Setting up SSH

Example guide for setting up SSH on target machines

Overview

Customers are responsible for the configuration of their servers and environments.

Secure Shell (SSH) allows confidential and authenticated remote access to a computer. SSH traffic is fully encrypted and, by default, runs on port 22. For reference and testing, see below for instructions and guidance on enabling SSH for your target operating system.

Linux

Linux requires the SSH daemon to be running in order to accept SSH connections. Most Linux distributions will have the OpenSSH server installed, but may not have the service enabled. The service needs to be enabled, started, and added to the list of services to be started upon reboot.

To verify that the SSH daemon (sshd) is running on your Linux system, invoke the following command:

ps aux | grep sshd

If sshd is not running, you may need to install OpenSSH and/or enable the ssh service. The following commands demonstrate this on Ubuntu:

apt-get install openssh-server
systemctl enable ssh
systemctl start ssh

Note:

  • You may need sudo permissions to install and enable ssh.

  • The installation command may differ depending on your Linux distribution.

Windows

SSH is normally not installed on Windows. However, it can easily be installed via Windows capability packages, which are maintained by Microsoft. The following PowerShell script will 1) install SSH, 2) start the SSH service and make sure it starts on each reboot, and 3) make sure the firewall allows SSH connections:

# Install OpenSSH
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# Start service and make sure it automatically starts after reboot.
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

# Make sure the firewall will allow SSH connections
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' already exists."
}

Windows Shell

Windows SSH can default to either PowerShell or CMD. Keeper Rotation uses PowerShell commands. If the default shell is CMD, Keeper Rotation will invoke rotation commands via PowerShell Invoke-Command -ScriptBlock { COMMANDS }. To change the default shell to PowerShell, invoke the following PowerShell command:

# Enable PowerShell in SSH
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell `
  -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
  -PropertyType String -Force
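After running the steps above, the following script checks each of them (capability installed, sshd running and set to Automatic, firewall rule present and scoped to TCP/22, default shell, and an actual listener on port 22) and reports anything that is off. This is an added verification example, not part of the Keeper documentation; run it in an elevated PowerShell session on the target machine.

```powershell
# Added example: verify the Windows OpenSSH server setup described above.
$expectedShell = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$problems = @()

# 1) Is the OpenSSH.Server capability installed?
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
if ($cap.State -ne 'Installed') { $problems += "OpenSSH.Server capability state is '$($cap.State)'" }

# 2) Is the sshd service running and set to start automatically after reboot?
$svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += "sshd service not found"
} else {
    if ($svc.Status -ne 'Running')      { $problems += "sshd status is '$($svc.Status)'" }
    if ($svc.StartType -ne 'Automatic') { $problems += "sshd StartType is '$($svc.StartType)'" }
}

# 3) Is the inbound firewall rule present, enabled, and scoped to TCP port 22?
$rule = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue
if (-not $rule) {
    $problems += "firewall rule 'OpenSSH-Server-In-TCP' is missing"
} else {
    if ($rule.Enabled -ne 'True') { $problems += "firewall rule 'OpenSSH-Server-In-TCP' is disabled" }
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -ne 'TCP' -or $port.LocalPort -ne '22') {
        $problems += "firewall rule allows $($port.Protocol)/$($port.LocalPort), expected TCP/22"
    }
}

# 4) Is PowerShell the default shell for SSH sessions? (Not fatal: Keeper Rotation
#    wraps commands in Invoke-Command when the default shell is CMD.)
$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -ErrorAction SilentlyContinue).DefaultShell
if ($shell -ne $expectedShell) { $problems += "DefaultShell is '$shell', not PowerShell" }

# 5) Is anything actually listening on TCP/22?
if (-not (Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue)) {
    $problems += "nothing is listening on TCP/22"
}

if ($problems.Count -eq 0) {
    Write-Output "SSH server configuration looks complete."
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```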

MacOS

SSH is installed on macOS but is usually not enabled by default.

To enable it via the UI, enable Remote Login on the General->Sharing panel.

To enable it via the command line, invoke the following command:

$ sudo systemsetup -setremotelogin on

Note:

  • You will require Full Disk Access privileges for this command-line method.
