Secure Shell (SSH)
Policy
Users need to be in the ssh-users group to be granted SSH access to a server.
Root access through SSH is denied.
Public-key authentication is the only login method.
On systems where we have root access, a dtrike account will be created. This user will have root access through sudo. The account will also be accessible to anyone with a public key.
For clients who want to have access without public keys, a second SSH server will be run on port 222 (dropbear) with IP address restriction.
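The policy above maps onto four sshd_config keywords. The following script, an added example that is not part of the original page, audits a given sshd_config against them; the sample configs it writes are constructed for the demonstration, and the keyword names are the real OpenSSH ones.

```shell
#!/bin/sh
# Audit an sshd_config file against the policy above:
#   AllowGroups ssh-users        only members of ssh-users may log in
#   PermitRootLogin no           root may not log in over SSH
#   PasswordAuthentication no    public keys are the only login method
#   PubkeyAuthentication yes
# Prints one line per violation; returns 1 if any were found.

# sshd honours the FIRST occurrence of a keyword, so we read the first
# uncommented value, not the last.  Keywords are case-insensitive.
first_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

check_sshd_policy() {  # $1 = sshd_config path
    f="$1"; rc=0
    for pair in "PermitRootLogin:no" "PasswordAuthentication:no" \
                "PubkeyAuthentication:yes" "AllowGroups:ssh-users"; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(first_value "$key" "$f")
        if [ "$got" != "$want" ]; then
            echo "VIOLATION: $key is '${got:-unset}', policy requires '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for demonstration (not from any real host).
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat >"$good" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-users
EOF
cat >"$bad" <<'EOF'
#PermitRootLogin no       <- commented out, so it does not count
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

check_sshd_policy "$good" && echo "$good: compliant"
check_sshd_policy "$bad"  || echo "$bad: NOT compliant"
```

Run it as a quick pre-deployment check; the missing AllowGroups line in the second sample is reported as "unset" because the policy requires it explicitly.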
Public Keys
Please put your public keys here so that you can have access to remote servers.
Managing Keys
You can have as many public keys as you like. When using ssh, you can specify which one to use, if it has a non-standard name (the defaults are id_rsa and id_dsa), with ssh -i <path to key>
You can see which keys are authorized to log in by looking at ~/.ssh/authorized_keys. Each key is listed, one per line.
Key Generation
Open a terminal and run this command to create a new key. You can pick from two key types: RSA or DSA.
ssh-keygen -t dsa
Follow the prompts. If you want to use a key with no passphrase (for example, for use with cron jobs) then leave the passphrase empty.
Once finished, your private and public key will be in ~/.ssh/. Your private key will be named id_dsa or id_rsa. Be sure to keep this file secret, and back it up somewhere secure. The id_dsa.pub or id_rsa.pub file is your public key. It can be freely given to anyone and copied to any box where you'd like to grant yourself SSH access.
Uploading a Public Key
If you have password-based authentication available on a server, there is a simple way to copy your public key over to allow key-based authentication.
ssh-copy-id -i ~/.ssh/id_dsa.pub user@server
This will automatically create the ~/.ssh directory on the new server, copy your public key to the authorized_keys file, and set the correct permissions on the directory and the file.
Otherwise, make sure the permissions are set correctly. .ssh should be set to 0700, and authorized_keys set to 0600. Without these permissions, public key authentication will not work.
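The permission check and the one-key-per-line layout of authorized_keys described above, as an added example that is not part of the original page. It builds a throwaway .ssh directory with placeholder key material, shows the check failing on over-permissive modes, fixes them, and lists the authorized keys; it assumes GNU coreutils `stat -c` (Linux).

```shell
#!/bin/sh
# Verify the modes the page requires on ~/.ssh (0700) and authorized_keys
# (0600), and list the keys that file authorizes, one per line.
# Assumes GNU coreutils `stat -c` (Linux); on BSD/macOS use `stat -f %Lp`.

mode_of() { stat -c '%a' "$1"; }   # octal mode, e.g. 700 or 600

check_ssh_perms() {  # $1 = path to a .ssh directory; returns 1 on any problem
    d="$1"; rc=0
    if [ "$(mode_of "$d")" != "700" ]; then
        echo "BAD: $d is mode $(mode_of "$d"), expected 0700"; rc=1
    fi
    if [ -f "$d/authorized_keys" ] && \
       [ "$(mode_of "$d/authorized_keys")" != "600" ]; then
        echo "BAD: $d/authorized_keys is mode $(mode_of "$d/authorized_keys"), expected 0600"; rc=1
    fi
    return $rc
}

# Print "keytype comment" for each key line; blank and comment lines are
# skipped.  Lines that start with options (e.g. from="...") are not parsed.
list_authorized_keys() {  # $1 = authorized_keys file
    awk '!/^[ \t]*#/ && NF > 0 && $1 ~ /^(ssh-|ecdsa-)/ { print $1, $3 }' "$1"
}

count_authorized_keys() { list_authorized_keys "$1" | wc -l | tr -d ' '; }

# Constructed sample .ssh directory; the key material is a placeholder.
sshdir=$(mktemp -d)
trap 'rm -rf "$sshdir"' EXIT
cat >"$sshdir/authorized_keys" <<'EOF'
# Abish
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA...PLACEHOLDER... abish@workstation
# Steve
ssh-dss AAAAB3NzaC1kc3MAAACBAO...PLACEHOLDER... steve@lenny
EOF

chmod 755 "$sshdir"; chmod 644 "$sshdir/authorized_keys"  # too permissive
check_ssh_perms "$sshdir" || echo "-> fixing permissions"
chmod 700 "$sshdir"; chmod 600 "$sshdir/authorized_keys"
check_ssh_perms "$sshdir" && echo "permissions OK"
list_authorized_keys "$sshdir/authorized_keys"
```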
Configuration
You can modify your configuration file for SSH to simplify connections.
Say, for example, you wanted to connect to a server on a non-standard port, without a DNS name. A terminal command might look like this:
ssh dumont@192.168.15.79 -p 9822
You can put all these custom settings in ~/.ssh/config instead:
Host seekrit-server
    User dumont
    HostName 192.168.15.79
    Port 9822
Then your command would be this:
ssh seekrit-server
This also works with SFTP clients.
Notes
Set up rate-limiting in the firewall so that users can only attempt a limited number of new connections per minute. Here's an example from Ubuntu's wiki.
# create a chain for SSH rate-limiting
iptables -N rate-limit
# allow at most 3 new connections per minute (burst of 3); these return to INPUT
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
# anything over the limit is dropped
iptables -A rate-limit -j DROP
# send new SSH connections through the chain first
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit