fachinformatiker-wiki

it's easy when it's here

User Tools

Site Tools

Trace:
linux:remote_access:openssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
linux:remote_access:openssh [2022/11/12 16:33] gsyslinux:remote_access:openssh [2026/03/12 20:37] (current) – [Regenerate Host Keys] gsys
Line 1: Line 1:
 ====== OpenSSH ====== ====== OpenSSH ======
  
 +===== Permissions =====
 +
 +<code>
 +^ File/Folder             ^ Numeric  ^ Bitwise    ^
 +| ~/.ssh                  | 700      | drwx------ |
 +| ~/.ssh/id_rsa.pub       | 644      | -rw-r--r-- |
 +| ~/.ssh/id_rsa           | 600      | -rw------- |
 +| ~/.ssh/authorized_keys  | 600      | -rw------- |
 +| ~/.ssh/config           | 600      | -rw------- |
 +</code>
 ===== Harden SSH Access ====== ===== Harden SSH Access ======
  
 <file bash harden_ssh.sh> <file bash harden_ssh.sh>
 #!/bin/bash #!/bin/bash
 +
 cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
-grep "PasswordAuthentication yes" /etc/ssh/sshd_config 
-grep "PasswordAuthentication yes" /etc/ssh/sshd_config | sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ss> 
  
-grep "PermitRootLogin prohibit-password" /etc/ssh/sshd_config +grep "PasswordAuthentication" /etc/ssh/sshd_config 
-grep "PermitRootLogin prohibit-password" /etc/ssh/sshd_config | sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin no/g' />+grep "PasswordAuthentication yes" /etc/ssh/sshd_config | sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
  
-grep "PermitEmptyPasswords no" /etc/ssh/sshd_config +grep "PermitRootLogin" /etc/ssh/sshd_config 
-grep "PermitEmptyPasswords no" /etc/ssh/sshd_config | sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_c>+grep "PermitRootLogin yes" /etc/ssh/sshd_config | sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
  
-grep "KerberosAuthentication no" /etc/ssh/sshd_config +grep "PermitEmptyPasswords" /etc/ssh/sshd_config 
-grep "KerberosAuthentication no" /etc/ssh/sshd_config | sed -i 's/#KerberosAuthentication no/KerberosAuthentication no/g' /etc/ssh/>+grep "PermitEmptyPasswords no" /etc/ssh/sshd_config | sed -i 's/PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
  
-grep "GSSAPIAuthentication no" /etc/ssh/sshd_config +grep "KerberosAuthentication" /etc/ssh/sshd_config 
-grep "GSSAPIAuthentication no" /etc/ssh/sshd_config | sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_c>+grep "KerberosAuthentication no" /etc/ssh/sshd_config | sed -i 's/KerberosAuthentication no/KerberosAuthentication no/g' /etc/ssh/sshd_config 
 + 
 +grep "GSSAPIAuthentication" /etc/ssh/sshd_config 
 +grep "GSSAPIAuthentication no" /etc/ssh/sshd_config | sed -i 's/GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config 
 + 
 +grep "X11Forwarding" /etc/ssh/sshd_config 
 +grep "X11Forwarding yes" /etc/ssh/sshd_config | sed -i 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config
  
 systemctl restart sshd.service systemctl restart sshd.service
 </file> </file>
 +
 +
 +===== Regenerate Host Keys =====
 +
 +1. Regeneate Host Keys
 +<code>
 +sudo rm -v /etc/ssh/ssh_host_*          # delete old host keys
 +sudo dpkg-reconfigure openssh-server    # create new set of keys
 +sudo systemctl restart sshd             # restart service
 +</code>
 +
 +2. Delete old Public Keys from clients known_hosts files
linux/remote_access/openssh.1668267199.txt.gz · Last modified: (external edit)