SSH Connections - LeandroTheDev/arch_linux GitHub Wiki
Installing OpenSSH
Install openssh and enable the service so it starts at boot
- sudo pacman -S openssh
- sudo systemctl enable sshd
To start sshd
- sudo systemctl start sshd
Better configure it before starting: a freshly installed sshd accepts password logins, so harden the configuration first.
Configuring
Open the configuration file
- sudo vim /etc/ssh/sshd_config
- Remove the # from the lines you need to change. A commented line shows the built-in default, and for each keyword sshd uses the first value it finds in the file.
Simple setup, the directives you will most likely change:
Port
AddressFamily
ListenAddress
My honest configuration for using ssh with RSA keys plus port forwarding
Include /etc/ssh/sshd_config.d/*.conf
Port 2920
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
LogLevel INFO
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
MaxSessions 10
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
PermitTTY yes
PrintLastLog yes
TCPKeepAlive yes
PermitUserEnvironment yes
PermitTunnel yes
Subsystem sftp /usr/lib/ssh/sftp-server
Notes on this configuration:
- Include is the first line, so the files in /etc/ssh/sshd_config.d/ are read before everything below it; since sshd keeps the first value it sees for a keyword, a directive in a drop-in file overrides the same directive in this file.
- PermitUserEnvironment yes lets a user set environment variables through ~/.ssh/environment and environment= options in authorized_keys; sshd_config(5) warns that this can be used to bypass restrictions (for example through LD_PRELOAD). Leave it at the default no unless something needs it.
- GatewayPorts yes makes remote forwards (-R) listen on all interfaces instead of loopback, so anything a user forwards back to the server becomes reachable from the network. It is not needed for the local (-L) forwarding described below.
- MaxAuthTries 2 counts every public key the client offers as one attempt, so a client with several keys loaded in its agent can be disconnected before the right one is tried; point the client at the right key with IdentityFile and IdentitiesOnly yes.
Allow login for specific users only (space-separated list; everyone else is refused even with a valid key):
AllowUsers username
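Added example (not from the wiki): a shell audit that reads an sshd_config the way sshd does (comments skipped, keywords case-insensitive, first value wins, Match blocks conditional) and flags the directives discussed above. The sample configuration it writes is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki: audit an sshd_config against the settings
# this page discusses. Mirrors how sshd reads the file: comments are skipped,
# keywords are case-insensitive, the FIRST value of a keyword wins, and
# directives after a Match line apply only to that match (skipped here).
# Include files are not followed; `sudo sshd -T` is the authoritative view.

# Print one line per risky directive ("file:line: Keyword value") and one
# "(default)" line for PasswordAuthentication if the file never sets it,
# because sshd's built-in default for it is yes.
audit_sshd_config() {
    awk '
    BEGIN {
        risky["permitrootlogin"]        = "yes"
        risky["passwordauthentication"] = "yes"
        risky["permitemptypasswords"]   = "yes"
        risky["permituserenvironment"]  = "yes"   # lets users inject LD_PRELOAD etc.
        risky["gatewayports"]           = "yes"   # -R forwards bind to all interfaces
        risky["x11forwarding"]          = "yes"
    }
    NF == 0 || $1 ~ /^#/ { next }                  # blank line or comment
    tolower($1) == "match" { inmatch = 1 }         # everything after Match is conditional
    inmatch { next }
    {
        key = tolower($1); val = tolower($2)
        if (key in seen) next                      # first occurrence wins
        seen[key] = 1
        if (key in risky && val == risky[key])
            printf("%s:%d: %s %s\n", FILENAME, FNR, $1, $2)
    }
    END {
        if (!("passwordauthentication" in seen))
            print "(default): PasswordAuthentication yes"
    }
    ' "$1"
}

# Constructed sample based on the configuration above, with a commented-out
# line, a duplicated keyword and a Match block to exercise the parsing rules.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 2920
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
PermitUserEnvironment yes
GatewayPorts yes
X11Forwarding yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Exit status for deploy scripts: 0 when nothing was reported, 1 otherwise.
sshd_config_is_clean() {
    [ -z "$(audit_sshd_config "$1")" ]
}
```

Before restarting sshd, `sudo sshd -t` checks the syntax and `sudo sshd -T` prints the effective values after Includes and Match blocks, which is what this script approximates.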
Security using RSA keys
Increasing the security is very important, so...
Create the keypair on the CLIENT
- ssh-keygen -t rsa -b 2048
This creates two files in ~/.ssh on the CLIENT: the private key id_rsa, which stays on the CLIENT and is never copied anywhere, and the public key id_rsa.pub, which goes to the SERVER. 2048 bits is the smallest RSA size worth using; 4096 bits (or an ed25519 key, -t ed25519) is the usual choice today.
Send the public key to the server: if the server has no key for you yet, copy it manually via pendrive, or create a temporary login and send it with the scp command.
If the server already has an authorized_keys file for this user, add the new key as a new line to it
- vim ~/.ssh/authorized_keys
otherwise just rename id_rsa.pub to authorized_keys
- mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
New line (one key per line; each line is the key type, the base64-encoded key and an optional comment)
ssh-rsa AABBB3NzaC2...
ssh-rsa AAAAB3NzaC1...
With StrictModes yes in sshd_config, sshd refuses the key (logging "bad ownership or modes") when ~/.ssh or authorized_keys is writable by group or others, so keep them at mode 700 and 600 and owned by the user.
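Added example (not from the wiki): installing a public key into authorized_keys by hand, for the pendrive case, with the checks ssh-copy-id performs and the file modes StrictModes yes expects. The function names, the sample keys and the scratch home directory are this example's own, not the author's.

```shell
#!/bin/sh
# Added example, not from the wiki: put a public key into a user's
# ~/.ssh/authorized_keys by hand (the pendrive case above) with the checks
# ssh-copy-id performs and the modes StrictModes yes insists on. The home
# directory is a parameter so the functions can run against a scratch dir.
#
#   install_authorized_key "$HOME" "$(cat /media/usb/id_rsa.pub)"

# True only for a single OpenSSH public-key line: known key type, base64
# blob, optional comment. A private key, a second line, or a line that
# starts with key options (environment=..., command=...) is rejected, so a
# stray options prefix cannot be smuggled in together with the key.
valid_pubkey() {
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# Append the key unless the same type+blob is already present (a different
# comment does not count as a new key). Runs in a subshell so the umask
# change does not leak into the caller.
install_authorized_key() (
    home="$1"; key="$2"
    valid_pubkey "$key" || { echo "refusing to install: not a public key line" >&2; exit 1; }
    keyid=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    dir="$home/.ssh"; file="$dir/authorized_keys"
    umask 077                            # anything created below is owner-only
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"   # StrictModes yes rejects a group/world-writable file
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$file"; then
        echo "already present: $keyid" >&2
        exit 0
    fi
    printf '%s\n' "$key" >> "$file"
)

# Number of keys in the file (non-empty, non-comment lines).
count_authorized_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}
```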
Edit the configuration to disable the other types of login
- sudo vim /etc/ssh/sshd_config
Uncomment and change
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
MaxAuthTries 2
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
Port forwarding with ssh security
- sudo vim /etc/ssh/sshd_config
Check that forwarding is allowed on the server
AllowTcpForwarding yes
Only AllowTcpForwarding is needed for the -L forward below. GatewayPorts only matters for remote (-R) forwards, where yes binds them to every interface instead of loopback, and PermitTunnel only matters for -w tun/tap tunnels; the configuration above leaves both at yes, but neither is required here.
You can forward a port by tunnelling it through the ssh connection
- ssh -p P1 -L P2:IP1:P3 -N user@IP2
- P1 = the port sshd listens on (2920 with the configuration above)
- P2 = the port that will listen on YOUR machine (bound to loopback unless you add a bind address or -g)
- IP1 = the destination host as seen from the SERVER; localhost means the server itself
- P3 = the port to reach on that destination
- IP2 = the SERVER address
- ssh -p 22 -L 6200:localhost:5900 -N user@123.123.12.12
If I connect to localhost:6200, the connection goes through the tunnel to the service listening on the server 123.123.12.12 at port 5900 (what the server itself sees as localhost:5900).
If everything works no message is printed (-N opens no shell); the port is forwarded and you can use the remote service as if it were local.
Remote Desktop (Xorg) Option 1 (Doesn't work)
Download xorg
- sudo pacman -S xorg
Create the X authority file for the profile
- touch ~/.Xauthority
- chmod 600 ~/.Xauthority
Enable X11 forwarding for the ssh connection
- sudo vim /etc/ssh/sshd_config
Uncomment and change
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
Client connection
- ssh -X user@host
- Download a desktop and start it
Remote Desktop (Xorg/Wayland) Option 2
Observations: use this with a different user than the one you normally use on this computer; the user exposed over VNC cannot use the GPU locally, so that account gets no local display, only remote sessions.
- sudo pacman -S virtualgl tigervnc
Set a password for the remote connection (stored in ~/.vnc/passwd; classic VNC authentication only uses the first 8 characters, so treat it as weak and keep the server on localhost as below)
- vncpasswd
- sudo vim /etc/tigervnc/vncserver.users
Add
:1=username
- vim ~/.vnc/config
Add
session=vglrun startplasma-x11 (or startxfce4, or the start command of your desktop)
geometry=1920x1080
localhost
alwaysshared
#rfbport = 3020
localhost makes the VNC server listen on 127.0.0.1 only, so from another machine you reach it through an ssh tunnel to the display's port (display :1 is TCP 5901 unless rfbport changes it) using the -L forwarding shown above, and the VNC password never travels unencrypted. Keep that line.
- vglserver_config
press 1, answer no to the groups questions and yes to disabling XTEST
Starting the server at boot
- sudo systemctl enable vncserver@:1.service
the number 1 is the display number configured in vncserver.users
Increasing the performance
- sudo vim /etc/X11/xorg.conf.d/10-vnc.conf
Add
Section "Module"
Load "vnc"
EndSection
Section "Screen"
Identifier "Screen0"
Option "UserPasswdVerifier" "VncAuth"
Option "PasswordFile" "/root/.vnc/passwd"
EndSection
Controlling the remote connection
- vim ~/.xprofile
Add
x0vncserver -rfbauth ~/.vnc/passwd &
This shares the running local display instead of the virtual one; nothing on this line restricts it to loopback the way localhost does in ~/.vnc/config, so only the VNC password protects it.
At this point the server is ready to receive connections; use tigervnc-viewer
- sudo systemctl start vncserver@:1.service