Secure SSH

Disable root

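Edit /etc/ssh/sshd_config and set PermitRootLogin no. If you really need root access, e.g. for backups, set PermitRootLogin forced-commands-only instead. With that value root can log in only with a public key whose authorized_keys entry carries a command option.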

Use Public Key Authentication

Create a new key pair on your client:

ssh-keygen -t ed25519 -a 100

Remember the path and passphrase you chose. Append the created public key from /<your-path>/<key-name>.pub on your client to /home/<user>/.ssh/authorized_keys on your server. Alternatively, you can use the command ssh-copy-id on your local client, for example:

ssh-copy-id -i /<your-path>/<key-name>.pub user@host

Now edit /etc/ssh/sshd_config on your server and set the following values:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no

If you changed the key path, you can add the following to the ~/.ssh/config file on your client so that ssh picks the right key:

Host <your-host-or-ip>
        # User is optional
        User <the-server-username>
        IdentityFile /<your-path>/<key-name>
        # IdentitiesOnly is useful if you have problems when trying to log in
        IdentitiesOnly yes

Apply Changes

To apply the changes you made to the SSH configuration, run systemctl restart ssh.service or service ssh restart.
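
Before restarting, it is worth confirming that the file really carries the settings from this page, because sshd keeps the first value it reads for each keyword and a later line does not override it. The script below is an added example, not part of the original wiki; the function names sshd_first_value and audit_sshd_config and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check an sshd_config file for the settings recommended above.
# sshd uses the FIRST value it reads for a keyword; keywords are case-insensitive.
# Assumption: only global settings are read; Include files and Match blocks are
# not evaluated. On a real server, `sshd -t` checks syntax and `sshd -T` prints
# the effective configuration.

# Print the first global value of keyword $2 in file $1, lowercased.
sshd_first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # comment line
        { sub(/=/, " ") }                         # "Keyword=value" form
        tolower($1) == "match" { exit }           # conditional section starts
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 if file $1 follows the page's settings, else print findings, return 1.
audit_sshd_config() {
    rc=0
    root=$(sshd_first_value "$1" PermitRootLogin)
    pass=$(sshd_first_value "$1" PasswordAuthentication)
    pub=$(sshd_first_value "$1" PubkeyAuthentication)
    case "$root" in
        no|forced-commands-only) ;;
        *) echo "FAIL PermitRootLogin=${root:-unset}"; rc=1 ;;
    esac
    # Unset PasswordAuthentication falls back to the default, which is yes.
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=${pass:-unset}"; rc=1; }
    # PubkeyAuthentication defaults to yes, so only an explicit "no" is a finding.
    [ "$pub" != no ] || { echo "FAIL PubkeyAuthentication=no"; rc=1; }
    return "$rc"
}

# Constructed sample: the later "PasswordAuthentication no" is ignored by sshd
# because an earlier line already set the keyword.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from a real host
PermitRootLogin forced-commands-only
passwordauthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "config needs changes"
rm -f "$sample"
```

Keep your current SSH session open while restarting and test the new login from a second terminal, so a mistake does not lock you out.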