Connect over SSH

I will explain how to do the following:

  • Connect via ssh without a password
  • Keep a program running after a disconnect
  • Ask for 2FA (2 Factor Authentication) when password-less login does not work
  • Make ssh a little more secure

Configure for password-less authentication

Run the following commands on the local-machine. The first is needed only once. If the user is the same on both machines, you do not need to add the user. The second is only needed once per machine.

ssh-keygen
ssh-copy-id user@remote-machine
ssh user@remote-machine

You are now able to log in without a password, which you do with the third line. This is much safer than typing in a password.

Connect and keep the program running

When you connect, sometimes you will want a program to keep running after you disconnect. You can do this with screen or tmux. Both open a new session. screen is very simple and is installed on many machines. tmux is far more advanced and can do much more, but screen will do for this. To make the connection, run

ssh -t user@remote-machine screen -DR remote-machine

The second remote-machine is the session name. What the command does is ssh to the remote-machine and start screen with the session name remote-machine or reconnect to it if there already is a session with that name.

To disconnect and end the session, press CTRL-d. To close ssh but leave the session running, press CTRL-a d: first CTRL-a, then d. You can add the command to your .bashrc or .alias file and use it each time.

Configuring 2FA

First install a 2 Factor Authentication app, like the one from LastPass, on your phone. Google 2FA works as well, as do others.

The installation is easy. This is based on Debian 10.2. It should work on most deb-based systems. If you change the install part to your distro's package manager (e.g. zypper instead of apt), it should work there too.

Run the following on the machine where you want the 2FA to be active. This can be the local machine or the remote one after ssh. Default settings are used.

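su - #or sudo -i
# install the PAM module and the library used to draw the QR code
apt install libpam-google-authenticator libqrencode3
# make sshd's PAM stack ask for the verification code
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
# let sshd show the PAM prompt
sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
exit
# as the user who will log in: prints the QR code and writes ~/.google_authenticator
google-authenticator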

Open the app on your phone and scan the QR code from the terminal, or use the URL that is given. Now you need to restart the ssh server. As root or with root rights:

service sshd restart

Extra things that you can do

In sshd_config on the remote-machine you can disallow root login with "PermitRootLogin no" and allow only a specific user to log in with "AllowUsers user_name".
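
To check that the settings from the 2FA section and the two options above actually took effect, here is an added example (not part of the original page) that audits copies of sshd_config and /etc/pam.d/sshd. The function names effective_value and audit_2fa are hypothetical, the sample files are constructed, and it assumes the config uses no Include or Match blocks.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# Print the value sshd uses for a keyword: keywords are case-insensitive and
# the first occurrence wins. Assumption: no Include or Match blocks; on a
# live host `sshd -T` (as root) gives the authoritative answer.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print one finding per line; return 1 if there is any finding.
audit_2fa() {
    cfg=$1; pam=$2; bad=0
    cra=$(effective_value "$cfg" ChallengeResponseAuthentication)
    [ "$cra" = yes ] || { echo "ChallengeResponseAuthentication: '${cra:-unset}'"; bad=1; }
    root=$(effective_value "$cfg" PermitRootLogin)
    [ "$root" = no ] || { echo "PermitRootLogin: '${root:-unset}'"; bad=1; }
    [ -n "$(effective_value "$cfg" AllowUsers)" ] || { echo "AllowUsers: unset"; bad=1; }
    # The page appends the PAM line with >>, so a second run duplicates it.
    n=$(grep -Ec '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam" || true)
    [ "$n" -eq 1 ] || { echo "pam_google_authenticator auth lines: $n"; bad=1; }
    return "$bad"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/sshd_config.stock" <<'EOF'
#PermitRootLogin prohibit-password
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
cat > "$demo/sshd_config.done" <<'EOF'
PermitRootLogin no
challengeresponseauthentication yes
ChallengeResponseAuthentication no
AllowUsers user_name
EOF
printf '@include common-auth\n' > "$demo/pam.stock"
printf '@include common-auth\nauth required pam_google_authenticator.so\n' > "$demo/pam.done"

echo "stock files:"; audit_2fa "$demo/sshd_config.stock" "$demo/pam.stock" || true
echo "after setup:"; audit_2fa "$demo/sshd_config.done" "$demo/pam.done" && echo "no findings"
```

The second sample file shows why the first match matters: a later "ChallengeResponseAuthentication no" line is ignored once an earlier line has set the value.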

You can copy the .google_authenticator file on the remote-machine to other places where google authenticator is installed, so you need only one key.

Use the Authenticator for Amazon and other services as well, e.g. for your website.