Tag Archives: SSH

Configuring a Linux Server – Part 1: Sudoer user and SSH

This will be a series of posts about configuring a Linux server (I’m working with Ubuntu, but it should work with minor changes on other distributions). I have done this several times now by reviewing different websites and blogs, so I wanted to write a guide that works for me (and maybe for others too).

First, we create a user to avoid using root (in case you are not using the default Ubuntu installation, which asks you to create a user):

$ adduser myuser
Adding user 'myuser' ...
Adding new group 'myuser' (1000) ...
Adding new user 'myuser' (1000) with group 'myuser' ...
Creating home directory '/home/myuser' ...
Copying files from '/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for myuser
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y

It is also possible to use the command useradd (a native Linux command, not that user-friendly) instead of adduser (a Perl script that makes user creation a little easier).

We need to add this user to the sudoers (users that are able to use the sudo command to make changes to the system):

$ visudo

And add the following line:

myuser  ALL=(ALL) ALL

Then, we need to harden the SSH server (be very careful with these modifications, because if SSH is the only way you have to configure your server, any error may leave you locked out of your box).

Before making any change, we had better make a backup of the original config file:

$ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk

Then, we need to change the following parameters on /etc/ssh/sshd_config:

  • Port Number: Change it to any random port number; try to use one that no known service uses (see the list of services here).
  • Listen Address: Instead of listening on every interface of your server, listen only on the main IP address.
  • Protocol: Make sure that this parameter is set to 2 (instead of 2,1).
  • If possible, avoid root login by disabling PermitRootLogin. All root operations can be done using the sudo command (at least on Debian/Ubuntu-based distributions). Make sure you have created other users on your box, and add them to the list of users allowed to log in through SSH (the AllowUsers [username1] [username2] parameter).
  • Disable X11Forwarding.
  • Replace password authentication with public/private keys. To do this, make sure your users have their private keys and that the public keys are configured on the server. Then, disable the PasswordAuthentication and UsePAM parameters. Make sure that the RSAAuthentication and PubkeyAuthentication parameters are enabled.
  • If you have noticed that the OpenSSH server may take a while between entering your username and showing the password prompt, it is because it tries to do some DNS lookups. You can avoid this by disabling the UseDNS parameter.

You should end with a file like this:

Port XXXX
ListenAddress XXX.XXX.XXX.XXX
[...]
PermitRootLogin no
[...]
RSAAuthentication yes
PubkeyAuthentication yes
[...]
PasswordAuthentication no
[...]
X11Forwarding no
[...]
UsePAM no
UseDNS no
AllowUsers myuser user2

Then, we need to restart the SSH server by doing:

$ /etc/init.d/ssh restart

Do not close your current session; just open another one to your box using the new port. This way we make sure we are not locked out of it.
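As an added example (not part of the original post), here is a small POSIX shell audit of the settings listed above, meant to be run before restarting sshd. It relies on the fact that sshd takes the first uncommented occurrence of each keyword, so a duplicate left higher in the file silently overrides a hardened line added at the end; the sample config embedded in it is constructed, and the function names are my own.

```bash
# Added example, not from the original post: audit an sshd_config against the
# settings listed above. For a real check run: audit_sshd_config /etc/ssh/sshd_config
# Effective value of a keyword. sshd uses the FIRST uncommented occurrence, so a
# hardened line appended at the end is ignored if an earlier line sets the same
# keyword. Keywords are case-insensitive; Match blocks are not handled here.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# Compare one directive with the wanted value; returns 1 on mismatch.
check_directive() {
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "OK    $2 $got"; return 0
    fi
    echo "FAIL  $2 is '${got:-unset}', expected '$3'"; return 1
}
# Run every check from the post; the exit status is the number of failures.
audit_sshd_config() {
    cfg=$1; failures=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no" \
                "PubkeyAuthentication yes" "X11Forwarding no" \
                "UsePAM no" "UseDNS no"; do
        check_directive "$cfg" "${pair% *}" "${pair#* }" || failures=$((failures + 1))
    done
    port=$(effective_value "$cfg" Port)   # absent means the default, 22
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL  Port is still the default 22"; failures=$((failures + 1))
    fi
    [ -n "$(effective_value "$cfg" AllowUsers)" ] ||
        { echo "FAIL  AllowUsers is not set"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed sample: looks hardened, but the first PermitRootLogin line wins.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 2222
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers myuser user2
PermitRootLogin no
EOF
if audit_sshd_config "$SAMPLE"; then echo "all checks passed"; else echo "failures: $?"; fi
rm -f "$SAMPLE"
```

On the constructed sample the audit reports exactly one failure, PermitRootLogin, because the earlier "yes" is the value sshd will actually use.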

On the next post I will be configuring IPTables as a firewall for our box.

UPDATE 17/Apr/2010: Parameter PasswordAuthentication included for disabling keyboard-interactive authentication.

In this link you can find a very good explanation of the main options in the SSH config file.

Converting a PuTTY key to an OpenSSH key

If you know what PuTTY is and use it with some regularity, at some point you will probably need to convert one of its private keys to the OpenSSH format to use it on Linux. What do I mean? Doing something like:

ssh usuario@servidor

from a Linux console and getting straight into the server, without having to remember or type the password every time.

We will need the puttygen tool (found in the putty-tools package) to do the conversion. On Ubuntu (or any other Debian-based distribution), it is enough to run:

sudo apt-get install putty-tools

Once the tool is installed, we create the .ssh directory (where we will store our key) in our home directory, in case it does not exist yet:

mkdir ~/.ssh

Then we change its permissions so that it is only accessible by our user:

chmod 700 ~/.ssh

Next, we perform the conversion (you can see all the options of the puttygen command here):

puttygen nombre-de-nuestra-clave-de-putty.ppk -O private-openssh -o ~/.ssh/id_rsa

If our PuTTY key has a passphrase, it will ask for it.

Then we make sure the permissions on the newly created key are correct:

chmod 600 ~/.ssh/id_rsa

Finally, we only need to enter the passphrase once during our whole session and we will be able to connect to any machine we want without needing the password.

PS: I found that the reverse procedure (from an OpenSSH key to a PuTTY key) is explained here.