-1

I'm trying to use sftp to transfer files between two pcs. I have openssh on my receiving pc.

I'm a total beginner in sftp/ssh and it is so wild/seems so insecure that I can access my PC only with my user password. How do you manage security in sftp/ssh?

I'd like to toggle my server's ability to accept ssh connections on and off. How can I do it (so as to be totally sure)? Do I uninstall and reinstall openssh every time I need to use it?

I also would like to use only a KEY to access my server without a password. It seems so insecure to just add the keys to the server; I usually keep a very short password on my server PC just so other users don't accidentally access my user while trying to get into their user. How do I configure my server to use only a KEY, not a password, and disable any connectivity through a password? I got the impression that if I add the key and leave a very short password someone else might just access it from the network.

Sorry if the question is not very well formulated, English is not my first language and I'm a total beginner in ssh. It seems that just following tutorials or reading documentation is not enough.

3 comments
  • 2 Voting to close. A question on SuperUser should be a single question. This one is a bit out of hand. Davidgo provided an answer addressing multiple of the question asker's questions, although these instructions look like they would work on some Linux systems and maybe not some other systems. (For all I know, the question asker might be using Microsoft Windows. I just don't see enough to know.) Commented Feb 22 at 10:13
  • I'm on windows and ubuntu. I just wasn't sure about ssh in general. Commented Feb 22 at 14:29
  • I use a public and private key. I don’t need a user password Commented Feb 22 at 16:13

2 Answers

2

To answer your main question, assuming you are using a common Linux distro -

  1. Create a private and public key on your client if you have not already done so. How you do this will depend on what client you are using. If you are using openssh (typical on a Linux desktop) use ssh-keygen

  2. Add the PUBLIC key you generated on your client to ~/.ssh/authorized_keys on your server.

  3. Test that you can log in using the private/public key. Once you can do this, you can edit the server to disable password login.

  4. Edit /etc/ssh/sshd_config (as root) and set "PasswordAuthentication no" (it will probably be set to yes, or commented out).

  5. Restart ssh on the server. Probably something like sudo systemctl restart sshd.service.

To answer/comment on the rest of your post.

SSH is probably the most secure way of connecting to your server (although you can greatly improve on this by limiting connections to known IP addresses and/or over a VPN for another layer of security).

You can toggle your server's ability to accept ssh connections by using sudo systemctl stop and sudo systemctl start, but if you have set up ssh properly I'd argue this is unnecessary and will cause more problems than it solves. Consider using a firewall to selectively block/limit access to port 22 instead.

You should never need to uninstall openssh or reinstall it - and I'd argue that doing this is unhelpful. It should be pretty much set-and-forget.

You should not be using short passwords. Not anywhere, not ever. You should be using a password manager and having long random passwords.

You should be able to figure all this out pretty easily with AI. If you are having trouble following tutorials, maybe go back and revisit your understanding of how SSH works. Once you "get" public/private key encryption it should be a lot easier for you.

3 comments
  • 1 To elaborate on step one: ssh-keygen -t ed25519 -N "" -f keyname makes a passwordless key (some people don't like that; the -N "" is what made it passwordless). The private key can be used to create the public key again, so if you have the private key, you effectively have both keys. The public key goes onto the system you want to log into. The private key is on the client (maybe on a USB stick you have... basically, your possession of the private key represents you), so only the public key goes on the server. The end of the public key file is a comment. Commented Feb 22 at 10:24
  • @davidgo Thanks for the answer. I wouldn't trust my files with AI answers, at least not without being 100% sure. About limiting connections to known IP addresses, do I look for it in sshd config as well? How do you use password managers on log in? I get it when you use apps, but how on log in? Commented Feb 22 at 14:20
  • @kermill - AI will likely help more than anyone here - ssh is very well understood (from a how-to-use POV) and AI is unlikely to get it wrong. You can limit logins with a firewall and/or editing/adding an AllowUsers line in sshd_config. Security is about layers. Don't trust everything to one program. Commented Feb 22 at 18:12
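One way to confirm that step 4 of the answer above actually took effect, added here as an example and not part of that answer: a small POSIX shell audit that reads an sshd_config text (the sample below is constructed) and applies sshd's own rules, namely that the first uncommented occurrence of a keyword wins and that a missing or commented-out PasswordAuthentication line means the default "yes".

```shell
#!/bin/sh
# Added example (not from the answer): audit an sshd_config snippet for the
# setting the answer's steps 4-5 change. In sshd_config the FIRST uncommented
# occurrence of a keyword wins, and PasswordAuthentication defaults to "yes"
# when the line is missing or commented out.

# Constructed sample config: a commented-out default (which must be ignored),
# a real "no", and a later "yes" that sshd would never reach.
SAMPLE_CONFIG='# PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
'

# effective_value <keyword> <config-text> <default>
# Prints the value from the first uncommented "keyword value" line
# (keywords are case-insensitive), or <default> when no such line exists.
# Match blocks are not modelled here; see the usage note for the live check.
effective_value() {
    keyword=$1; config=$2; default=$3
    value=$(printf '%s\n' "$config" | awk -v k="$keyword" '
        /^[[:space:]]*#/ { next }                     # skip comment lines
        tolower($1) == tolower(k) { print $2; exit }  # first match wins
    ')
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$default"
    fi
}

# password_auth_disabled <config-text>
# Succeeds (exit 0) only when password logins are effectively turned off.
password_auth_disabled() {
    [ "$(effective_value PasswordAuthentication "$1" yes)" = "no" ]
}

# Stand-alone run against the constructed sample.
if password_auth_disabled "$SAMPLE_CONFIG"; then
    echo "sample config: password authentication is OFF (key-only)"
else
    echo "sample config: password authentication is still ON"
fi
```

On the real server the authoritative check is `sudo sshd -T | grep -i passwordauthentication`, which prints the effective value after all config files and Match blocks are resolved; run it after the restart in step 5.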
0

Some points about SSH security

  • All data transmitted, including passwords, is protected from interception by end-to-end encryption, unlike older protocols such as telnet and FTP.

  • You can configure the SSH server to forbid password authentication and enforce more secure authentication.

  • SSH supports public key authentication, where only a public key is stored on the server and the corresponding private key is kept on the client PC in an encrypted file protected by a password. Note that this is different to shared key cryptographic methods.

  • SSH supports two-factor authentication (2FA), including things like FIDO2 tokens etc.

"The complete guide to SSH with FIDO2 security keys" (Jonas Markström, 2023) looks like a useful guide - I have no affiliation with the author and have not personally tested or verified the contents.
