I will describe here how to set up an ssh server so that you can establish a secure connection to a Linux server. There are also step-by-step instructions with some explanations.
In my post “What is ssh/sftp, what is it for?” I wrote how to prepare the ssh client to manage a Linux server, generate keys and put the authorized_keys2 file on a USB drive.
How to set up an ssh server on Linux
1. First, transfer the authorized_keys2 file to the server using sftp (Fig. 1). How to use sftp to transfer files securely is described in my posts “sftp client. Brief description.” (Linux and OSX), “PSFTP – SFTP PuTTY client for Windows” and “SSH client for Windows Bitvise Tunnelier“. Let’s suppose the Linux server’s IP address is 192.168.22.4 and the user name is admin.
Enter the root password when prompted; after you see
Connected to 192.168.22.4
and the file transfer is complete, type
2. Choose a good password for the user admin (I wrote about good passwords here).
3. Log in to the server via the ssh client as user root (unfortunately, this is allowed by the default settings of Linux distributions).
Type the root password when prompted; if it is accepted, you should see:
Last login: Mon Nov 4 10:46:38 2016 from 192.168.14.6
Now you are superuser on this server.
4. Create the user admin and set its password. If you do not like the user name admin, you can choose any other name; then replace admin with your chosen name everywhere below.
[root@www ~]# useradd admin
[root@www ~]# passwd admin
and type the admin user’s password twice:
Changing password for user admin.
Retype new password:
passwd: all authentication tokens updated successfully.
5. Go to the admin user’s home directory, create the .ssh folder, move the authorized_keys2 file there and set the necessary access rights (Fig. 2):
chmod 0700 .ssh
mv /root/authorized_keys2 .ssh/
chown -R admin.admin .ssh
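As an added example (not part of the original post), the following shell script performs step 5 for an arbitrary home directory and then checks the permissions that sshd’s StrictModes setting (on by default) expects before it will honour the key file. It assumes a POSIX sh with mkdir, chmod, mv and stat; the demo runs in a scratch directory instead of /home/admin, and the key line it writes is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a user's ~/.ssh the way
# step 5 does, then verify the permissions sshd's StrictModes check expects.
# The demo below uses a scratch directory instead of /home/admin, and the key
# line is a constructed placeholder.

# setup_authorized_keys HOME_DIR KEYFILE
# Create HOME_DIR/.ssh (0700), move KEYFILE in as authorized_keys2 and make it
# 0600. Ownership is not changed here so the demo can run unprivileged; on the
# server, finish with:  chown -R admin:admin /home/admin/.ssh
setup_authorized_keys() {
    home="$1"; keyfile="$2"
    mkdir -p "$home/.ssh"
    chmod 0700 "$home/.ssh"
    mv "$keyfile" "$home/.ssh/authorized_keys2"
    chmod 0600 "$home/.ssh/authorized_keys2"
}

# file_mode PATH : octal permission bits; GNU stat first, BSD/macOS stat as fallback
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms HOME_DIR : exit 0 if .ssh is 700 and authorized_keys2 is 600,
# 1 otherwise. With StrictModes yes (the default) sshd silently ignores a key
# file or directory that is group- or world-writable, which the client only
# sees as an unexplained "Permission denied (publickey)".
check_ssh_perms() {
    [ "$(file_mode "$1/.ssh")" = "700" ] &&
    [ "$(file_mode "$1/.ssh/authorized_keys2")" = "600" ]
}

# --- demo in a scratch directory (constructed placeholder key) ---
demo=$(mktemp -d)
printf 'ssh-ed25519 CONSTRUCTED_PLACEHOLDER_KEY admin@client\n' > "$demo/authorized_keys2"
setup_authorized_keys "$demo" "$demo/authorized_keys2"
check_ssh_perms "$demo" && echo "permissions OK: sshd will read the key file"
chmod 0755 "$demo/.ssh"          # simulate a common mistake
check_ssh_perms "$demo" || echo "permissions too open: sshd will ignore the key file"
rm -rf "$demo"
```

The chown step from the post is deliberately left out of the function so the demo can run as an ordinary user; on the server the directory and file must be owned by admin, otherwise StrictModes rejects them just as it rejects loose permissions.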
6. Then, using the vi editor, change the ssh server configuration file. How to use vi is described in the post “Editor vi. Short manual“.
Delete the old configuration file:
rm: remove regular file `/etc/ssh/sshd_config’? y
confirm the deletion (press «y») and create a new one:
Then, in the vi window that opens, type «i» (insert), copy the entire configuration file below and paste it into the vi window.
# This is ssh server systemwide configuration file.
# Uncomment if you want to enable sftp
Subsystem sftp /usr/libexec/openssh/sftp-server
You should see exactly this text. If so, press «esc» to leave insert mode and then type «:wq» to save the file and exit the editor (Fig. 3).
What this gives us:
First, we have disabled ssh login by password. To log in via ssh, the user must now have the secret (private) key on the client computer and know its passphrase, and the corresponding public key must be in the authorized_keys2 file on the server. This is the only way left to establish an ssh connection to the server, and it significantly reduces the risk of a password being cracked by brute force (you can see such attempts in your server’s logs).
Second, we have disabled ssh login for user root altogether. To become superuser root, a logged-in user must also know the root password for the su (sudo) command.
Third, login to the server is allowed only for the user named admin; all other user names are rejected. (I think changing the user name admin to something nobody knows is a good idea.)
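As an added example, not the post’s own configuration, the script below puts the permissive settings the post warns about beside the hardened settings that produce the three effects just described, audits an sshd_config file for those directives, and, for the remark about brute-force attempts in the logs, counts failed password attempts per source address over a few constructed syslog lines. The directive names (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, AllowUsers, Subsystem) are the real sshd_config keywords; the config texts, the log excerpt and the addresses in it are constructed for the demo. It assumes POSIX sh, awk and sort, and never touches /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the original post: weak vs hardened sshd settings,
# a small audit for the three directives the post relies on, and a count of
# failed password attempts per source over constructed log lines.

WEAK_CONF='# constructed: the permissive defaults many distributions ship with
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server'

HARD_CONF='# constructed: hardened settings matching steps 6 and 9 of the post
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
Subsystem sftp /usr/libexec/openssh/sftp-server'

# audit_sshd_config FILE : print one line per weak finding; the exit status is
# the number of findings (0 = hardened). sshd keeps the FIRST occurrence of a
# directive, so a later "PermitRootLogin no" does not override an earlier "yes".
# Caveat: Match blocks and Include files are not evaluated here.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        {
            key = tolower($1)
            if (!(key in val)) val[key] = tolower($2)    # first occurrence wins
        }
        END {
            n = 0
            if (!("permitrootlogin" in val) || val["permitrootlogin"] == "yes") {
                print "root can log in over ssh (want: PermitRootLogin no)"; n++ }
            if (!("passwordauthentication" in val) || val["passwordauthentication"] == "yes") {
                print "password login enabled, brute force possible (want: PasswordAuthentication no)"; n++ }
            if (!("allowusers" in val)) {
                print "no user allow-list (want: AllowUsers admin)"; n++ }
            exit n
        }' "$1"
}

# Constructed auth log excerpt in the syslog format sshd writes.
SAMPLE_LOG='Nov  4 10:40:01 www sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov  4 10:40:03 www sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov  4 10:40:05 www sshd[2313]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Nov  4 10:41:10 www sshd[2320]: Failed password for admin from 192.168.14.6 port 60012 ssh2
Nov  4 10:41:15 www sshd[2320]: Accepted publickey for admin from 192.168.14.6 port 60012 ssh2'

# failed_attempts_from LOGFILE IP : number of "Failed password" lines from IP
failed_attempts_from() {
    awk -v ip="$2" '/Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == ip) n++
    } END { print n + 0 }' "$1"
}

# top_failed_sources LOGFILE : "count ip" per source address, busiest first.
# With PasswordAuthentication no these attempts can no longer succeed, but the
# lines still show who is probing the server.
top_failed_sources() {
    awk '/Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
    } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# --- demo on the constructed inputs ---
tmp=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$tmp/weak.conf"
printf '%s\n' "$HARD_CONF" > "$tmp/hard.conf"
printf '%s\n' "$SAMPLE_LOG" > "$tmp/auth.log"
echo "== weak config =="; audit_sshd_config "$tmp/weak.conf" || echo "   $? finding(s)"
echo "== hardened config =="; audit_sshd_config "$tmp/hard.conf" && echo "   no findings"
echo "== failed password attempts by source =="; top_failed_sources "$tmp/auth.log"
rm -rf "$tmp"
```

To audit a real server, run audit_sshd_config /etc/ssh/sshd_config (and, after editing, sshd -t to have sshd itself check the syntax before restarting it); the failed-login counters can be pointed at /var/log/secure or /var/log/auth.log, whichever your distribution uses.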
7. Restart the ssh server:
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
8. Now it is time to check:
Type the passphrase of the ssh key and you should see something like Fig. 4:
Last login: Tue Jan 28 22:46:48 2017 from 192.168.14.6
If you have logged in to the server successfully (and you should have), it’s done.
That is, we are on our Linux server as user admin, in the folder /home/admin (~).
9. Because of these security restrictions, an ssh connection to the server is allowed only for users without root privileges; to run commands as root or become superuser root, use the sudo or su commands (Fig. 4).
You can also try to log in over ssh directly as root. You should be rejected.
So, by following the instructions above, we have set up the ssh server for secure connections and can now install the application services we need.
I have described here how to set up an ssh server so that you can establish a secure connection to a Linux server, with step-by-step instructions and some explanations.