
ssh Configuration


On a Linux or Unix system, ssh is used to make a secure connection to a remote machine. This connection can be used as a communications transport for other programs. In this article I describe how to set up an encrypted ssh connection between two machines. This connection can be used to log in to the remote machine, synchronize files between the machines, or display locally the GUI of a program running on a remote machine.

For the purposes of this article, alfa and beta are the peer machines we wish to configure. Both have a user account named bill.

Install openssh

The first step is to install openssh on machine alfa:

bill@alfa: sudo apt-get install openssh-server openssh-client
bill@alfa: sudo apt-get install rssh molly-guard openssh-blacklist openssh-blacklist-extra

We install both the ssh client and server portion as we will both be ssh'ing from and to these machines. The packages on the second line are optional, but a good idea. Refer to the man pages for more information.

At this point, we could use ssh to access a remote machine (running an ssh server) and be prompted for a password to validate access. Password login validation for ssh is a bad idea because it leaves the server exposed to password guessing. Instead we follow the steps below to exchange security keys with the target machine and eliminate the ability to ssh using a password.

Create the encryption key on alfa:

bill@alfa: ssh-keygen -t rsa -C "user bill on alfa"

Enter a filename, for example: bill_on_alfa. If the generated files are not created in ~/.ssh, move them there. The -C comment at the end of the command is optional, but a good idea as it helps human readers identify the key. The public portion of the key and the comment end up as part of the identity string in alfa's authentication agent, and in beta's authorized_keys file.

Now add the RSA identity to alfa's authentication agent. On alfa, type:

bill@alfa: ssh-add bill_on_alfa

Listing the RSA identities in alfa's authentication agent is done by:

bill@alfa: ssh-add -L

You should see the public key parameter of the just generated key as well as the "user bill on alfa" comment.

Since the identity is registered in alfa's authentication agent, we can use the 'short form' of ssh-copy-id to propagate the public key to beta's authorized_keys file.

bill@alfa: ssh-copy-id beta.local

This command behaves nicely, creating the authorized_keys file if none exists, or appending the key if the file already exists.

Test the configuration by using ssh to connect to beta. No password should be required if things are configured correctly:

bill@alfa: ssh beta.local
bill@beta:

To test this further, rename beta's authorized_keys to another filename. An ssh from alfa to beta should again require a password. Restore beta's authorized_keys to restore the ssh key configuration.

ssh Password Security

The best password security for ssh is removing the ability to ssh using a password!

Since a key has been installed for authentication, we no longer need a password to log in. Let's change the ssh server settings on beta to only authenticate using a key. First, make a write protected backup of the original sshd_config file:

bill@beta: sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
bill@beta: sudo chmod a-w /etc/ssh/sshd_config.bak

The sshd_config file contains password authentication settings. To remove the possibility to log in with a password, we find the line:

#PasswordAuthentication yes

And replace it with a line that looks like this:

PasswordAuthentication no

What editor will you use to make the change? If you answered Emacs, then no further hoops need jumping through as Emacs can run from the command line. Alternatively, gedit can be run with a little ssh magic: X11 forwarding.

From alfa, start gedit on beta, but have the GUI displayed on alfa:

bill@alfa: ssh -X beta.local
bill@beta: sudo gedit /etc/ssh/sshd_config

For the password authentication setting to take effect we need to restart the ssh server on beta.

bill@beta: sudo /etc/init.d/ssh restart

That's it. Now only a holder of a key listed in beta's authorized_keys (so far, bill on alfa) can ssh to beta. Invert the instructions above for the secure ssh connection from beta to alfa.
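As an added example (not from the original article), here is a small POSIX shell check of the sshd_config edit described above: it reads a config text and reports whether password logins are still permitted, honouring sshd's rules that the first occurrence of a keyword wins and that a line left commented out means the default, which is yes. The sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: report whether an
# sshd_config text still allows password logins, following sshd's rules:
# keywords are case-insensitive, '#' starts a comment, "keyword value" may
# also be written "keyword=value", the FIRST occurrence of a keyword wins,
# lines after a "Match" line are conditional (ignored here: global section
# only), and an absent keyword means the compiled-in default, "yes".
password_auth_enabled() {
    value=$(printf '%s\n' "$1" \
        | sed -e 's/#.*$//' -e 's/=/ /' \
        | awk 'tolower($1) == "match" { exit }
               tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    case "$value" in
        no) echo no ;;    # explicitly disabled
        *)  echo yes ;;   # "yes", or unset -> default yes
    esac
}

# Constructed sample configs (not copied from any real host).
BEFORE='# stock file as shipped, before the edit
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no'

AFTER='Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no'

# The first occurrence wins, so a later "yes" does not re-enable passwords...
FIRST_WINS='PasswordAuthentication no
PasswordAuthentication yes'

# ...but a "no" that only appears inside a Match block is not global.
MATCH_ONLY='PasswordAuthentication yes
Match User bill
    PasswordAuthentication no'

for name in BEFORE AFTER FIRST_WINS MATCH_ONLY; do
    eval "cfg=\$$name"
    printf '%-11s password login: %s\n' "$name" "$(password_auth_enabled "$cfg")"
done
```

On a live host, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually uses after all of these rules are applied. Note that with PAM in use, keyboard-interactive authentication (ChallengeResponseAuthentication in this era of OpenSSH) can still prompt for a password unless it is set to no as well.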

Extras

We have already seen X11 forwarding with gedit over X. Another powerful tool is the use of rsync over ssh. I use this to keep my files synchronized between my machines. I gain the ability to work on local files on my machines, with the bonus side effect of having each machine function as a file backup repository.

bill@alfa: rsync --progress -avz -e ssh bill@beta.local:~/Desktop/bu/ ~/Desktop/bu

It is a good idea to experiment first with an additional parameter, -n, so that a 'dry run' is done with no changes.

Notes:

Finally, it pays to be security conscious. After making these ssh changes to your computers, run:

bill@alfa: nmap 192.168.1.0-255

Change '192.168' if your internal network uses a different configuration. Ensure that you know what all the open ports in the resulting report are doing.

Enjoy!


©2011 Bill Ola Rasmussen