The full reference (Arch Wiki).
```sh
# Create new secure key with comment (User@Device#Realm)
ssh-keygen -t ed25519 -C Qasim@PC#QasimK
# Change passphrase of existing key
ssh-keygen -f ~/.ssh/id_ed25519 -p
# Add your public key to the remote server so you can log in with it
ssh-copy-id -i ~/.ssh/id_ed25519.pub email@example.com
```

ssh-copy-id appends your public key to the remote user's ~/.ssh/authorized_keys (pass the .pub file; the private key never leaves your machine).

~/.ssh/config: take a look at my-setup, but here is a reference:

```
# Add all new SSH key passphrases to ssh agent (doesn't seem to work)
AddKeysToAgent [yes|ask|confirm|no]
# This is default and unnecessary
IdentityFile ~/.ssh/id_rsa

Host MACHINE1
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_MACHINE1
```

Two caveats: AddKeysToAgent only adds a key at the moment it is used for a connection, and only if an agent is already running and SSH_AUTH_SOCK points at it, so with no agent started nothing happens. IdentityFile directives accumulate rather than override, so a global `IdentityFile ~/.ssh/id_rsa` is still offered to MACHINE1 even with `IdentitiesOnly yes`; leave the global line out if you want exactly one key per host.
TODO: SSH agent
~/.pam_environment is read by pam_env at login, so changes take effect on your next login; a reboot is not needed, and sourcing it from a shell is not equivalent (it is not shell syntax).

Test the config with `sudo sshd -t` (syntax and key sanity check) or `sudo sshd -T` (also dumps the effective configuration, including defaults) before restarting the daemon.
The following settings are ordered starting from the most significant, least invasive and easiest to set up:
- Prevent root login
- Use SSH keys only
- Use a less common port, e.g. 24 (a port below 1024 can only be bound by root, so a compromised unprivileged user cannot start a fake sshd on it)
- Only allow particular groups/users to login (such as
wheel, the administrative group)

```
PermitRootLogin no
PasswordAuthentication no
Port 24
AllowGroups wheel
AllowUsers qasim
```

Note that when both AllowUsers and AllowGroups are set a login must satisfy both (the directives are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups). `PasswordAuthentication no` does not stop PAM from prompting for a password over keyboard-interactive; add `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older OpenSSH) unless you are setting up the 2FA below, which needs it.
- Rate-limit attempts:
`sudo ufw limit OpenSSH` (denies an IP after 6 connection attempts in 30 seconds). NB: ufw's OpenSSH application profile is 22/tcp, so after changing Port use `sudo ufw limit 24/tcp` instead, otherwise the new port is not covered.
ssh-geoip (blacklist IPs rather than whitelist to prevent lockout) (not tested; IPv6?)
- Use an SSH bastion.
- Use fail2ban (not needed with SSH keys; lockout risk)
- Require 2FA:
libpam-google-authenticator (longer setup; not tested; has backup codes). Requiring key AND TOTP rather than either one needs `KbdInteractiveAuthentication yes` plus `AuthenticationMethods publickey,keyboard-interactive` in sshd_config.
- Mosh uses SSH for initial authentication.
- Requires UDP ports 60000–61000 to be open (you can get away with 60000–60010: `sudo ufw allow 60000:60010/udp`, and connect with `mosh --port=60000:60010 host` so the server picks a port inside that range).
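An added example (not part of these notes, not from the Arch Wiki) that audits an sshd_config file for the hardening settings listed above. It encodes the rule that matters most when reviewing such files: sshd uses the first value it sees for each keyword, so a later duplicate line is silently ignored, and a keyword that is absent gets sshd's default (PermitRootLogin prohibit-password, PasswordAuthentication yes, KbdInteractiveAuthentication yes). The function names `sshd_get` and `audit_sshd_config` are mine; it handles the `keyword value` spelling only, not `keyword=value`, and ignores Match blocks.

```sh
#!/bin/sh
# Audit an sshd_config for the hardening settings in the notes above.
# sshd takes the FIRST value it sees for each keyword, so we read the
# first occurrence outside any Match block. Keywords are case-insensitive,
# arguments are not. Handles "keyword value" lines only (assumption).

# sshd_get FILE KEYWORD -> prints the effective value, or "" if unset
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                    # comment line
        NF == 0 { next }                             # blank line
        tolower($1) == "match" { inmatch = 1; next } # stop at Match blocks
        inmatch { next }
        tolower($1) == key { print $2; exit }        # first match wins
    ' "$1"
}

# audit_sshd_config FILE -> one line per check; returns 1 if any check fails
audit_sshd_config() {
    file=$1; rc=0
    # "Keyword  wanted-value  sshd-default-when-absent"
    for spec in \
        "PermitRootLogin no prohibit-password" \
        "PasswordAuthentication no yes" \
        "KbdInteractiveAuthentication no yes" \
        "PubkeyAuthentication yes yes"
    do
        set -- $spec
        key=$1; want=$2; default=$3
        got=$(sshd_get "$file" "$key")
        [ -n "$got" ] || got=$default            # absent keyword -> default
        if [ "$got" = "$want" ]; then
            printf 'ok    %s = %s\n' "$key" "$got"
        else
            printf 'FAIL  %s = %s (want %s)\n' "$key" "$got" "$want"
            rc=1
        fi
    done

    port=$(sshd_get "$file" Port)
    [ -n "$port" ] || port=22
    [ "$port" = 22 ] && printf 'WARN  Port = 22 (default; scanners hit it first)\n'

    users=$(sshd_get "$file" AllowUsers)
    groups=$(sshd_get "$file" AllowGroups)
    if [ -z "$users" ] && [ -z "$groups" ]; then
        printf 'WARN  no AllowUsers/AllowGroups: every local account may log in\n'
    elif [ -n "$users" ] && [ -n "$groups" ]; then
        printf 'note  AllowUsers and AllowGroups both set: a login must pass both\n'
    fi
    return $rc
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config`. Because the checks stop at the first Match block, a `Match` section that re-enables passwords for one user is not reported; `sshd -T -C user=NAME` is the authoritative way to see what sshd would actually apply to a given login.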