Step by Step SSH install and configure

Step 1: Update repository and Install SSH

Execute these commands in the sequence given below:
  1. admin@prodserver01:/# apt-get update
  2. admin@prodserver01:/# apt-get upgrade
  3. admin@prodserver01:/# apt-get install openssh-server

You are done with installing SSH. Next is to configure SSH.

Step 2: Part 1 – Basic (must-have) configuration to start working with SSH

I am going to divide the SSH configuration into two parts:
Part 1: Basic (must-have) configuration to start working with SSH.
Part 2: Advanced configuration to make the SSH connection secure and easy.

Part 1 –


Let's edit the sshd config file with the following command:

admin@prodserver01:/# vi /etc/ssh/sshd_config

Let's define the SSH port. For example, I am going to use port 222, so I must update the Port line in sshd_config:

Port 222

Let's define the maximum number of login attempts on my SSH port. I am going to restrict a user after 3 wrong login attempts: the user's SSH session should be terminated once the set limit of tries is reached (the limit applies per connection). This is very important for the security of your server and helps prevent brute-force attacks. Update the sshd_config file:

MaxAuthTries 3

Let's restrict which users can connect to my SSH port. I am going to allow only certain users to log in on my server and deny all other users. I will allow only wasadmin to connect to the prodserver01 Unix server. AllowUsers takes a list of user names separated by spaces, so only the user name goes on the line. Add the following line at the end of the file and then save /etc/ssh/sshd_config.

AllowUsers wasadmin

 

Let's restart the SSH service with the following command:

admin@prodserver01:/# service ssh restart

Step 3: Part 2 – Advanced configuration to make the SSH connection secure and easy

Part 2 –

I am going to configure SSH key-based authentication on my server.

In my view, key-based authentication is a better way to protect our servers from unauthorized access. Unfortunately it is not the most convenient way, because I have to carry the key with me.

 

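Step 1: Create the .ssh folder in your home directory (sshd reads ~/.ssh/authorized_keys of the user who logs in) and change its permissions:

admin@prodserver01:/# mkdir -p ~/.ssh; chmod 700 ~/.ssh; cd ~/.ssh

Step 2: Create the authorized_keys file and change its permissions:

admin@prodserver01:~/.ssh# touch authorized_keys; chmod 600 authorized_keys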

Step 3 – Generate keys. If you enter a passphrase at the 'Enter passphrase' prompt, you must remember it and use it in the following steps:

admin@prodserver01:~/.ssh# ssh-keygen -t rsa

(Just keep pressing Enter if you do not want to use a passphrase.)

In the ~/.ssh directory (the default location ssh-keygen offers), you will see that two new files were created.
  • id_rsa.pub - Public key. Once this key is in authorized_keys on any other server (prodserver02, prodserver03, etc.), you can connect to that server from your current host (prodserver01).
  • id_rsa - Private key

 

Note:

They're a key pair: id_rsa is your private key -- it should be kept secret, so that only you can use it; and id_rsa.pub is your public key -- you give it out so that others can verify that a given signature came from your private key. Your private key is used to sign things, and your public key is used to verify your signature.

In terms of authorized_keys and ssh, they're used like this:

1. Whoever owns the box appends the contents of your public key (id_rsa.pub) to ~/.ssh/authorized_keys. This tells ssh, "if you get a request that is signed by the private key corresponding to this public key, let that request log in without a password".
2. You then initiate an ssh connection to that machine as the user whose authorized_keys contains your public key. You won't be prompted for a password, because your request will be automatically signed using your private key. ssh uses your public key to verify that the signature is valid, and allows you to log in.

Step 4 – Append the public key just generated to the authorized_keys file that we created above.

admin@prodserver01:~/.ssh# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Step 5 – Edit the SSH server config file to make sure that public key authentication is enabled (it should be enabled by default):

admin@prodserver01:/# vi /etc/ssh/sshd_config

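Step 6 – These entries must be set to yes. (RSAAuthentication applies only to SSH protocol 1; OpenSSH 7.4 and later treat it as deprecated and ignore it.)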

RSAAuthentication yes
PubkeyAuthentication yes

Step 7 – The following settings should be set to NO:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Step 9 – Restart the ssh service with the following command:

admin@prodserver01:/# service ssh restart

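Step 10 – Now we must copy the contents of the private key.

admin@prodserver01:/# vi /root/.ssh/id_rsa

Step 11 – Paste it into Notepad and save it without an extension.

Step 12 – When you connect to your server, you must browse to your 'id_rsa.ppk' file in PuTTY. PuTTY reads only its own .ppk format, so first import the saved key into PuTTYgen and save the private key as 'id_rsa.ppk'.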

You are all set to start using passwordless SSH.
Please comment if you are not able to follow the steps or if the steps are not correct.
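
The sshd_config values set in Part 1 and Part 2 can be checked before the service is restarted. The script below is an added example, not part of the original post; the function names and the sample file are made up for it. It shows a case that is easy to miss when lines are added at the end of the file: sshd keeps the first value it reads for most keywords, while Port and AllowUsers lines accumulate.

```shell
# Added example: audit an sshd_config against the values this page sets.
# values, expect and audit_sshd_config are hypothetical helper names.

# values KEYWORD FILE: every argument given to KEYWORD, one per line.
# Keywords are case-insensitive; commented-out lines never match.
values() {
    awk -v k="$1" 'tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }' "$2"
}

# expect FILE KEYWORD WANTED [all]: sshd uses the FIRST value of most
# keywords, but Port and AllowUsers accumulate, so pass "all" for those.
expect() {
    if [ "${4:-}" = all ]; then
        got=$(values "$2" "$1" | sort -u | tr '\n' ' ')
    else
        got=$(values "$2" "$1" | head -n 1)
    fi
    got=${got% }
    [ "$got" = "$3" ] && { echo "PASS $2 $got"; return 0; }
    echo "FAIL $2 is '${got:-unset}', wanted '$3'"
    return 1
}

# audit_sshd_config FILE PORT USERS: returns 0 only if every check passes.
audit_sshd_config() {
    rc=0
    expect "$1" Port "$2" all || rc=1
    expect "$1" AllowUsers "$3" all || rc=1
    expect "$1" MaxAuthTries 3 || rc=1
    expect "$1" PubkeyAuthentication yes || rc=1
    expect "$1" PasswordAuthentication no || rc=1
    expect "$1" ChallengeResponseAuthentication no || rc=1
    return $rc
}

# Constructed sample: the page's lines appended below leftover defaults.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
Port 22
#MaxAuthTries 6
PasswordAuthentication yes
Port 222
MaxAuthTries 3
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
AllowUsers wasadmin
EOF
audit_sshd_config "$demo/sshd_config" 222 wasadmin || echo "fix before restarting ssh"
```

On the sample, the Port and PasswordAuthentication checks fail: the server would still listen on port 22 and still accept passwords. Running `sshd -t` as root before the restart additionally catches syntax errors that this value check does not.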