Ubuntu server (which I access over a VPN) SSH with password auth, or public/private key auth?

I'm having a few issues getting this working. Basically I want to use my Windows machine, which will be connected over a VPN to a location where my ESX host is running; one of the VMs is an Ubuntu box.

Is it really that much of a security flaw to install OpenSSH and use password authentication?

I have turned password auth off and tried to generate the keys, but so far it's proving problematic.

I have logged on to my Ubuntu box and generated the SSH keys. I have an id_rsa file and an id_rsa.pub file in my ssh folder on the Linux box. I don't have a way of transferring them to the Windows box, but I can use the text editor and copy them both into Notepad++ on Windows. But what exactly do I do with them now? Do I have to use the public key with something like PuTTY?


Also, is it really worth going through all this hassle, or can I not just use password authentication over OpenSSH? Too many articles online saying I will be hacked.

Thanks all :)
 
Generate the key pair using PuTTYgen and paste the key part into "authorized_keys" on the Linux box.

Do not use password authentication and always change the default SSH port.

Use secure copy (scp [it's command line]). And it's worth the hassle. Change the default port too. Scanners can knock on 22 all they want then, they ain't getting a response.

Edit: Cheat sheet; http://www.hypexr.org/linux_scp_help.php

Yup, once SSH is set up you can use scp for file transfer. WinSCP is a nice GUI for Windows.

- Edit
Actually if you're going in via VPN and then connecting to SSH you really don't need to worry too much about keys. Password authentication should be fine (as long as there is nobody else that can get onto that network) as you won't be opening any ports.
 
Yeah, SSL VPN, but want to learn anyway.

Windows will be client, Ubuntu will be server. I will generate using PuTTYgen on Windows, then enable password auth so I can copy the id_rsa.pub file contents into the authorized_keys file on Ubuntu. I will have another go at scp, but if I can copy and paste, this might be easier.

What happens with the id_rsa, which is the private key? Do I need to do anything with that? Do I have to store these files anywhere else on the Windows box?

id_rsa.pub is obviously the public key, which as I said I will copy the contents of to authorized_keys.

Would I need the key from any machine I VPN from and connect to?
 
The public key (id_rsa.pub) goes on the server in the authorized_keys file in your user's ~/.ssh/ folder. If it doesn't exist it needs specific permissions which I don't recall off the top of my head (chmod 600 maybe?)

The private key (id_rsa) needs to stay somewhere on the Windows box and you need to point PuTTY at it. You'll need that on any machine you want to use to SSH into the server from.

Then it should all just magically work...
 
Tried doing what you said: generated the public and private key using PuTTYgen, copied them to a safe location, then copied the contents of the public key into the authorized_keys file on Ubuntu. There already seemed to be some sort of key string in this file with my username attached to the bottom of this string; however, I pasted the new one below it.

When I connect using PuTTY I point it to the private key, I get the login screen, enter my username, then press enter.

I get "Disconnected, no supported authentication methods available (Server sent: public key)"


Here is my config file for SSH


# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key



#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes


PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no



# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
AllowTcpForwarding no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

AllowUsers USERNAME
 
Try clearing your authorized_keys down and copying it back in. Also you might need to restart SSH (can't remember if you need to restart SSH after adding new keys?).
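
Added example, not written by any poster in this thread: a server-side check in Python for the two things the replies point at, the contents of authorized_keys and the permissions on it, given that the posted config sets StrictModes yes. It flags the multi-line RFC 4716 block that PuTTYgen's "Save public key" writes, keys broken across lines by a paste, and group- or world-writable paths. The function names and the sample line are constructed for illustration; option prefixes containing spaces and file ownership are not checked.

```python
import base64, os

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def blob_type(b64):
    """Algorithm name inside a base64 key blob, or None if malformed/truncated."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    first, off = None, 0
    while off < len(raw):  # each field: 4-byte big-endian length, then the bytes
        n = int.from_bytes(raw[off:off + 4], "big")
        off += 4 + n
        if off > len(raw):  # a field runs past the end: the key was cut short
            return None
        first = raw[off - n:off] if first is None else first
    return first.decode("ascii", "replace") if first else None

def check_authorized_keys(text):
    """Return (line_number, problem) pairs for the body of an authorized_keys file."""
    problems, in_block = [], False
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            problems.append((no, "RFC 4716 block, not the one-line OpenSSH form"))
            in_block = True
        elif line.startswith("---- END SSH2 PUBLIC KEY"):
            in_block = False
        elif line and not in_block and not line.startswith("#"):
            f = line.split()
            i = next((k for k, v in enumerate(f) if v in KEY_TYPES), None)
            if i is None:
                problems.append((no, "no key type; wrapped or partial paste?"))
            elif i + 1 >= len(f) or blob_type(f[i + 1]) != f[i]:
                problems.append((no, "key data truncated or not matching its type"))
    return problems

def strictmodes_problems(home):
    """Paths that are group- or world-writable, which StrictModes yes rejects."""
    paths = [home, os.path.join(home, ".ssh"),
             os.path.join(home, ".ssh", "authorized_keys")]
    return [p for p in paths if os.path.exists(p) and os.stat(p).st_mode & 0o022]

def sample_key_line():
    """Constructed ed25519-shaped line (all-zero key bytes) for trying the checks."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    return "ssh-ed25519 " + base64.b64encode(s(b"ssh-ed25519") + s(bytes(32))).decode() + " user@windows"
```

Run `check_authorized_keys(open(path).read())` on the file and `strictmodes_problems(os.path.expanduser("~"))` as the login user; both return an empty list when nothing is flagged.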
 