(dv):Secure SSH access
- This page was last modified on December 15, 2010, at 14:12.
From (mt) Community Wiki
Using SSH Keys
SSH keys should only be used on a computer that is not shared, or on one where each person has their own login account. If you share your computer with others under the same username, you should NOT follow the steps in this article: anyone using that account can read your private key and log in to your server as you.
Generating your key
The first step is to generate a key pair on your local computer:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -C "optional comment, e.g. jsmith@laptop"
The -C comment is free text stored with the public key so you can tell keys apart later. 2048-bit RSA was the usual choice when this page was written; on a current OpenSSH, -t ed25519 (or -b 4096 for RSA) is the better choice.
You will be prompted for a passphrase. Use a strong one: it encrypts the private key on disk, so a copied id_rsa file is useless without it. If you plan to use the key for unattended tasks such as rsync, you can leave the passphrase blank, but then anyone who obtains the file can log in as you, so limit what such a key may do on the server side (for example with the from= and command= options in authorized_keys). Once you have entered the passphrase twice, make sure the permissions on your .ssh directory and the newly created key files are correct, using the following commands on your local computer:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
Installing your key
Your public key now needs to be copied to your server. The command below reads your public key, creates the .ssh directory on your (ve) if it does not exist yet, and appends the key to the file 'authorized_keys' in it. Note that it appends: running it twice lists the key twice. If your system has ssh-copy-id, it does the same in one step.
cat ~/.ssh/id_rsa.pub | ssh user@ve.example.com 'mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
Set the permissions on the .ssh directory and its files on the (ve) as well, with the same commands as above:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
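The install step above as an added example, not code from the (mt) wiki: a POSIX shell function that puts a public key into an authorized_keys file the way the one-liner does, but creates the directory at mode 700, sets the file to 600 in the same step, and does not append a second copy when run again, plus a checker that reports anything the chmod commands above would change. The accepted key types and the throwaway directory used by the demo are assumptions of the example; to use it on the (ve), run the function there against ~/.ssh.

```shell
#!/bin/sh
# Added example, not from the (mt) wiki page: idempotent authorized_keys install
# plus a permission check for the ~/.ssh layout the page sets up by hand.

# install_authorized_key <ssh_dir> <pubkey_file>
# Appends the first line of <pubkey_file> to <ssh_dir>/authorized_keys unless it
# is already there, with the directory at 700 and the file at 600.
# Returns 0 on success, 1 if the file does not look like an OpenSSH public key.
install_authorized_key() {
    ssh_dir=$1
    pubkey_file=$2
    key=$(head -n 1 "$pubkey_file") || return 1

    # Sanity check: an OpenSSH public key line is "<type> <base64> [comment]".
    # Assumption: only the common key types are accepted here.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "install_authorized_key: $pubkey_file is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # 'mkdir -p' does not fail when the directory already exists; the chmod
    # calls are the page's 700/600 settings applied at creation time.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    touch "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"

    # A plain '>>' adds a duplicate every time it is run; only append the key
    # when the exact line is not present yet (-x whole line, -F literal match).
    if ! grep -qxF "$key" "$ssh_dir/authorized_keys"; then
        printf '%s\n' "$key" >> "$ssh_dir/authorized_keys"
    fi
}

# check_ssh_perms <ssh_dir>
# Reports anything that 'chmod 700 ~/.ssh; chmod 600 ~/.ssh/*' would change.
# Returns 0 when the directory is 700 and every file in it is 600.
check_ssh_perms() {
    ssh_dir=$1
    rc=0
    # find's -perm <mode> without a prefix matches the mode bits exactly.
    if [ -z "$(find "$ssh_dir" -prune -perm 700)" ]; then
        echo "$ssh_dir should be mode 700"
        rc=1
    fi
    bad_files=$(find "$ssh_dir" -type f ! -perm 600)
    if [ -n "$bad_files" ]; then
        printf '%s\n' "$bad_files" | sed 's/$/ should be mode 600/'
        rc=1
    fi
    return $rc
}

# Demo against a throwaway directory (assumed path) with a constructed key, so
# nothing under the real ~/.ssh is touched when the script is run as-is.
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForTheDemoOnly jsmith@laptop\n' > "$demo_dir/id_ed25519.pub"
install_authorized_key "$demo_dir/ssh" "$demo_dir/id_ed25519.pub"
install_authorized_key "$demo_dir/ssh" "$demo_dir/id_ed25519.pub"   # second run is a no-op
check_ssh_perms "$demo_dir/ssh" && echo "permissions ok, $(wc -l < "$demo_dir/ssh/authorized_keys") key(s) installed"
rm -rf "$demo_dir"
```

The checker is the one to run on both ends after following the page: on your computer it flags a readable id_rsa, on the (ve) it flags an authorized_keys file that sshd with StrictModes (the default) will refuse to use.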
Changing default SSH Port
By default SSH listens on port 22. Most automated brute-force attacks only try that port, so moving sshd to a non-standard port keeps most of that noise out of your logs. It is not a security control on its own: a port scan finds the new port in seconds, so keep key-based authentication in place as well. Note that you will then have to pass the '-p' flag to ssh (and '-P' to scp) to specify the port you chose.
- SSH into your server as 'jsmith'
- Open the /etc/ssh/sshd_config file using your editor of choice. We will use vi.
sudo vi /etc/ssh/sshd_config
Change the line that reads 'Port 22' to a different port; this example uses 4791. Pick a port above 1024 so it does not collide with the privileged, well-known ports, and confirm that nothing on the server already listens on it (for example with netstat -ltn or ss -ltn). Also make sure any firewall on or in front of the server allows the new port before you rely on it:
...
# What ports, IPs and protocols we listen for
Port 4791
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
...
- Save the file and restart the SSH server. Keep your existing session open until you have confirmed from a second terminal that ssh -p 4791 jsmith@ve.example.com works; if the restart fails or the port is blocked, that open session is what lets you undo the change. (sshd -t checks the file for syntax errors before you restart, and on a systemd-based system the restart command is systemctl restart sshd.)
sudo /etc/rc.d/init.d/sshd restart
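The port change above as an added example, not code from the (mt) wiki: a POSIX shell function that makes the same edit to an sshd_config file with the checks worth doing before restarting sshd (port in the unprivileged range, exactly one Port directive afterwards, a backup for rollback) and a listener check for the new port. The config path and port in the demo are assumptions; on the (ve) you would point it at /etc/ssh/sshd_config and then run sshd -t and the restart from the page.

```shell
#!/bin/sh
# Added example, not from the (mt) wiki page: change the Port directive in an
# sshd_config file with the checks to do before restarting sshd.

# set_sshd_port <config_file> <port>
# Rewrites the first Port line (commented out or not) to "Port <port>", drops
# any further Port lines so exactly one remains, appends one if none exists,
# and keeps a copy of the original at <config_file>.bak for rollback.
# Returns 1 (file untouched) when <port> is not a number between 1025 and 65535.
set_sshd_port() {
    cfg=$1
    port=$2

    # The page's advice: stay above 1024 to avoid the privileged ports. The
    # upper bound is simply the largest TCP port number.
    case "$port" in
        ''|*[!0-9]*) echo "set_sshd_port: port must be a number" >&2; return 1 ;;
    esac
    if [ "$port" -le 1024 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: choose a port between 1025 and 65535" >&2
        return 1
    fi

    cp "$cfg" "$cfg.bak" || return 1
    awk -v port="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            if (!done) { print "Port " port; done = 1 }   # first Port line is rewritten
            next                                          # later Port lines are dropped
        }
        { print }
        END { if (!done) print "Port " port }             # no Port line at all: add one
    ' "$cfg.bak" > "$cfg"
}

# get_sshd_port <config_file>
# Prints the port sshd would use: the first active Port line, or 22 by default.
get_sshd_port() {
    p=$(awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; exit }' "$1")
    echo "${p:-22}"
}

# port_is_free <port>
# Returns 0 when nothing on this host is listening on the TCP port (uses ss
# from iproute2; if it is not installed the check is skipped with a warning).
port_is_free() {
    if ! command -v ss >/dev/null 2>&1; then
        echo "port_is_free: ss not installed, skipping listener check" >&2
        return 0
    fi
    ! ss -ltn "( sport = :$1 )" | tail -n +2 | grep -q .
}

# Demo on a constructed copy of the page's excerpt (assumed temporary path), so
# the real /etc/ssh/sshd_config is not touched when the script is run as-is.
demo_cfg=$(mktemp)
printf '%s\n' \
    '# What ports, IPs and protocols we listen for' \
    'Port 22' \
    'Protocol 2' > "$demo_cfg"
set_sshd_port "$demo_cfg" 4791 && echo "sshd_config now says: Port $(get_sshd_port "$demo_cfg")"
port_is_free 4791 && echo "nothing is listening on 4791 yet"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

If the new port turns out to be unreachable after the restart, copying the .bak file back over sshd_config and restarting again from the session you kept open restores port 22.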