Ben the DBA

SSH Configuration and Security

SSH (Secure Shell) is a cryptographic network protocol that enables secure system administration and file transfers over unsecured networks. This guide covers essential configurations and security best practices for both client and server sides.

1. SSH Client Configuration

The first step in setting up SSH is generating your authentication keys. SSH supports several key types, with ED25519 and RSA being the most commonly used.


#Key Generation
ssh-keygen -t ed25519 -C "comment"
ssh-keygen -t rsa -b 4096 -C "comment"

#Copy Public Key
ssh-copy-id user@server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

ED25519 keys are recommended for modern systems as they provide strong security with better performance. However, RSA keys (minimum 4096 bits) remain a solid choice for broader compatibility.

2. Server Configuration

Proper server configuration is crucial for security. The main configuration file is located at /etc/ssh/sshd_config. Here are essential security settings for that file:


PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers user1 user2
Port 22

#Apply changes
systemctl restart sshd

These settings disable root login, require key-based authentication, and limit SSH access to specific users. Remember to restart the SSH service after making changes.

3. SSH Connections

SSH provides various connection methods. Basic connections only require the username and server address, while advanced options allow for specific ports and identity files.


#Basic Connection
ssh user@server
ssh -p 2222 user@server

#With Specific Key
ssh -i ~/.ssh/key user@server

#Remote Command
ssh user@server 'ls -la'

The ability to execute remote commands makes SSH ideal for automation and scripting tasks.

4. SSH Tunneling

SSH tunneling creates secure channels for forwarding traffic. This is useful for accessing services securely or bypassing network restrictions.


#Local forwarding (-L)
ssh -L 8080:localhost:80 user@server

#Remote forwarding (-R)
ssh -R 8080:localhost:80 user@server

#Dynamic forwarding (-D)
ssh -D 9090 user@server

Local forwarding is commonly used to access remote services securely, while remote forwarding enables access to local services from remote locations.

5. ~/.ssh/config Configuration

The SSH config file simplifies connection management by storing common configurations:


Host server1
    HostName 192.168.1.100
    User admin
    Port 2222
    IdentityFile ~/.ssh/server1_key

This configuration allows you to simply type 'ssh server1' instead of the full connection string.

6. Security and Permissions

Correct file permissions are critical for SSH security. SSH refuses to use a private key or a config file that is readable by other users, so overly permissive modes cause connections to fail.


chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/config

#Verification
ls -la ~/.ssh/

The SSH directory and private keys must be readable only by the owner.
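As an added example (not part of the original post), the following POSIX shell functions audit an sshd_config against the settings in section 2 and check ~/.ssh permissions as described in section 6. The sample config, its temporary path and the key names are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# settings in section 2 and check ~/.ssh permissions as in section 6. Note that
# sshd uses the FIRST value seen for a keyword; a later hardening line is ignored.

# sshd_effective FILE KEYWORD -> value sshd would use in the global section:
# first match wins, keywords are case-insensitive, "key=value" is accepted,
# and parsing stops at the first Match block (those apply only conditionally).
sshd_effective() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        { gsub(/=/, " "); k = tolower($1) }
        k == "match" { exit }
        k == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd FILE -> prints one line per failed check; returns 0 only if all pass
audit_sshd() {
    fails=0
    for pair in PermitRootLogin:no PasswordAuthentication:no PubkeyAuthentication:yes; do
        kw=${pair%%:*} want=${pair#*:}
        got=$(sshd_effective "$1" "$kw")
        [ "$got" = "$want" ] ||
            { echo "FAIL $kw: want '$want', effective '${got:-<unset>}'"; fails=$((fails + 1)); }
    done
    [ "$fails" -eq 0 ]
}

# check_ssh_perms DIR -> one line per entry that group or others can access.
# Checks the directory, config and private keys (id_* without .pub); columns
# 5-10 of `ls -l` are the group/other bits and must all be '-' (700 / 600).
check_ssh_perms() {
    bad=0
    for f in "$1" "$1"/config "$1"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        mode=$(ls -ldL "$f" | cut -c1-10)
        [ "${mode#????}" = "------" ] || { echo "FAIL $f: $mode"; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample (not a real server's config): "PermitRootLogin no" was
# appended at the bottom, but the earlier "yes" is what sshd actually uses.
sample_sshd_config() {
    cfg=$(mktemp) && printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
        'PubkeyAuthentication yes' 'passwordauthentication=no' 'PermitRootLogin no' \
        'Match User backup' '    PasswordAuthentication yes' > "$cfg" && echo "$cfg"
}
```

After sourcing the file, `audit_sshd /etc/ssh/sshd_config` and `check_ssh_perms ~/.ssh` report what needs fixing; on the constructed sample the audit reports PermitRootLogin as effectively `yes`. Run `sshd -t` as well before restarting the service, since it validates the whole file including Match blocks.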

Critical Points
