups set `PermitRootLogin forced-commands-only`.

			`## Use Public Key Authentication`

			`Create a new key pair on your client:`

			```
Update 'secure-ssh.md' 2023-07-15 00:16:24 +00:00			`ssh-keygen -t ed25519 -a 100`
Add 'secure-ssh.md' 2021-02-20 13:07:27 +00:00			```

Added ssh-copy-id as an alternative ssh-copy-id can be used to copy keys from the local client to the remote server 2021-02-20 21:33:07 +00:00			Remember the path and password you choosed. Append the created public key from `/<your-path>/<key-name>.pub` on your client in the `/home/<user>/.ssh/authorized_keys` on your server. Alternatively you can use the command `ssh-copy-id` on your local client. For this command you can do the following:

			```bash
			`ssh-copy-id -i /<your-path>/<key-name>.pub user@host`
			```
Update 'secure-ssh.md' 2021-02-20 13:11:39 +00:00
			Now edit `/etc/ssh/sshd_config` on your server and set the following values:

			```
			`PubkeyAuthentication yes`
			`AuthorizedKeysFile .ssh/authorized_keys`

			`PasswordAuthentication no`
			```
Add 'secure-ssh.md' 2021-02-20 13:07:27 +00:00
			If you changed the path you can add the following to your `~/.ssh/config` file on your client:

			```
			`Host <your-host-or-ip>`
			`User <the-server-username> # optional`
			`IdentityFile /<your-path>/<key-name>`
Update 'secure-ssh.md' 2021-02-20 18:25:43 +00:00			`IdentitiesOnly yes # useful if you have problems when trying to login`
Add 'secure-ssh.md' 2021-02-20 13:07:27 +00:00			```

Update 'secure-ssh.md' 2021-02-20 13:11:39 +00:00			`## Apply Changes`
Add 'secure-ssh.md' 2021-02-20 13:07:27 +00:00
Added ssh-copy-id as an alternative ssh-copy-id can be used to copy keys from the local client to the remote server 2021-02-20 21:33:07 +00:00			To apply changes you made in the ssh config simply run `systemctl restart ssh.service` or `service ssh restart`.