

Secure Shell (SSH)

Policy

Users need to be in the ssh-users group to be granted SSH access to a server.

Root access through SSH is denied.

Public-key authentication is the only login method.

On systems where we have root access, a dtrike account will be created. This account has root access through sudo, and anyone whose public key is registered for it can log in to it.

For clients who want access without public keys, a second SSH server (dropbear) will be run on port 222, restricted by source IP address.
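As an added example (not part of the original page), the following shell functions audit an sshd_config file against the policy above: no root login, public keys only, membership of ssh-users. The function names and the two sample configs are constructed for the demo.

```shell
# Added example (not from the original wiki page): audit an sshd_config
# file against the policy above. Only the file is read, so no sshd is
# needed; Match blocks and Include directives are not evaluated.

# Print the effective value of a directive. sshd uses the FIRST occurrence
# of a keyword; keywords are case-insensitive and "#" starts a comment.
sshd_option() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(key) && !found {
            found = 1; val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
        }
        END { print val }' "$1"
}

# Return 0 if the file enforces the policy, else print each violation and
# return 1. PermitRootLogin and PasswordAuthentication must be set
# explicitly; relying on compile-time defaults is treated as a violation.
audit_sshd_policy() {
    cfg="$1"; rc=0
    [ "$(sshd_option "$cfg" PermitRootLogin)" = no ] ||
        { echo "PermitRootLogin must be no"; rc=1; }
    [ "$(sshd_option "$cfg" PasswordAuthentication)" = no ] ||
        { echo "PasswordAuthentication must be no"; rc=1; }
    # PAM keyboard-interactive can still prompt for a password unless it is
    # off; the directive was renamed in OpenSSH 8.7, so accept either name.
    if [ "$(sshd_option "$cfg" ChallengeResponseAuthentication)" != no ] &&
       [ "$(sshd_option "$cfg" KbdInteractiveAuthentication)" != no ]; then
        echo "ChallengeResponse/KbdInteractiveAuthentication must be no"; rc=1
    fi
    case "$(sshd_option "$cfg" PubkeyAuthentication)" in
        ""|yes) ;;  # yes is the OpenSSH default
        *) echo "PubkeyAuthentication must not be disabled"; rc=1 ;;
    esac
    case " $(sshd_option "$cfg" AllowGroups) " in
        *" ssh-users "*) ;;
        *) echo "AllowGroups must include ssh-users"; rc=1 ;;
    esac
    return $rc
}

# Demo on two constructed configs: a permissive one and a compliant one.
weak=$(mktemp); good=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$weak"
printf 'PermitRootLogin no\nPasswordAuthentication no\nKbdInteractiveAuthentication no\nAllowGroups ssh-users admins\n' > "$good"
audit_sshd_policy "$weak" || echo "weak config: NON-COMPLIANT"
audit_sshd_policy "$good" && echo "hardened config: compliant"
rm -f "$weak" "$good"
```

Run it against /etc/ssh/sshd_config on a server to see which lines the policy still needs; each violation is printed on its own line.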

Public Keys

Please put your public keys here so that you can have access to remote servers.


Managing Keys

You can have as many public keys as you like. When using ssh, if a key has a non-standard name (the defaults are id_rsa and id_dsa), you can specify which one to use with ssh -i <path to key>.

You can see which keys are authorized to log in by looking at ~/.ssh/authorized_keys. Each key is listed on its own line.

Key Generation

Open a terminal and run this command to create a new key. You can pick from two key types: RSA or DSA.

ssh-keygen -t dsa

Follow the prompts. If you want a key with no passphrase (for example, for use with cron jobs), leave the passphrase empty.

Once finished, your private and public keys will be in ~/.ssh/.

Your private key will be named id_dsa or id_rsa. Be sure to keep this file secret, and back it up somewhere secure. The id_dsa.pub or id_rsa.pub file is your public key. It can be freely given to anyone and copied to any box where you'd like to grant yourself SSH access.

Uploading a Public Key

If you have password-based authentication available on a server, there is a simple way to copy your public key over to allow key-based authentication.

ssh-copy-id -i ~/.ssh/id_dsa.pub user@server

This will automatically create the ~/.ssh directory on the new server, copy your public key to the authorized_keys file and set the correct permissions on the directory and the file.

Otherwise, make sure the permissions are set correctly: ~/.ssh should be 0700 and authorized_keys should be 0600. Without these permissions, public key authentication will not work.
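As an added example (not part of the original page), these shell functions check and repair the permissions described above and list the keys in an authorized_keys file. The function names and the demo directory are constructed; GNU stat is assumed.

```shell
# Added example (not from the original wiki page): audit a user's .ssh
# directory for the permissions required above and summarise the keys
# in authorized_keys. GNU stat is assumed; the directory is a parameter.

# Return 0 if the directory is 0700 and authorized_keys (if present) is
# 0600; otherwise report each problem and return 1.
check_ssh_perms() {
    dir="$1"; status=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    mode=$(stat -c %a "$dir")
    [ "$mode" = 700 ] || { echo "$dir is mode $mode, expected 700"; status=1; }
    if [ -f "$dir/authorized_keys" ]; then
        mode=$(stat -c %a "$dir/authorized_keys")
        [ "$mode" = 600 ] || { echo "$dir/authorized_keys is mode $mode, expected 600"; status=1; }
    fi
    return $status
}

# Apply the permissions ssh-copy-id would set.
fix_ssh_perms() {
    chmod 700 "$1" || return 1
    if [ -f "$1/authorized_keys" ]; then chmod 600 "$1/authorized_keys"; fi
}

# Print "<type> <comment>" for each key in an authorized_keys file. Blank
# lines and comments are skipped; an optional leading options field (e.g.
# from="10.0.0.0/8",no-pty) is handled by locating the key-type field.
list_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) {
                    comment = ""
                    for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
                    print $i, (comment == "" ? "(no comment)" : comment)
                    break
                }
            }
        }' "$1"
}

# Demo on a constructed, deliberately mis-permissioned directory.
demo=$(mktemp -d)/.ssh
mkdir -m 755 "$demo"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAA... alice@laptop\n' > "$demo/authorized_keys"
check_ssh_perms "$demo" || fix_ssh_perms "$demo"
list_authorized_keys "$demo/authorized_keys"; rm -rf "$(dirname "$demo")"
```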

Configuration

You can modify your configuration file for SSH to simplify connections.

Say, for example, you wanted to connect to a server on a non-standard port, without a DNS name. A terminal command might look like this:

ssh [email protected] -p 9822

You can put all these custom settings in ~/.ssh/config instead:

Host seekrit-server
User dumont
HostName 192.168.15.79
Port 9822

Then your command would be this:

ssh seekrit-server

This also works with any SFTP client.

Notes

Set up rate-limiting in the firewall so that only a certain number of new connection attempts per minute are accepted. Here's an example from Ubuntu's wiki.

# Create a chain that admits at most 3 new connections per minute (with a
# burst of 3) and drops the rest.
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
# Send only NEW connections to port 22 through that chain. Without the
# conntrack match here, packets of already-established sessions would enter
# the chain, fail the NEW test and be dropped by the final rule.
iptables -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -j rate-limit
# Note: the limit match counts all sources together; hashlimit with
# --hashlimit-mode srcip gives a per-source limit instead.