SSH

Generate ssh keys on linux and use with PuTTY on Windows

Log into the Linux server as the user you are going to use to connect with ssh. Generate the key.

ssh-keygen -t rsa -b 4096 -C "email@domain.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3/dDa9R+zzDpGNt/EU9Jusj/snbKt3+B8F+ULnxXtWk email@domain.com
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|               ..|
|              o *|
|           . . E+|
|        S . = =o=|
|         . + * O=|
|          . + @.*|
|            .@ %=|
|            ++@+#|
+----[SHA256]-----+

Now copy the id_rsa key to your Windows desktop. This can be done by copying and pasting the contents of the file or using an SCP client such as PSCP which is supplied with the PuTTY install or FileZilla.

Read moreGenerate ssh keys on linux and use with PuTTY on Windows

How To Create SSH Keys With PuTTY to Connect to CentOS7

Generating OpenSSH-compatible Keys for Use with PuTTY

To generate a set of RSA keys with PuTTYgen:

  1. Start the PuTTYgen utility, by double-clicking on its .exe file;
  2. For Type of key to generate, select RSA;
  3. In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods);
  4. Click the Generate button;
  5. Move your mouse pointer around in the blank area of the Key section, below the progress bar (to generate some randomness) until the progress bar is full;
  6. A private/ public key pair has now been generated;
  7. In the Key comment field, enter any comment you’d like, to help you identify this key pair, later (e.g. your e-mail address; home; office; etc.) — the key comment is particularly useful in the event you end up creating more than one key pair;
  8. Optional: Type a passphrase in the Key passphrase field & re-type the same passphrase in the Confirm passphrase field (if you would like to use your keys for automated processes, however, you should not create a passphrase);
  9. Click the Save public key button & choose whatever filename you’d like (some users create a folder in their computer named my_keys);
  10. Click the Save private key button & choose whatever filename you’d like (you can save it in the same location as the public key, but it should be a location that only you can access and that you will NOT lose! If you lose your keys and have disabled username/password logins, you will no longer be able log in!);
  11. Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All;
    Right-click again in the same text field and choose Copy.
  12. NOTE: PuTTY and OpenSSH use different formats for public SSH keys. If the SSH Key you copied starts with “—- BEGIN SSH2 PUBLIC KEY …”, it is in the wrong format. Be sure to follow the instructions carefully. Your key should start with “ssh-rsa AAAA ….”
  13. Save The Public Key On The Server

Read moreHow To Create SSH Keys With PuTTY to Connect to CentOS7

Categories SSH

Log in with an SSH private key on Linux

Using a text editor, create a file in which to store your private key. This example uses the file private_key.txt.
To edit the file in nano, type the following command


# nano deployment_key.txt

Paste the private key into the file. Be sure to include the BEGIN and END lines.

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAx9ODcgSZFhPnZmW/VGWy/bXLKFBhOoTP9k4dhcJq17ZuG9KB
...
-----END RSA PRIVATE KEY-----

Run the following command to change the file permissions to 600 to secure the key. You can also set them to 400. This step is required:


# chmod 600 deployment_key.txt

Use the key to log in to the SSH client as shown in the following example, which loads the key in file private_key.txt, and logs in as user demo,to IP 192.237.248.66:


# ssh -i private_key.txt demo@192.237.248.66

When the prompt to confirm the connection request is displayed, type yes and then press Enter.

If your SSH key requires a password, enter it when prompted to complete the connection.

Categories SSH

How can I keep my SSH sessions Alive

Here is how to keep your ssh session from freezing and how to keep ssh alive.

Edit your ssh config file. Change to the following variables

# nano /etc/ssh/sshd_config
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 10000

Then, restart ssh

On CentOS:

# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
  • TCPKeepAlive – is there to ensure that certain firewalls don’t drop idle connections.
  • ClientAliveInterval – the server will wait 60 seconds before sending a null packet to the client to keep the connection alive.
  • ClientAliveCountMax – server will send alive messages to the client even though it has not received any message back from the client.

Using Putty Settings

  1. Start PuTTY.
  2. Load pone of your saved sessions.
  3. In the Category pane, click Connection.
  4. Look for ” Sending of null packets to keep session active”.
  5. In the Seconds between keepalives (0 to turn off), type 300. (With this configuration, PuTTY sends a packet to the server every 300 seconds -5 minutes – to keep the connection alive.
  6. In the Category pane, click Session.
  7. Click Save.
  8. Connect to your account and monitor the connection. If it still drops, gradually decrease the keepalive interval until the connection is stable.

Categories SSH

How to Secure SSH with Google Authenticator’s Two-Factor Authentication

Source: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/

Also, for CentOS: http://www.tecmint.com/ssh-two-factor-authentication/

Want to secure your SSH server with easy-to-use two-factor authentication? Google provides the necessary software to integrate Google Authenticator’s time-based one-time password (TOTP) system with your SSH server. You’ll have to enter the code from your phone when you connect.

Change OpenSSH Port CentOS

Want to change the ssh port for ssh? Here is a good tutorial.
(Note: If you are making these changes – ssh to the server and keep the terminal open as you make the changes. Test with a new terminal. This way if something is amiss – you are not locked out.)

Edit /etc/ssh/sshd_config, enter:

# vi /etc/ssh/sshd_config

Note:
The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value.

Uncomment the following and edit to set the port to 10221:

Port 10221

ListenAddress option

Note: If you have multiple IP address on the server, add you IP addresses.

ListenAddress as follows :

## bind sshd to two ip address on a non-standard port ##
ListenAddress 192.168.1.5:10221
ListenAddress 203.1.2.3:10221

Save and close the file.

Before you restart or reload sshd server. You need to update SELinux configuration or Firewall settings (iptables).

You also need to update firewall settings so that users can login using TCP # 10221. Edit, 

/etc/sysconfig/iptables and open sshd port 10221:
# vi /etc/sysconfig/iptables

Edit/append as follows:

 
## delete or comment out port 22 line ##
## -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
## open port 22
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10221 -j ACCEPT

Save and close the file. If you are using IPv6, edit /etc/sysconfig/ip6tables file too. Temporally, stop the firewall so that you will not loose the connectivity to the server:

# service iptables stop
# service ip6tables stop

Restart sshd on a CentOS 

# service sshd restart

Verify new port settings with the following netstat command:

# netstat -tulpn | grep sshd

Finally, start the firewall:

# service iptables start
## IPv6 ##
# service ip6tables start

Now, login with a different terminal to check the settings.

Categories SSH