Thousands of people connect to a remote computer over the Internet every second, and most of them do it in an insecure way. Some connect via Telnet, VNC, FTP, etc., but all of these protocols are insecure. This means every single packet travels across the Internet without any type of encryption. So anybody sitting in between you and the remote computer you are trying to connect to will be able to see, read and even modify the data! Lucky for us, there is a HUGE solution for this problem: SSH! I recommend you read the following book: SSH, The Secure Shell: The Definitive Guide, to get more insight into SSH.
SSH is the successor of Telnet. SSH brings security to remote connections through the use of encryption. Every single packet sent to or received from the remote computer will be encrypted! So anybody sitting in between will still be able to see the packets, but he will NOT be able to understand them!!
With SSH you can tunnel traffic from other protocols through the SSH connection. So you can upload anything with SFTP (file transfer over SSH). Even your VNC session can be tunnelled through SSH!
The only disadvantage of implementing SSH is that if you configure it wrong, then you won’t have access to your machine any more, or even worse, you will have a big hole for potential attackers!! Most probably you don’t want that!
So let’s start installing our secure SSH server in any Debian/Ubuntu based distro!!!
First let’s update our package database so that we can be sure we will download the latest stable version from the repository.
sudo apt-get update
Searching for the package!
Now we have to search for the correct package of OpenSSH (this is the server we will use). OpenSSH is the most used SSH server in the whole world. So, our command:
apt-cache search openssh
That will give you output similar to this (some lines cut because the list is long):
libssl0.9.8 – SSL shared libraries
openssh-blacklist – list of default blacklisted OpenSSH RSA and DSA keys
openssh-blacklist-extra – list of non-default blacklisted OpenSSH RSA and DSA keys
openssh-client – secure shell (SSH) client, for secure access to remote machines
openssh-server – secure shell (SSH) server, for secure access from remote machines
seahorse-plugins – seahorse plugins and utilities for encryption in GNOME
ssh – secure shell client and server (metapackage)
ssh-askpass-gnome – interactive X program to prompt users for a passphrase for ssh-add
From the output of our search, we see that there is a package called “openssh-server – secure shell (SSH) server, for secure access from remote machines”. That is the package we are looking for. It may be named differently in other distros, but it should say something similar!! So let’s install it:
sudo apt-get install openssh-server
If it was installed correctly, you will read in the last line:
ssh start/running, process 1084
The number 1084 will most probably be a different one, so don’t worry about it!
If you read some lines above the last line, you will see that the RSA, DSA and ECDSA keys were already created! You can see them in the folder “/etc/ssh”. We will talk in another post about what these keys are for.
Check if installed!
Let’s check if the server was installed and if it’s indeed running!
ps aux | grep ssh
That will give us something like:
root 2060 0.0 0.0 5016 1420 ? Ss 10:53 0:00 /usr/sbin/sshd -D
If so, then our server is running! (You may also see the grep command itself in the list; that line is not the server.)
To double check, connect from another computer in your network by running:
where user is the user you normally log in with and ip is the IP address of the server.
Configuration of server!
This is THE MOST IMPORTANT PART!! If you set wrong parameters or you play with variables you don’t know what they are about, then most probably either you won’t be able to connect to the server or, in the worst case, EVERYBODY will be able to connect to your server!
The config file is in “/etc/ssh/”, so let’s edit it!
Normally I prefer using the nano editor. In most cases nano is installed. If not, then use the vi editor.
sudo nano /etc/ssh/sshd_config
Please don’t forget to put the “d” after ssh. It’s not a typo: the “d” means “daemon”, and that means it is the config file for the server, or “daemon”. Without the “d” it is the client config file!
So, let’s start searching for the line that says:
and change it to
Now search for:
RSAAuthentication no
PubkeyAuthentication no
and change it to
RSAAuthentication yes
PubkeyAuthentication yes
Now the server is configured so that you can access it ONLY with an SSH KEY!!! We are missing two last things. First create an SSH key, then tell the server where the key will be.
For creating the SSH key, please see this other post.
For telling the server where to look for your public key:
add or search (and uncomment):
The %h means the “home directory” of the user.
Now copy your public key into %h/.ssh/authorized_keys and restart the server with:
sudo /etc/init.d/ssh restart
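Because a wrong edit here can lock you out or leave password logins open, it is worth verifying what sshd will actually use before you run that restart. The script below is an added example (my own, not code from the original post): it reads a keyword the way sshd does, which has a trap of its own, namely that in sshd_config the FIRST occurrence of a keyword wins, so a “PasswordAuthentication no” added at the bottom is silently ignored if an earlier line still says “yes”. It assumes only the global section matters (parsing stops at the first Match line) and uses constructed sample configs rather than your real file.

```shell
#!/bin/sh
# Added example, not code from the original post. sshd_config rule: for each
# keyword the FIRST value sshd reads wins. These helpers report the value sshd
# will actually use. Assumptions: only the global section is parsed (stops at
# the first Match line) and the "Keyword value" syntax is used, as in the post.
sshd_effective() {
    _file=$1
    _key=$2
    awk -v key="$_key" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }                # skip comments and blank lines
        tolower($1) == "match"      { exit }                # Match blocks are out of scope here
        tolower($1) == tolower(key) { print $2; exit }      # first hit wins, like sshd
    ' "$_file"
}

# Succeeds (exit 0) only if the file enforces key-only logins, as the post intends.
audit_sshd_config() {
    _pw=$(sshd_effective "$1" PasswordAuthentication)
    _pk=$(sshd_effective "$1" PubkeyAuthentication)
    # sshd defaults when a keyword is absent: both are "yes"
    [ -z "$_pw" ] && _pw=yes
    [ -z "$_pk" ] && _pk=yes
    [ "$_pw" = no ] && [ "$_pk" = yes ]
}

# Constructed sample configs for the demonstration (not the author's files).
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
# hardened (constructed)
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
EOF
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
# the "no" at the bottom never takes effect (constructed)
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT

audit_sshd_config "$GOOD_CFG" && echo "good: key-only logins enforced"
audit_sshd_config "$BAD_CFG" || echo "bad: passwords still accepted (first value wins)"
```

Point the functions at /etc/ssh/sshd_config on your own server, and also run `sudo sshd -t` to syntax-check the file before restarting.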
Now try accessing your server from another computer in the network by running:
ssh -i key user@ip
The -i option specifies the path of your private key; user is the user and ip is the IP address of the server.
Now we have a configured and secure SSH server!! If you are interested in reading more about SSH, I do recommend this book: SSH, The Secure Shell: The Definitive Guide.