SSH Connections - LeandroTheDev/arch_linux GitHub Wiki

Installing OpenSSH

Install openssh

  • sudo pacman -S openssh
  • systemctl enable sshd

To start sshd

  • systemctl start sshd
  • Better to configure it before starting

Configuring

Open the configuration file

  • sudo vim /etc/ssh/sshd_config
  • Remove the # from the configuration lines you need.
  • Simple Setup:
Port
AddressFamily
ListenAddress

My honest configuration for using SSH with RSA keys plus port forwarding

Include /etc/ssh/sshd_config.d/*.conf

Port 2920
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

LoginGraceTime 2m
PermitRootLogin no
MaxAuthTries 6
MaxSessions 10
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
IgnoreUserKnownHosts no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowAgentForwarding yes
PermitTTY yes
PrintMotd yes
PermitTunnel yes
GatewayPorts yes
AllowTcpForwarding yes

Subsystem	sftp	/usr/lib/ssh/sftp-server

  • Allow login for a single user only: AllowUsers username


Security using RSA keys

Increasing security is very important, so...

Create the key pair to share with the SERVER

  • ssh-keygen -t rsa -b 2048

This creates 2 keys in your profile's .ssh directory: the private key (id_rsa), which stays on the CLIENT, and the public key (id_rsa.pub), which goes to the SERVER. Send the public key to the server: if the server doesn't have any yet you can copy it manually via a pen drive, or create a temporary login and send it with the scp command.

If the server already has a public key, add yours as a new line to the file

  • vim ~/.ssh/authorized_keys

otherwise just rename id_rsa.pub to authorized_keys

  • mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

The file with the new line added

ssh-rsa AABBB3NzaC2...
ssh-rsa AAAAB3NzaC1...

Edit the configuration to disable the other login methods

  • sudo vim /etc/ssh/sshd_config

Uncomment and change

HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
MaxAuthTries 2
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
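As an added example (not from the wiki), a small POSIX shell check that reads an sshd_config and compares the login settings from the two configurations above against the values this page recommends. The embedded sample config is constructed; the defaults used for unset keywords are the upstream OpenSSH defaults, assuming no distribution override.

```shell
#!/bin/sh
# Added example, not from the wiki: check an sshd_config against the key-only
# login settings this page recommends. sshd uses the first value it reads for a
# keyword, so later duplicates and commented lines are ignored here too; files
# pulled in by "Include" are not followed, so run it on the file that matters.

# Constructed sample; for real use: SAMPLE_CONFIG=$(cat /etc/ssh/sshd_config)
SAMPLE_CONFIG='# constructed sample, not a real server config
Port 2920
PermitRootLogin no
PasswordAuthentication yes
#PasswordAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
'

# effective_value KEYWORD CONFIG_TEXT: first uncommented value, empty if unset
effective_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        NF == 0 || /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# check_hardening CONFIG_TEXT: one OK/FAIL line per setting. Each spec is
# keyword:wanted:openssh-default, so an unset keyword is judged by its default.
check_hardening() {
    for spec in PermitRootLogin:no:prohibit-password \
                PasswordAuthentication:no:yes \
                PermitEmptyPasswords:no:no \
                PubkeyAuthentication:yes:yes \
                HostbasedAuthentication:no:no \
                IgnoreRhosts:yes:yes; do
        key=${spec%%:*}; rest=${spec#*:}
        want=${rest%%:*}; default=${rest#*:}
        got=$(effective_value "$key" "$1")
        shown=${got:-"$default (default)"}
        if [ "${got:-$default}" = "$want" ]; then
            printf 'OK    %-24s %s\n' "$key" "$shown"
        else
            printf 'FAIL  %-24s %s (want %s)\n' "$key" "$shown" "$want"
        fi
    done
}

# fail_count CONFIG_TEXT: number of FAIL lines; 0 means the config matches the page
fail_count() {
    check_hardening "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

check_hardening "$SAMPLE_CONFIG"
```

On the sample config the check flags only PasswordAuthentication, because the first (uncommented) line says yes and the later "no" never takes effect.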

Port forwarding over SSH

  • sudo vim /etc/ssh/sshd_config

Check that these 3 options are set to yes

PermitTunnel yes
GatewayPorts yes
AllowTcpForwarding yes

You can forward a port by tunnelling it through SSH

  • ssh -p P1 -L P2:IP1:P3 -N user@IP2
  • P1 = the port for accessing SSH
  • P2 = the port to redirect to on YOUR machine
  • P3 = the port to access on the SERVER
  • IP1 = YOUR machine address
  • IP2 = SERVER address
  • ssh -p 22 -L 6200:localhost:5900 -N user@123.123.12.12
  • If I connect to localhost:6200, I reach the service listening on 123.123.12.12:5900

If everything works, no message is printed; the port is forwarded and you can now freely access what you want.

Remote Desktop (Xorg) Option 1 (Doesn't work)

Installing xorg

  • sudo pacman -S xorg

Creating the X authority file for the profile

  • touch ~/.Xauthority
  • chmod 600 ~/.Xauthority

Enabling X11 forwarding for ssh connection

  • sudo vim /etc/ssh/sshd_config

Uncomment and change

AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

Client connection

  • ssh -X user@host
  • Install a desktop environment and start it

Remote Desktop (Xorg/Wayland) Option 2

Observation: use this with a different user than the one you normally use on your computer. The user running the remote share cannot use the GPU locally, so that user gets no local display session, only remote connections.

  • sudo pacman -S virtualgl tigervnc

Set up a password for the remote connection

  • vncpasswd
  • sudo vim /etc/tigervnc/vncserver.users

Add

:1=username

  • vim ~/.vnc/config

Add

session=vglrun startplasma-x11/startxfce4/startyourdesktop
geometry=1920x1080
localhost
alwaysshared
#rfbport = 3020

  • vglserver_config

Press 1, answer no to the group questions and yes to disabling XTEST.

Starting the server at boot

  • sudo systemctl enable vncserver@:1.service

The number 1 is the display number configured in vncserver.users.

Increasing the performance

  • sudo vim /etc/X11/xorg.conf.d/10-vnc.conf

Add

Section "Module"
Load "vnc"
EndSection

Section "Screen"
Identifier "Screen0"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"
EndSection

Controlling the remote connection

  • vim ~/.xprofile

Add

x0vncserver -rfbauth ~/.vnc/passwd &

At this point the server is ready to receive connections; use the TigerVNC viewer to connect.

  • sudo systemctl start vncserver@:1.service