knowledge base


ssh-keygen
ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/verwalter/.ssh/id_rsa):
Created directory '/home/verwalter/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/verwalter/.ssh/id_rsa.
Your public key has been saved in /home/verwalter/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Ess8dRlwd3NE8wfBMO1ry0KCfgv7s0FUjHehs3p1Yi4 verwalter@lxserver
The key's randomart image is:
+---[RSA 4096]----+
| ..oo=+**+|
| ..=o+++o|
| . . +.oo o|
| o + o o. .|
| * S.. . +..|
| o.....+oo |
| .. ooEo.. |
| .ooo..o |
| .o++ . |
+----[SHA256]-----+
cat /home/verwalter/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AA0C21B6FCFB501C5347DA7152118FB

EPZDx3dLFBr8Tou6BHwJlgYQx0mRSS+zyWVrtE8f73XX3LD7vVArP8HBPCqYZj5g
rdMnamSjhoZRZjfpo5fbu1Z37LWYd41mZ1H5FIOdVS5R5KBOryjFrCrLv9poZEwj
.
.
HNP3ezUBzJRItFr9zzYmPR8A3s9wv43Wj/UKOQAEDAb/uKDPbC7N275Pp26MvNBj
IRQHiNvqdr/L2mIHQ1S/BMJNoNj82+PoVDGeq6k7KcCoGFn2MI5G4LoTXL54bM9P
-----END RSA PRIVATE KEY-----
ll /home/verwalter/.ssh/
insgesamt 16
drwx------ 2 verwalter verwalter 4096 Jan 21 20:42 ./
drwxr-xr-x 5 verwalter verwalter 4096 Jan 21 20:42 ../
-rw------- 1 verwalter verwalter 3326 Jan 21 20:42 id_rsa
-rw-r--r-- 1 verwalter verwalter  743 Jan 21 20:42 id_rsa.pub
ssh-copy-id -i id_rsa.pub verwalter@192.168.0.235
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
The authenticity of host '192.168.0.235 (192.168.0.235)' can't be established.
ECDSA key fingerprint is SHA256:KjhD+jq...................ros9+oEtb0.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
verwalter@192.168.0.235's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'verwalter@192.168.0.235'"
and check to make sure that only the key(s) you wanted were added.
ssh -i id_rsa verwalter@192.168.0.235
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 17.10 (GNU/Linux 4.13.0-21-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Ubuntu Updates for the Meltdown / Spectre Vulnerabilities
   - https://ubu.one/uMelt

7 Software-Pakete können aktualisiert werden.
7 Aktualisierungen sind Sicherheitsaktualisierungen.
Change the following settings in /etc/ssh/sshd_config:
LoginGraceTime 2m
PermitRootLogin no
MaxAuthTries 1
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Banner /etc/ssh/banner

service sshd restart
cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
PermitTunnel yes
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
X11Forwarding yes
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
PasswordAuthentication yes
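Added example, not part of these notes: a small Python checker that reads an sshd_config the way sshd does (global section only, first occurrence of a keyword wins, keywords case-insensitive) and reports which of the settings listed above are not actually in effect. It takes the built-in defaults from the values shown commented out in the dump above, and it additionally assumes PasswordAuthentication should be 'no' once key login works, which the notes do not set and the dumped config still leaves at 'yes'.

```python
import re
# keyword -> (built-in default, as shown commented out in the page's dump,
# value the notes above set). PasswordAuthentication 'no' is an added
# assumption: the page's final config still has it at 'yes'.
POLICY = {
    "logingracetime": ("2m", "2m"),
    "permitrootlogin": ("prohibit-password", "no"),
    "maxauthtries": ("6", "1"),
    "pubkeyauthentication": ("yes", "yes"),
    "authorizedkeysfile": (".ssh/authorized_keys .ssh/authorized_keys2",
                           ".ssh/authorized_keys"),
    "banner": ("none", "/etc/ssh/banner"),
    "passwordauthentication": ("yes", "no"),
}

def parse_global(text):
    """Global-section settings as sshd reads them: keywords are
    case-insensitive, the first occurrence wins, and directives after a
    'Match' line are conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" / "Key=val"
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break
        settings.setdefault(key, value.strip())
    return settings

def audit(text):
    """Return (keyword, effective, wanted) for each setting not in effect."""
    seen = parse_global(text)
    out = []
    for key, (default, wanted) in POLICY.items():
        effective = seen.get(key, default)
        if effective.lower() != wanted.lower():
            out.append((key, effective, wanted))
    return out

# Constructed sample mirroring the page's dump: the hardening keywords are
# still commented out (so the defaults apply) and password login stays on.
SAMPLE = """\
#PermitRootLogin prohibit-password
#MaxAuthTries 6
UsePAM yes
PasswordAuthentication yes
"""
REPORT = audit(SAMPLE)  # [('permitrootlogin', 'prohibit-password', 'no'), ...]
```

Run it against the real file with `audit(open('/etc/ssh/sshd_config').read())` after editing, before restarting sshd. Note that sshd counts every public key the client offers as an authentication attempt, so with MaxAuthTries 1 a client holding several keys in its agent can be refused before it reaches the right one.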