====== SSH Config ======
===== links =====
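  * [[https://en.wikibooks.org/wiki/OpenSSH]]
===== Generate SSH keys on server and client =====
  # Ed25519 keys have a fixed length, so -b is ignored and has been dropped; -f writes the pair into ~/.ssh
  julian $ ssh-keygen -t ed25519 -o -a 1000 -C "julian" -f ~/.ssh/rpi
  julian $ ssh-copy-id -i ~/.ssh/rpi.pub pi@raspberrypi
  # the private key (rpi) is the file that must be readable only by its owner
  julian $ chmod 600 ~/.ssh/rpi ~/.ssh/rpi.pub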
===== ~/.ssh/config =====
  Host [vps]
      HostName [host]
      User [user]
      IdentityFile ~/.ssh/[file]
      # use Tor: connect through the local SOCKS5 proxy on port 9050
      ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
      Compression yes
      ConnectTimeout 300
  * Then copy the public key to the host: ''ssh-copy-id -i ~/.ssh/[file] [vps]''
===== Connect through an SSH tunnel =====
  * ''%%ssh -L 54321:127.0.0.1:5432 -N %%''
===== SSHd hardening =====
Cool, now we are on the server. The first thing to do is to disable password login via SSH.
In **/etc/ssh/sshd_config**, find ''#PasswordAuthentication yes'' and change it to ''PasswordAuthentication no''.
Then, let's create a new user (in case you are logging in as root).
  useradd -G sudo -s /bin/bash -m [user]
  passwd [user]
In order to be able to log in directly with this user via ssh, we should copy our public key to its own **~/.ssh/authorized_keys** file. We can copy the one from the root user and change its permissions.
  mkdir /home/[user]/.ssh
  cp /root/.ssh/authorized_keys /home/[user]/.ssh/
  # "[user]:" makes [user] the owner and, because of the trailing ":", sets the group
  # to [user]'s default group (user:user instead of user:root)
  chown -R [user]: /home/[user]/.ssh
Now you should try logging in with this user (modify your local **~/.ssh/config** if necessary). If all goes well, you can now disable SSH root login.
In **/etc/ssh/sshd_config**, find ''PermitRootLogin yes'' and change it to ''PermitRootLogin no''.
From now on, you should connect via SSH as a regular user using key pairs instead of plain-text passwords, and then become root with ''sudo su -''. This adds a layer of protection against 0-days, bots, script kiddies... ;-)
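Added example (not part of the original page): a shell check for the two **sshd_config** changes above. It shows that an edited line still starting with ''#'' changes nothing and that the first occurrence of a keyword wins. The function names and the sample file are constructed for illustration, and ''sshd -T'' on the server remains the way to see the full effective configuration.

```shell
#!/bin/sh
# effective_value FILE KEYWORD DEFAULT
# Prints the value the global section of FILE gives KEYWORD: keywords are
# case-insensitive, the first occurrence wins, "#" lines set nothing, and
# scanning stops at the first Match block. DEFAULT is printed if unset.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        { kw = tolower($1) }
        kw == "match" { exit }
        kw == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: returns 0 only when password and root logins are both off.
audit_sshd_config() {
    rc=0
    # Assumption: the defaults below are upstream OpenSSH's; a distribution may ship others.
    pa=$(effective_value "$1" PasswordAuthentication yes)
    prl=$(effective_value "$1" PermitRootLogin prohibit-password)
    [ "$pa" = "no" ] || { echo "FAIL PasswordAuthentication=$pa (want no)"; rc=1; }
    [ "$prl" = "no" ] || { echo "FAIL PermitRootLogin=$prl (want no)"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK password and root logins are disabled"; fi
    return "$rc"
}

# Constructed sample: the value was edited but the "#" was left in place,
# and a second PermitRootLogin line appears after the first.
sample_config() {
    cat <<'EOF'
Port 22
#PasswordAuthentication no
permitrootlogin no
PermitRootLogin yes
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp" || true   # the commented line leaves password login enabled
rm -f "$tmp"
```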
**Bonus:** you should definitely take a look at [[http://www.cipherdyne.org/fwknop/|fwknop]].
**Bonus 2:** in ''/etc/passwd'', set the login shell to ''/usr/sbin/nologin'' for accounts that should not log in.