======Installing SSH server======
SSH will allow you to get a remote terminal on your eeepc. It can also be used as another way to transfer files remotely with scp, and to [[x11|forward X11]], which lets you run a GUI application on the eeepc from another system.
Firstly you need to add either [[http://wiki.eeeuser.com/addingxandrosrepos|Xandros]] or [[adddebianfeeds|Debian]] repositories.
Then you need to install the ssh server:
  sudo apt-get install openssh-server
Next you want to start the sshd server. This will happen automatically at boot, but you can save a reboot by doing it manually:
  sudo /etc/init.d/ssh start
If ssh does not start automatically at boot time, create the file /etc/fastservices with the command:
  sudo nano /etc/fastservices
and add one line containing the single word "ssh", then save and close the file.
======Alternative approach (use inetd)======
You can also let the ssh daemon be run from inetd. It takes less memory (and you can run other services from the inetd daemon without any continuous memory impact). On the other hand, connecting will take longer (not noticeably), and if you really run out of RAM you might not connect at all (but that's true with ssh running as a permanent daemon as well). This is great if you connect to your EEE just from time to time.
First, add the repositories and install the ssh server, as described above.
Then, start the ssh server **once**, to create the ''/var/run/sshd'' directory:
  sudo /etc/init.d/ssh start
(ideally, we should write a script that does it at the boot time... maybe later)
and stop it:
  sudo /etc/init.d/ssh stop
openbsd-inetd should be installed, but just in case:
  sudo apt-get install openbsd-inetd
Create the file /etc/fastservices with the command:
  sudo nano /etc/fastservices
and add one line containing the single word "openbsd-inetd", then save and close the file.
Make sure there is **not** a ''ssh'' line in /etc/fastinit!
Edit /etc/inetd.conf:
  sudo nano /etc/inetd.conf
and to the end of the file add this line:
  ssh stream tcp nowait root.root /usr/sbin/sshd sshd -i
Run the inetd (or reboot):
  sudo /etc/init.d/openbsd-inetd start
======Using SSH======
Now you should be able to ssh into your eeepc. Most Linux distributions come with an ssh client accessible from the terminal:
  ssh user@hostname
If you are encountering problems, you can try connecting from the laptop to itself with "localhost" as the hostname.
People connecting from Windows can use [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|putty]] (You just need putty.exe).
====== Security ======
SSH can use many different methods to authenticate users. If you follow the steps on this page you will be logging in with just your username and password, and most people do not keep their usernames very private. This means that an attacker trying to gain access to your system only has to find one piece of information to get control of your computer. With a default installation this can be done by brute force, trying a, aa, aaa ... b, bb, bbb, ... etc. The more an attacker knows about the person, the easier it is to guess their password. Lower case dictionary words, numbers and birthdays used as passwords are so easy to crack that you might as well not have a password at all.
You can avoid this easy route into your machine by using public key authentication.
You make a key, give it a passphrase and make sure that only key authentication is allowed.
=== Using public key authentication ===
Get a terminal up (CTRL-ALT-T) and type
  ssh-keygen -t rsa -b 2048 -C "SSH Key for my EEE"
This will create a key for you and ask for a passphrase to go with it. You don't **need** a passphrase, but without one, a key you lose control of will grant access to your machine to whoever has it.
If you want to use a passphrase, make it a sentence like
  This is the key to my EEE 4G, and I don't want anyone else to use it
Obviously, don't use that. Notice the CAPS, the punctuation, and the spaces. The longer the better, but remember that you will have to type it every time you want to log in to your machine. A sentence that is fairly easy to remember for you will still be hard for a computer to work out.
Once you have made your key it will be stored (by default) in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. There are two parts to the key: id_rsa is the **private** part and should never be given, shown or mailed to, or accessed by, anyone other than you. Copy it to an SD card and keep it in your pocket. If you lose the key or someone copies it, make another by following these instructions again. Remove the old public key's line from authorized_keys as well, since it keeps granting access until you do.
The other part is the public part. You can share that with others if they want to give you SSH access to their computers.
For this system to work, the SSH authorisation routine needs the public part on the server, the client needs the private part, and if you set a passphrase the client needs that to be typed in during the connection too.
Now to tell your computer that you're allowed to use that key.
  cd ~/.ssh
  cat id_rsa.pub >> authorized_keys
  chmod 600 authorized_keys
Using "cat" to read the public part of the key and then directing the output to "authorized_keys" with ">>" is a good habit to get into. This will not overwrite the file like "cp" (copy) will, and means that if you are adding someone else's key to the list, yours won't be overwritten; you won't lose SSH access to your computer by accident.
You're almost there, but at the moment SSH will still fall back to password access if public key fails. For security you should turn this fallback behaviour off.
  sudo nano /etc/ssh/sshd_config
These parts need to be changed:
  * PermitRootLogin **no**
  * PubkeyAuthentication **yes**
  * RSAAuthentication no
  * AuthorizedKeysFile **.ssh/authorized_keys**
  * PasswordAuthentication **no**
  * ChallengeResponseAuthentication **no**
  * UsePAM **no**
  * AllowUsers ****
If some of these are already set or are missing, you can just change or add them.
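The settings above can be checked before the server is restarted. The script below is an added example, not part of the original page: it reads an sshd_config the way sshd treats global options (keywords are case-insensitive and the first occurrence wins) and reports any of the listed yes/no directives that are not explicitly set as recommended, plus a missing AllowUsers. The function names and the sample file are constructed for illustration; Match blocks and Include files are not evaluated.

```sh
#!/bin/sh
# Added example: audit an sshd_config against the settings listed above.
# Assumptions: only the global section is read (stops at the first "Match"
# line), "Include" files are not followed, "Keyword value" syntax is used.

# effective_value FILE KEYWORD: print the value sshd would use.
# Keywords are case-insensitive and the FIRST occurrence in the file wins.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }     # ignore per-Match overrides
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per problem; the exit status is the
# number of directives not set as recommended.
audit_sshd_config() {
    file=$1
    bad=0
    for want in "PermitRootLogin no" "PubkeyAuthentication yes" \
                "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "UsePAM no"; do
        key=${want% *}
        expected=${want#* }
        actual=$(effective_value "$file" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $key: want '$expected', found '${actual:-unset}'"
            bad=$((bad + 1))
        fi
    done
    # Without AllowUsers, logins are not restricted to named accounts.
    if [ -z "$(effective_value "$file" AllowUsers)" ]; then
        echo "FAIL AllowUsers: not set"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed sample: the later "PasswordAuthentication no" is ignored
# because an earlier line already set it to "yes".
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
    'passwordauthentication yes' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' 'UsePAM no' 'AllowUsers user' > "$sample"
audit_sshd_config "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

To audit the real file, call ''audit_sshd_config /etc/ssh/sshd_config''; ''sudo /usr/sbin/sshd -t'' then checks the file for syntax errors before the restart.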
The last thing to do is to make sure that the SSH server notices the changes you have made to the "sshd_config" file by restarting it:
  sudo /etc/init.d/ssh restart
Now you can try
  ssh localhost
You should be asked to "Enter passphrase for key '/home/user/.ssh/id_rsa':".
If you have any problems, you can type
  man ssh
  man ssh-keygen
for some help. Other than that [[http://google.com|Google]] Is Your Friend.
======See Also======
http://en.wikipedia.org/wiki/SSH - Wikipedia's article about SSH.
http://www.chiark.greenend.org.uk/~sgtatham/putty/ - PuTTY, a Windows SSH client.
http://en.wikipedia.org/wiki/PuTTY - Wikipedia's article about PuTTY.
[[boot_process:the_boot_process]]