Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects, via a secure channel over an insecure network, a server and a client running SSH server and SSH client programs, respectively. The protocol specification distinguishes between two major versions that are referred to as SSH-1 and SSH-2.
The best-known application of the protocol is for access to shell accounts on Unix-like operating systems, but it can also be used in a similar fashion for accounts on Windows. It was designed as a replacement for Telnet and other insecure remote shell protocols such as the Berkeley rsh and rexec protocols, which send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis.The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet.
You can use your Android phone, remote computer, iPAD or anything to login to a SSH server and execute command as if you’re sitting on that workstation. So let’s see how you can install a SSH server (we will be using openSSH-Server here) on Kali Linux. After this guide you will be able to do the followings:
- Install Kali Linux remote SSH – openSSH server
- Enable Kali Linux remote SSH service on boot
- Change Kali default ssh keys to avoid MITM attack
- Set MOTD – Message of the Day message with a nice ASCII
- Troubleshoot and fix “
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED” error during SSH session. - Change SSH server port for extra safety
Step 1: Install Kali Linux remote SSH – openSSH server
Issue the following command on Kali Linux terminal to install openssh-server.
root@kali~:# apt-get install openssh-server
Now the next logical step is to enable ssh server (as you can see I’ve issued the following command above).
root@kali~:# service ssh startIt works, but there’s a problem. If you restart your Kali Linux machine, SSH server will be disabled.
So we will ensure that SSH server remains up and running all the time (even after restart). Please note that if you don’t want this to happen, then skip Step 2 and move to Step 3. Why? Because if you enable SSH server on your machine, that means your machine will be available via internet and anyone who knows your password (or your password is just ‘123’ or ‘password’ can break into your machine). So use a secured password and if not sure skip to Step 3 for now. Anyway, moving on..
Step 2: Enable Kali Linux remote SSH service
Now we are about to enable SSH service and keep that running the whole time. (changes wont get lost after boot).
First of all remove run levels for SSH.
root@kali~:# update-rc.d -f ssh remove
Next load SSH defaults to run level
root@kali~:# update-rc.d -f ssh defaults
Check if SSH service is up and running
root@kali~:# chkconfig ssh
If you don’t have chkconfig installed, install via
root@kali~:# apt-get install chkconfig
You can run chkconfig to see a lot more too:
root@kali~:# chkconfig -l ssh (or) root@kali~:# chkconfig -l
37 comments
GOOD-WORK!!!
as always .. thank you very much MY “guru”friend :-) +1
http://www.imagestime.com/show.php/956618_Screenshot20140620093707.png.html
:-)
Hi again zimmy,
Always a please seeing your comment. Glad you found it use of. :) Cheers,
-BMO
great
https://www.imoveisguarapari.com
wow awsome tutorial thanks you very much sir,
i have one qestion: how to set ssh to not keep the logs?
Thanks in advance.
Hey Volkermord,
Config’s is in
/etc/ssh/sshd_configfile.Set
LogLevel nonefor no logs and restart sshd. That should do it. Some more references here and here.Cheers,
-BMO
A little piece of advice. No matter what port you chose for SSH, make sure it’s below 1024. On Linux systems, any user can listen on ports above 1024, but only root can listen on ports below 1024. Running SSH on a port above 1024 increases a chance of crashing your SSH daemon and replacing it with some dodgy proxy etc.
Some other suggestions for “extra safety”:
Protocol 2
PermitRootLogin no
StrictModes yes
AllowUsers
DenyUsers root
DenyGroups root
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 1
X11Forwarding no
You may also be interested in DenyHosts if using password authentication for SSH.
Hi Tomas,
Below 1024 is usually a port that is registered with IANA for the applications/existing well known services (maybe unused on particular systems). See WikiPedia references here.
If you got a user in your system who can sniff traffic with malicious intentions, then you got bigger problem at hand. A user with sudo access can just enable debug on or turn on plaintext incorrect password logging .. few incorrect password retries and he’s got root password! … Agreed with the rest. PubKeyAuth is possibly second best option with DenyHosts combination (where you login via a VPN or got stationary workstation/static IP etc… etc..) My post was about enabling SSH, not security in general, but I do agree with your notion. Will update it soon. ta.
BTW, keep an eye on my site for my next post that actually addresses exactly what you’ve pointed out. I’m sure you’ll like my new post.
Thanks again for your comment, always appreciate a positive feedback. Cheers,
-BMO
Your statement is only partially correct. We use TCP ports 4 and 12 for SSH – these are unassigned.
When you have >2000 users using your Linux servers, everything happens.
You may find this post useful: https://www.lisenet.com/2013/openssh-server-installation-and-configuration-on-debian/
Great post on how to setup OpenSSH. This allowed me to take it one step further, and set up VNC over SSH.
Thanks SJ.
Hello Sec Jedi. Good job setting up the vnc ! can you share the guide with me on how to do this? and can you access this outside of your lan or only in lan ?
Excellent tutorial. Well done.
Very Nice tutorial sir, I just need to ask you that, after applying all these steps, i can access ssh-server through lan, But this is not working on internet, What might be the reason?
Your router blocking it. Either open port or setup port forwarding.
When I run ssh root@localhost it just leaves me with a blinking cursor but no prompt. Root log in is enabled in sshd_config. Any thoughts?
Hi heisenberg,
Did you restart ssh service?
Hi, Step 3 doesn’t need to be completed. I’ve compared the SSH Keys on two different installs of Kali1.10 and they have different keys by default.
Thanks for letting me know. It wasn’t the case when I wrote this article. Instead of removing step 3, I’ll mark it as optional. In that way, readers can make an informed decision. Thanks again.
Thank you for the tutorial, its so educating now my question is, how can I use my android app with Kali Linux remote SSH. I’m aware of the apps that I can download, i’m in the process of developing my own.
I am trying to access my own SSH server by doing
ssh root@localhost
then it comes up with
root@localhost’s password:
Where would you get this password?
You need to know your root password, on a default install of kali it is set to ‘toor’ but this is the first thing you should have changed.
I type my root password but it says permission denied anyway
You have to enable root login in the sshd_config file.
Generally not a good idea unless you have a reason.
Great article! Thank you for the time you took to put this together!
See below output:
root@kali2:~# service ssh status
● ssh.service – OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
Active: inactive (dead)
root@kali2:~#
I Want to start this service automatically whenever I boot my system. Let me know how to do that.
At present I am manually starting the service.
I got same problem here too. Even after following Step 2, it didn’t work. Anyone?
Great tutorial!
The only problem for me is that after root@localhost and after the password it says : Permission denied, please try again…
Solved, I changed
PermitRootLogin without-password
with
PermitRootLogin yes
In /etc/ssh/sshd_config
Solved, I changed
PermitRootLogin without-password
with
PermitRootLogin yes
In /etc/ssh/sshd_config
Hey guys i hope you respond me , i have some problemes using kali 2 ,
for any link i make is not shared with my local state any link i make ( with a real kali ip 192.168.1.xx) it works only in the kali and is not shared to other wifi’s users i tried many methodes but they didnt work i hope will help me and thank you !
well make a new one for 2.0. you need to update alot of your old very good tutorials for previous versions, now you have nothing for 2.0. killing us.
This was a great help, thank you.
Hello, is it possible, that we must also open the ssh port in kali’s firewall?
i got a problem here. i started the ssh server in linux kali.but when i try to connect from windows using putty i am asked username and passworsd. what xactly are the username and password ? i tried my linux usernmae and passwd but i got access denied. should i configure linux to allow windows??
Install openssh in Android terminal
https://youtu.be/mh6Ldvn__H4
I can confirm that on Kali Linux 2018.3a on the AWS Marketplace, the SSH keys are unique to each provisioned instance.