I will explain how to do the following:
- Connect via ssh without a password
- Keep a program running after a disconnect
- Ask for 2FA (2 Factor Authentication) when password-less login does not work.
- Make ssh a little more secure
Configure for password-less authentication
Run the following commands on the local-machine. The first is needed only once. If the user is the same on both machines, you can leave out the user. The second is only needed once per machine.
ssh-keygen
ssh-copy-id user@remote-machine
ssh user@remote-machine
You are now able to log in without a password, which you do with the third line. This is much safer than typing in a password.
Connecting and keep the program running
When you connect, sometimes you will want the program to keep running. You can do this with screen or tmux. Both open a new session.
screen is very simple and is installed on many machines. tmux is far more advanced and much more is possible with it, but screen will do for this. To make the connection, run
ssh -t user@remote-machine screen -DR remote-machine
The second remote-machine is the session name. What the command does is ssh to the remote-machine and start screen with the session name remote-machine or reconnect to it if there already is a session with that name.
To disconnect and end the session, press CTRL+d. To close ssh but leave the session running, press CTRL-a d: first CTRL-a, then d. You can add the command to your .bashrc or .alias file and use it each time.
First install a 2 Factor Authentication app, like the one from LastPass, on your phone. Google 2FA also works, as do others.
The installation is easy. This is based on Debian 10.2. It should work on most deb based systems. If you change the install part to your distro's equivalent (e.g. zypper instead of apt), it should work.
Run the following on the machine where you want the 2FA to be active. This can be the local machine or the remote one after ssh. Default settings are used.
su -   # or sudo -i
apt install libpam-google-authenticator libqrencode3
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
exit
Open the app on your phone and scan the QR code from the terminal, or use the URL that is given. Now you need to restart the ssh server. As root or with root rights:
service sshd restart
Extra things that you can do
In sshd_config on the remote-machine you can disallow root login with "PermitRootLogin no" and allow only a specific user to log in with "AllowUsers user_name".
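To confirm that the 2FA edits and the two sshd_config settings above are really in effect, the following added example (not part of the original post) audits both files. The function names are assumptions made for illustration; pass /etc/ssh/sshd_config and /etc/pam.d/sshd as the two arguments.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Print the first active global value of an sshd_config keyword.
# sshd keeps the first value it reads, keywords are case-insensitive, and
# lines below a "Match" line apply only conditionally, so stop there.
sshd_value() {
    awk -v key="$1" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

# Check the files edited on this page. Usage: audit_ssh_2fa SSHD_CONFIG PAM_FILE
# Prints one FAIL line per finding and returns non-zero if there is any.
audit_ssh_2fa() {
    conf=$1 pam=$2 rc=0

    # The sed on this page rewrites only an exact
    # "ChallengeResponseAuthentication no"; a commented-out line is left
    # untouched, so confirm the result instead of assuming it.
    [ "$(sshd_value ChallengeResponseAuthentication "$conf")" = yes ] ||
        { echo "FAIL ChallengeResponseAuthentication is not set to yes"; rc=1; }

    [ "$(sshd_value PermitRootLogin "$conf")" = no ] ||
        { echo "FAIL PermitRootLogin is not set to no"; rc=1; }

    [ -n "$(sshd_value AllowUsers "$conf")" ] ||
        { echo "FAIL AllowUsers is not set"; rc=1; }

    # echo >> appends every time it runs: 0 active lines means the module is
    # not loaded, more than 1 means the setup step was repeated.
    n=$(grep -cE '^[^#]*pam_google_authenticator\.so' "$pam" || true)
    [ "$n" -eq 1 ] ||
        { echo "FAIL expected 1 pam_google_authenticator.so line, found $n"; rc=1; }

    return "$rc"
}
```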
You can copy the .google_authenticator file on the remote-machine to other places where Google Authenticator is installed, so you need only one key.
Use the Authenticator for Amazon and other services as well, e.g. your website.