Kali Linux remote SSH – How to configure openSSH server

Step 3: Change Kali default ssh keys to avoid MITM attack

At this point you will have openssh-server installed on Kali Linux and enabled at runlevel 2,3,4 and 5. But now we got a problem. Every Linux system that you install via a CD or DVD or similar uses a default SSH key. This is same for all first installation that means, anyone with a similar version can perform a Man in the Middle Attack (MITM) and listen to your encrypted traffic. To fix that we will do the followings:

Note: At least one reader confirms that this step is not necessary in new Kali Linux installation as the keys are different for each installation. I will leave the decision of changing default SSH keys to the readers.

Step 3.1: Move the default Kali ssh keys to a new folder:

Issue the following commands one line at a time:

root@kali:~#  cd /etc/ssh/
root@kali:/etc/ssh#  mkdir default_kali_keys
root@kali:/etc/ssh# 
root@kali:/etc/ssh#  mv ssh_host_* default_kali_keys/
root@kali:/etc/ssh#

This will move your default keys to the new folder.

Step 3.2: Regenerate the keys

Use the following command to regenerate SSH keys

root@kali:/etc/ssh#  dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
root@kali:/etc/ssh#

Step 3.3: Verify ssh key hashes are different

Use the following commands to verify SSH key hashes are different

root@kali:/etc/ssh#  md5sum ssh_host_*
d5dff2404dd43ee0d9ed967f917fb697  ssh_host_dsa_key
2ec88dc08f24c39077c47106aab1e7f4  ssh_host_dsa_key.pub
ab96da6ffc39267f06e7f9497c4f5755  ssh_host_ecdsa_key
614e36d18dc2c46178d19661db4dbd7b  ssh_host_ecdsa_key.pub
abcc037705e48b3da91a2300d42e6a2b  ssh_host_rsa_key
e26eaa1c5cff38457daef839937fcedd  ssh_host_rsa_key.pub
root@kali:/etc/ssh#

Compare new key hashes to the hashes below)

root@kali:/etc/ssh#  cd default_kali_keys/
root@kali:/etc/ssh#
root@kali:/etc/ssh/default_kali_keys#  md5sum *
9a09f49be320e561dc6cf95463d4378c  ssh_host_dsa_key
1a52709d596569224822e870239c9298  ssh_host_dsa_key.pub
65d0af7fdc5c50f67f90cb953460ba61  ssh_host_ecdsa_key
606d1ac71100c8b38e0f87951bb94855  ssh_host_ecdsa_key.pub
c871ecf961924389f2cddbd5888b5037  ssh_host_rsa_key
99d4c4c68224900d0430f0bee9baf28e  ssh_host_rsa_key.pub
root@kali:/etc/ssh/default_kali_keys#

Kali Linux remote SSH - How to configure openSSH server - blackMORE Ops -2

Restart SSH.

root@kali:/etc/ssh/default_kali_keys# service ssh restart

Thanks to pentest09 for providing this excellent and easy to follow info on Kali Linux forum.

Step 4: Set MOTD with a nice ASCII

So far, we have installed and configured Kali Linux remote SSH – openssh-server, enabled openssh-server to run on boot, changed Kali default SSH keys to avoid MITM attacks.

Now the usual SSH MOTD (Message of the Day – Banner) is boring. I want my name on that and add some useful info. Following is what a usual MOTD looks like:

Kali Linux remote SSH - How to configure openSSH server - blackMORE Ops -5

Well, that’s just plain and boring for me.

Go to http://patorjk.com/software/taag/

Type something in “Type Something” Box! Play around with the settings and you get a nice ASCII art.

Kali Linux remote SSH - How to configure openSSH server - blackMORE Ops -4

Edit the following file and add your text.

root@kali:~# vi /etc/motd 
root@kali:~# service ssh restart

Save the file and restart/reload SSH … both should just work. I’ve added blackMORE Ops as ASCII and http://www.blackmoreops.com/ as a second line…

Kali Linux remote SSH - How to configure openSSH server - blackMORE Ops -66

So next time I try to login I get this nice screen with some more info

Kali Linux remote SSH - How to configure openSSH server - blackMORE Ops -7

Pretty cool!

Step 5: Troubleshooting

Because I changed SSH keys in the middle of change, (I was logged in before), I had this BIG warning message coming up

 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 Someone could be eavesdropping on you right now (man-in-the-middle attack)!
 It is also possible that the RSA host key has just been changed.
 The fingerprint for the RSA key sent by the remote host is
 26:65:52:75:81:71:a8:c5:4c:ad:b6:81:78:58:18:af.
 Please contact your system administrator.
 Add correct host key in /root/.ssh/known_hosts to get rid of this message.
 Offending key in /root/.ssh/known_hosts:1
 RSA host key for localhost has changed and you have requested strict checking.
 Host key verification failed.

It kicked me right out.

Kali Linux remote SSH - How to configure openSSH server - blackMORE Ops -111

Usually this is the sign of something bad. As you can see MITM attacks does this:

 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 Someone could be eavesdropping on you right now (man-in-the-middle attack)!

This was the reason I changed Kali Linux default key (You wouldn’t even notice MITM if you’re using the default key).

This is a rather easy fix. You just need to delete the offending line in known_hosts file.

 Add correct host key in /root/.ssh/known_hosts to get rid of this message.
 Offending key in /root/.ssh/known_hosts:1

Use the following command:

root@kali:~# vi /root/.ssh/known_hosts

Following was the key I had

Kali Linux remote SSH - How to configure openSSH server - blackMORE Ops -122

Just delete the line, save the file and try to SSH again.

Kali Linux remote SSH - How to configure openSSH server - blackMORE Ops -133

and it worked.

Check Also

Enabling AMD GPU for Hashcat on Kali Linux: A Quick Guide

Enabling AMD GPU for Hashcat on Kali Linux: A Quick Guide

If you’ve encountered an issue where Hashcat initially only recognizes your CPU and not the …

Identifying harmful activity on your captured traffic

This Python script utilises Wireshark or TCPdump to analyse network traffic stored in a specified …

37 comments

  1. zimmaro_the_g0at

    GOOD-WORK!!!
    as always .. thank you very much MY “guru”friend :-) +1
    http://www.imagestime.com/show.php/956618_Screenshot20140620093707.png.html
    zimmaro_the_g0at
    :-)

  2. wow awsome tutorial thanks you very much sir,
    i have one qestion: how to set ssh to not keep the logs?
    Thanks in advance.

  3. A little piece of advice. No matter what port you chose for SSH, make sure it’s below 1024. On Linux systems, any user can listen on ports above 1024, but only root can listen on ports below 1024. Running SSH on a port above 1024 increases a chance of crashing your SSH daemon and replacing it with some dodgy proxy etc.

    Some other suggestions for “extra safety”:

    Protocol 2
    PermitRootLogin no
    StrictModes yes
    AllowUsers
    DenyUsers root
    DenyGroups root
    PasswordAuthentication no
    PermitEmptyPasswords no
    PubkeyAuthentication yes
    MaxAuthTries 1
    X11Forwarding no

    You may also be interested in DenyHosts if using password authentication for SSH.

    • Hi Tomas,

      Below 1024 is usually a port that is registered with IANA for the applications/existing well known services (maybe unused on particular systems). See WikiPedia references here.

      If you got a user in your system who can sniff traffic with malicious intentions, then you got bigger problem at hand. A user with sudo access can just enable debug on or turn on plaintext incorrect password logging .. few incorrect password retries and he’s got root password! … Agreed with the rest. PubKeyAuth is possibly second best option with DenyHosts combination (where you login via a VPN or got stationary workstation/static IP etc… etc..) My post was about enabling SSH, not security in general, but I do agree with your notion. Will update it soon. ta.

      BTW, keep an eye on my site for my next post that actually addresses exactly what you’ve pointed out. I’m sure you’ll like my new post.

      Thanks again for your comment, always appreciate a positive feedback. Cheers,
      -BMO

  4. Great post on how to setup OpenSSH. This allowed me to take it one step further, and set up VNC over SSH.

  5. Excellent tutorial. Well done.

  6. Very Nice tutorial sir, I just need to ask you that, after applying all these steps, i can access ssh-server through lan, But this is not working on internet, What might be the reason?

  7. When I run ssh root@localhost it just leaves me with a blinking cursor but no prompt. Root log in is enabled in sshd_config. Any thoughts?

  8. Hi, Step 3 doesn’t need to be completed. I’ve compared the SSH Keys on two different installs of Kali1.10 and they have different keys by default.

    • Thanks for letting me know. It wasn’t the case when I wrote this article. Instead of removing step 3, I’ll mark it as optional. In that way, readers can make an informed decision. Thanks again.

  9. Thank you for the tutorial, its so educating now my question is, how can I use my android app with Kali Linux remote SSH. I’m aware of the apps that I can download, i’m in the process of developing my own.

  10. Johnnycakes581

    I am trying to access my own SSH server by doing
    ssh root@localhost
    then it comes up with
    root@localhost’s password:
    Where would you get this password?

  11. Great article! Thank you for the time you took to put this together!

  12. See below output:

    root@kali2:~# service ssh status
    ● ssh.service – OpenBSD Secure Shell server
    Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
    Active: inactive (dead)
    root@kali2:~#

    I Want to start this service automatically whenever I boot my system. Let me know how to do that.

    At present I am manually starting the service.

  13. Great tutorial!
    The only problem for me is that after root@localhost and after the password it says : Permission denied, please try again…

  14. Solved, I changed

    PermitRootLogin without-password

    with

    PermitRootLogin yes

    In /etc/ssh/sshd_config

    • Hey guys i hope you respond me , i have some problemes using kali 2 ,
      for any link i make is not shared with my local state any link i make ( with a real kali ip 192.168.1.xx) it works only in the kali and is not shared to other wifi’s users i tried many methodes but they didnt work i hope will help me and thank you !

  15. add or update your tutorials to modern day 2.0

    well make a new one for 2.0. you need to update alot of your old very good tutorials for previous versions, now you have nothing for 2.0. killing us.

  16. This was a great help, thank you.

  17. Hello, is it possible, that we must also open the ssh port in kali’s firewall?

  18. i got a problem here. i started the ssh server in linux kali.but when i try to connect from windows using putty i am asked username and passworsd. what xactly are the username and password ? i tried my linux usernmae and passwd but i got access denied. should i configure linux to allow windows??

  19. Install openssh in Android terminal
    https://youtu.be/mh6Ldvn__H4

  20. I can confirm that on Kali Linux 2018.3a on the AWS Marketplace, the SSH keys are unique to each provisioned instance.

  21. Anybody have any words of advice on how to perform a remote SSH session with Kali 2018.4 with an IPv6 address? Nowhere can I find an actual guide or word of help on the internet…

Leave your solution or comment to help others.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from blackMORE Ops

Subscribe now to keep reading and get access to the full archive.

Continue reading

Privacy Policy on Cookies Usage

Some services used in this site uses cookies to tailor user experience or to show ads.