SSH. SSH Key-Based Authentication. MOTD. Run GUI apps remotely. Two-factor authentication

SSH (Secure Shell) is a widely used secured network protocol to access remote computers in a network.

• OpenSSH server is the best connectivity tool for remote login with the SSH protocol.

1. Let’s install it (Ubuntu, Debian): sudo apt install openssh-server.

   Enable SSH in a Raspberry Pi. It allows you access the command line of a Raspberry Pi remotely from another computer or device on the same network: sudo raspi-config, Interface Options, SSH.

   raspi-config helps you to configure your Raspberry Pi. It enables you to configure various settings of your Raspbian PI, such as the keyboard layout, the timezone, the password for the pi user, the SSH access, etc.

2. Display the IP addresses assigned to all interfaces: ip address show. If you don’t know your Raspberry Pi’s IP address, open a Terminal window and type: hostname -I.

3. If you want to connect to your server, you can use Putty (Windows) or need to invoke the ssh command followed by your username, the arroba @, and the IP address in the following format:

   ssh myUserName@myIpAddress
   
   # You may want to create an alias in your .bashrc: 
   alias sshServer = 'ssh myUserName@myIpAddress'
   

4. You may want to change the default behavior of the OpenSSH server application by editing the file sudo vi /etc/ssh/sshd_config. man sshd_config is the man’s page about the OpenSSH daemon configuration file.

       Port 2134 # By default the sshd daemon listens on port 22. We can change the port used by the server.
       PermitRootLogin no # It does not allow the root user to login directly.
       Banner /etc/issue.net # It displays a banner or message (it specifies the file containing this message) when a user tries to authenticate cto our server
       PasswordAuthentication no # It disables authentication by password. It only allows login by public keys.
   

5. Then, you should check or test the validity of your configuration file, sudo sshd -t -f /etc/ssh/sshd_config and restart the daemon sudo systemctl restart sshd.service

6. Troubleshooting: Is ssh running? sudo systemctl status ssh.

7. If the firewall is enabled on your system, you need to open up the SSH port: sudo ufw allow ssh

8. To start the sshd service: sudo systemctl start sshd.service. To enable and start sshd at boot time: sudo systemctl enable sshd.service.

• SSH Key-Based Authentication.

1. Generate an SSH key pair on the client (your local computer): ssh-keygen. By default, the keys will be stored in the ~/.ssh directory, the private key will be called id_rsa and the associated public key will be called id_rsa.pub.

2. Next, copy the public key to the SSH server:

     ssh-copy-id -i ~/.ssh/id_rsa.pub userName@ServerIPAddress
   

   It uses a locally available public key to authorize logins on a remote machine. ssh_copy uses ssh to log into a remote machine and adds the local computer’s public key to the remote server’s ~/.ssh/authorized_keys, e.g., cat .ssh/authorized_keys:

   ssh-rsa CSDAAAB3NzaC1yc……asdSRTXmRQ.== myName@gmail.com

3. Import SSH keys to a new machine

  mkdir -p ~/.ssh/ # First, we need to create the .ssh directory, copy the public and private keys to this directory.
  # Set the right permissions
  chmod 700 ~/.ssh/
  chmod 600 ~/.ssh/id_rsa
  chmod 600 ~/.ssh/id_rsa.pub

• Create a Custom MOTD or Login Banner

  # Credits: Putorius.net. Create a Custom MOTD or login banner in Linux
  sudo bash -c $'echo "neofetch" >> /etc/profile.d/mymotd.sh && chmod +x /etc/profile.d/mymotd.sh'

Please observe that any script in the /etc/profile.d folder will run when a user logs in.

• Set up and use X11 forwarding.

It allows you to run GUI-based applications that are running on the remote server, but they are being displayed on your local machine.

1. vim /etc/ssh/sshd_config: “X11Forwarding yes”
2. Restart the sshd service: sudo systemctl restart ssh.
3. If you want to allow the use of graphical applications, you need to add -Y flag:

     ssh -Y userName@ServerSSHIPAddress
   

4. Finally, you can try to run graphical X applications over SSH: vlc & or geany &.

• Keep Alive SSH Sessions

To enable the keep-alive system-wide SSH Sessions, edit vim /etc/ssh/ssh_config:

    TCPKeepAlive yes
    ClientAliveInterval 600 # It send a null packet to the client every 600 seconds (10 minutes)
    ClientAliveCountMax 3 # It will abort the session if it does not receive any response after 3 tries.

• Install and configure SSH to use two-factor authentication

1. sudo apt install openssh-server libpam-google-authenticator.
2. sudo vi /etc/pam.d/sshd: auth required pam_google_authenticator.so (it makes SSH use the Google Authenticator PAM module).
3. Restart the sshd daemon using: sudo systemctl restart sshd.service.
4. sudo vi /etc/ssh/sshd_config:

   ChallengeResponseAuthentication yes 
   PasswordAuthentication no (Disable Password Authentication because a lot of people with SSH servers use weak passwords) 
   Banner /etc/issue.net (Display warning message) 
   PermitRootLogin no (Disable root SSH login) 
   

5. vi /etc/ssh/sshd-banner:

   WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected.

6. google_authenticator: Do you want authentication tokens to be time-based, select y(es).
   Use Google Authenticator, scan the QR code, and enter the code from the app.
   Do you want me to update your $HOME/.google_authenticator file? y(es).
   Do you want to disallow multiple uses of the same authenticaation token? y(es)
   Do you want to do so?(Increase the original generation time limit) n(o).
   Do you want to enable rate-limiting? y(es, it limits attackers to no more than 2 login attempts every 30s).