- Download SD Card Formatter and the Raspberry Pi Imager (Raspberry Pi OS). For example, if you use Windows for the SD card set-up, choose the Windows version of each tool.
- Plug the SD card into an SD card reader and connect it to the PC, then use SD Card Formatter to format the card. Next, double-click Raspberry Pi Imager, choose the path to the SD card and click "write".
- Once the write is done, insert the SD card into the Pi and boot it up. Finish the system set-up by following the on-screen guidance.
- Input the following command on Pi4
sudo raspi-config
- Choose "Interface Options"
- Choose "VNC"
- Make sure VNC is enabled, save and exit. Input the following command:
sudo reboot
- Input the following command to get the IP address of the Pi4:
ifconfig
- Use remote-control (VNC) software on Windows 10 and input the IP address of the Pi4
- In the pop-up window, enter the username and password of the Pi4
- You should now be able to access your Pi4
- Set up SSH on the Pi4 for accessing your GitHub repo via SSH (see the GitHub guidance)
- Source code: https://roumenpetrov.info/secsh/download.html or https://gitlab.com/secsh/pkixssh. Then input the following commands:
cd ~/project/ssh-demo
git init
git remote add ssh-client git@github.com:Det2sial/pkixssh-demo.git
git pull ssh-client master
git branch
git pull ssh-client peer
git checkout peer
- Install packages
sudo apt install build-essential
sudo apt install zlib1g-dev
sudo apt-get install libssl-dev
sudo apt-get install libpam0g-dev
# install pam
- Install PKIXSSH
cd ~/project/ssh-demo/pkixssh-13.1
./configure --prefix=/opt --with-pam
The result will look like:
Example PAM control files can be found in the contrib/ subdirectory
Input the following commands:
sudo make
sudo make install
The result will look like (the error is ignored):
Privilege separation user sshd does not exist
make: [Makefile:356: check-config] Error 255 (ignored)
- Set up a VM using an Ubuntu image and VMware
- Set up the VM for accessing your GitHub repo (see the GitHub guidance)
- Source code: https://roumenpetrov.info/secsh/download.html or https://gitlab.com/secsh/pkixssh. Then input the following commands:
cd ~/project/ssh-demo
git init
git remote add ssh-client git@github.com:Det2sial/pkixssh-demo.git
git pull ssh-client master
git branch
git pull ssh-client peer
git checkout peer
- Install packages
sudo apt install build-essential
sudo apt install zlib1g-dev
sudo apt-get install libssl-dev
sudo apt-get install libpam0g-dev
# install pam
- Install PKIXSSH
cd ~/project/ssh-demo/pkixssh-13.1
./configure --prefix=/opt --with-pam
The result will look like:
Example PAM control files can be found in the contrib/ subdirectory
Input the following commands:
sudo make
sudo make install
The result will look like (the error is ignored):
Privilege separation user sshd does not exist
make: [Makefile:356: check-config] Error 255 (ignored)
- Create CA dir
cd ~/project/ssh-demo/pki
rm -rf CA
mkdir ./CA
cd ./CA
mkdir certs conf private
chmod 700 private
echo '01' > serial
touch index.txt
- Export the CA config file (you need to change the path in this config file)
cp ~/project/ssh-demo/pki/openssl_ca.cnf ./conf
export OPENSSL_CONF=~/project/ssh-demo/pki/CA/conf/openssl_ca.cnf
- Generate the Root CA cert (you need to change the subject name)
# default value is not used since I use 'openssl req' instead of 'openssl ca'
cd ~/project/ssh-demo/pki/CA
openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -passout pass:Sweetroll -out cacert.pem -outform PEM -days 3650 \
-subj "/C=US/ST=Colorado/O=Grimer Softwork/OU=R&D/CN=Root"
cp cakey.pem ./private
cp cacert.pem ./certs
openssl x509 -in cacert.pem -text
- Create peer dir
cd ~/project/ssh-demo/pki
rm -rf peer
mkdir peer
cd peer
mkdir certs conf private
chmod 700 private
- Generate SSH key
ssh-keygen -t rsa -b 2048 -m PEM -f id_rsa_ssh_valid -N ""
- Export the user config file (you need to change the path in this config file)
cp ~/project/ssh-demo/pki/openssl_usr.cnf ./conf
export OPENSSL_CONF=~/project/ssh-demo/pki/peer/conf/openssl_usr.cnf
- Generate an SSH key pair that can be used by PKIXSSH (you need to change the subject name)
cd ~/project/ssh-demo/pki/peer
openssl req -new -key id_rsa_ssh_valid -out usrvalid.csr \
-subj "/C=US/ST=Colorado/O=Grimer Softwork/OU=R&D/CN=Peer"
openssl req -text -noout -in usrvalid.csr
openssl x509 -req -days 1825 -in usrvalid.csr -out usrvalid.crt -CA ~/project/ssh-demo/pki/CA/cacert.pem -CAkey ~/project/ssh-demo/pki/CA/cakey.pem -passin pass:Sweetroll -CAcreateserial
openssl x509 -in usrvalid.crt >> id_rsa_ssh_valid
ssh-keygen -y -f id_rsa_ssh_valid > id_rsa_ssh_valid.pub
cp id_rsa_ssh_valid ~/.ssh/
- Check subject names
openssl x509 -noout -subject -in usrvalid.crt
- On Server side:
Confirm settings
sudo nano /opt/etc/sshd_config
Make sure it is
VAType none
Also remove the host key:
cd /opt/etc/
sudo rm /opt/etc/ssh_host_rsa_key
Then input
sudo /opt/sbin/sshd -d
#sudo kill -9 `sudo lsof -t -i:22`
- Copy the CA cert to the server and create the authorized_keys file (you may need to change the hostname in the following command)
sudo /opt/bin/scp -P 22 -i ~/.ssh/id_rsa_ssh_valid ~/project/ssh-demo/pki/CA/cacert.pem pi@192.168.0.153:~/project/ssh-demo/pki
- On Server side: Once the CA cert is received, input:
cd /home/pi/project/ssh-demo/pki
ls
cd /home/pi/project/ssh-demo/pki
rm -rf CA
mkdir ./CA
cd ./CA
mkdir certs conf private
chmod 700 private
echo '01' > serial
touch index.txt
cd /home/pi/project/ssh-demo/pki/CA
cp ~/project/ssh-demo/pki/cacert.pem ./
- On Server side: Link the CA cert under its subject hash and check
cd /opt/etc/ca
sudo rm -rf crt
sudo mkdir crt
cd ~/project/ssh-demo/pki
sudo cp cacert.pem /opt/etc/ca/crt
cd /opt/etc/ca/crt
sudo ln -s cacert.pem `openssl x509 -in cacert.pem -noout -hash`.0
ls -l
- On Server side: config authorized_keys
cd /home/pi/project/ssh-demo/pki
sudo nano ~/.ssh/authorized_keys
- On Server side: Add a line with the subject name (same as in your user cert):
x509v3-sign-rsa subject= /C=US/ST=Colorado/O=Grimer Softwork/OU=R&D/CN=Peer
- On Server side: Enable ssh service
Confirm settings
sudo nano /opt/etc/sshd_config
Make sure it is
VAType none
Then run sshd
sudo /opt/sbin/sshd -d
- On Client side: Clean the known hosts (delete the content)
sudo su
rm ~/.ssh/known_hosts
exit
- On Client side: Connect with peer cert
sudo /opt/bin/ssh -i ~/.ssh/id_rsa_ssh_valid -p 22 pi@192.168.0.153 -vvv
- On Client side: copy the CA key and configs (make sure the ssh daemon is running on the server side)
sudo /opt/bin/scp -P 22 -i ~/.ssh/id_rsa_ssh_valid ~/project/ssh-demo/pki/CA/cakey.pem pi@192.168.0.153:~/project/ssh-demo/pki
sudo /opt/bin/scp -P 22 -i ~/.ssh/id_rsa_ssh_valid ~/project/ssh-demo/pki/{openssl_server,openssl_ca}.cnf pi@192.168.0.153:~/project/ssh-demo/pki
- On Server side: Generate server cert
cd ~/project/ssh-demo/pki/CA
cp ~/project/ssh-demo/pki/cacert.pem ./
cp ~/project/ssh-demo/pki/cakey.pem ./
cd ~/project/ssh-demo/pki
rm -rf ./server
mkdir server
cd server
mkdir certs conf private
chmod 700 private
- On Server side: Generate ssh key
cd ~/project/ssh-demo/pki/server
ssh-keygen -t rsa -b 2048 -m PEM -f server_rsa_ssh_valid -N ""
- Export the server cert config file (you need to change the path in this config file)
cd ~/project/ssh-demo/pki/server
cp ~/project/ssh-demo/pki/openssl_server.cnf ./conf
export OPENSSL_CONF=~/project/ssh-demo/pki/server/conf/openssl_server.cnf
- Generate Server cert
cd ~/project/ssh-demo/pki/server
openssl req -new -key server_rsa_ssh_valid -out servervalid.csr
openssl req -text -noout -in servervalid.csr
openssl x509 -req -days 1825 -in servervalid.csr -out servervalid.crt -CA ~/project/ssh-demo/pki/CA/cacert.pem -CAkey ~/project/ssh-demo/pki/CA/cakey.pem -passin pass:Sweetroll -CAcreateserial
- Generate an SSH key pair that can be used by PKIXSSH (you need to change the subject name)
cd ~/project/ssh-demo/pki/server
openssl x509 -in servervalid.crt >> server_rsa_ssh_valid
ssh-keygen -y -f server_rsa_ssh_valid > server_rsa_ssh_valid.pub
- Copy key to host key path and remove other host keys
cd ~/project/ssh-demo/pki/server
sudo cp server_rsa_ssh_valid /opt/etc/ssh_host_rsa_key
cd /opt/etc/
sudo rm XXX XXX.pub # remove other host keys
- On client side: delete the known_hosts file!
sudo su
cd ~/.ssh
ls
rm known_hosts
exit
- Make sure cacert.pem is on the client side
cd /opt/etc/ca/
sudo rm -rf crt
ls
sudo mkdir crt
cd ~/project/ssh-demo/pki/CA
sudo cp ~/project/ssh-demo/pki/CA/cacert.pem /opt/etc/ca/crt
cd /opt/etc/ca/crt
sudo ln -s cacert.pem `openssl x509 -in cacert.pem -noout -hash`.0
ls
- Connect to SSH server
sudo /opt/bin/ssh -i ~/.ssh/id_rsa_ssh_valid -p 22 pi@192.168.0.153 -v
- On client side: Create the rev CA dir
cd ~/project/ssh-demo/pki/
rm -rf revCA
mkdir revCA
cd revCA
mkdir certs conf private
chmod 700 private
echo '01' > serial
echo '00' >revca.crlnum
touch index.txt
- Export the CA config file (you need to change the path in this config file)
cd ~/project/ssh-demo/pki/revCA
cp ~/project/ssh-demo/pki/openssl_revca.cnf ./conf
export OPENSSL_CONF=~/project/ssh-demo/pki/revCA/conf/openssl_revca.cnf
- Generate the rev CA cert (you need to change the subject name)
# default value is not used since I use 'openssl req' instead of 'openssl ca'
cd ~/project/ssh-demo/pki/revCA
openssl req -x509 -newkey rsa:2048 -keyout revcakey.pem -passout pass:Sweetroll -out revcacert.pem -outform PEM -days 3650 \
-subj "/C=US/ST=Colorado/O=Grimer Softwork/OU=R&D/CN=Rev Root"
cp revcakey.pem ./private
cp revcacert.pem ./certs
openssl x509 -in revcacert.pem -text
- Generate empty CRL for CA cert
cd ~/project/ssh-demo/pki/revCA
mkdir crl
export OPENSSL_CONF=~/project/ssh-demo/pki/revCA/conf/openssl_revca.cnf
openssl ca -gencrl -out crl/revcacert.crl -key Sweetroll
- Check the content of the CRL
cd ~/project/ssh-demo/pki/revCA
openssl crl -in crl/revcacert.crl -noout -text
- Create rev peer dir
cd ~/project/ssh-demo/pki
rm -rf revpeer
mkdir revpeer
cd revpeer
mkdir certs conf private
chmod 700 private
- Generate SSH key
ssh-keygen -t rsa -b 2048 -m PEM -f id_rsa_ssh_revpeer -N ""
- Export the user config file (you need to change the path in this config file)
cp ~/project/ssh-demo/pki/openssl_revusr.cnf ./conf
export OPENSSL_CONF=~/project/ssh-demo/pki/revpeer/conf/openssl_revusr.cnf
- Generate an SSH key pair that can be used by PKIXSSH (you need to change the subject name)
cd ~/project/ssh-demo/pki/revpeer
openssl req -new -key id_rsa_ssh_revpeer -out revpeer.csr \
-subj "/C=US/ST=Colorado/O=Grimer Softwork/OU=R&D/CN=Rev Peer"
openssl req -text -noout -in revpeer.csr
openssl x509 -req -days 1825 -in revpeer.csr -out revpeer.crt -CA ~/project/ssh-demo/pki/revCA/revcacert.pem -CAkey ~/project/ssh-demo/pki/revCA/revcakey.pem -passin pass:Sweetroll -CAcreateserial
openssl x509 -in revpeer.crt >> id_rsa_ssh_revpeer
ssh-keygen -y -f id_rsa_ssh_revpeer > id_rsa_ssh_revpeer.pub
cp id_rsa_ssh_revpeer ~/.ssh/
- Check subject names
openssl x509 -noout -subject -in revpeer.crt
- Verify root cert
cd ~/project/ssh-demo/pki/revCA
openssl verify -verbose -CAfile revcacert.pem ~/project/ssh-demo/pki/revpeer/revpeer.crt
- On Server side: Input:
sudo /opt/sbin/sshd -d
- Copy the rev CA cert to the server and create the authorized_keys file (you may need to change the hostname in the following command)
sudo /opt/bin/scp -P 22 -i ~/.ssh/id_rsa_ssh_valid ~/project/ssh-demo/pki/revCA/revcacert.pem pi@192.168.0.153:~/project/ssh-demo/pki
- On Server side: Once the CA cert is received, input:
cd /home/pi/project/ssh-demo/pki
ls
- On Server side: Link the rev CA cert under its subject hash and check
cd ~/project/ssh-demo/pki
sudo cp revcacert.pem /opt/etc/ca/crt
cd /opt/etc/ca/crt
sudo ln -s revcacert.pem `openssl x509 -in revcacert.pem -noout -hash`.0
ls -l
Remove the old CRL directory:
cd /opt/etc/ca
ls -l
sudo rm -rf crl
ls -l
- On Server side: config authorized_keys
cd /home/pi/project/ssh-demo/pki
sudo nano ~/.ssh/authorized_keys
- On Server side: Add a line with the subject name (same as in your user cert):
x509v3-sign-rsa subject= /C=US/ST=Colorado/O=Grimer Softwork/OU=R&D/CN=Rev Peer
- On Server side: Enable ssh service
sudo /opt/sbin/sshd -d
- You should be able to login with rev peer cert
sudo /opt/bin/ssh -i ~/.ssh/id_rsa_ssh_revpeer -p 22 pi@192.168.0.153 -v
- Revocation (you will see *.crlnum.old and root-ca.crl in crl)
cd ~/project/ssh-demo/pki/revCA
openssl ca -revoke ~/project/ssh-demo/pki/revpeer/revpeer.crt -crl_reason keyCompromise -keyfile revcakey.pem -passin pass:Sweetroll -cert revcacert.pem
- Refresh the Certificate Revocation List (CRL) every time after revoking a certificate:
cd ~/project/ssh-demo/pki/revCA
openssl ca -gencrl -out crl/revcacert.crl -keyfile revcakey.pem -passin pass:Sweetroll -cert revcacert.pem
- Verify the CRL; it should show error 23 (certificate revoked)
cd ~/project/ssh-demo/pki/revCA
openssl crl -in crl/revcacert.crl -outform pem -out cacrl.pem
cat revcacert.pem cacrl.pem > revcacrl.pem
openssl verify -extended_crl -verbose -CAfile revcacrl.pem -crl_check ~/project/ssh-demo/pki/revpeer/revpeer.crt
- Send the CRL to the server (authenticating with the still-valid peer identity!)
sudo /opt/bin/scp -P 22 -i ~/.ssh/id_rsa_ssh_valid ~/project/ssh-demo/pki/revCA/crl/revcacert.crl pi@192.168.0.153:~/project/ssh-demo/pki
- On server side: Once the CA CRL is received, input:
cd /home/pi/project/ssh-demo/pki
ls
- On server side: copy CA crl to ca:
cd /opt/etc/ca/
sudo rm -rf crl
sudo mkdir crl
cd /home/pi/project/ssh-demo/pki
sudo cp revcacert.crl /opt/etc/ca/crl
cd /opt/etc/ca/crl
sudo ln -s revcacert.crl `openssl crl -in revcacert.crl -noout -hash`.r0
ls -l
- Connect from the client with the revoked peer cert; the server side should report a revocation error
sudo /opt/bin/ssh -i ~/.ssh/id_rsa_ssh_revpeer -p 22 pi@192.168.0.153 -v
- On server side: Create OCSP folder
cd /home/pi/project/ssh-demo/pki
rm -rf OCSP
mkdir OCSP
cd OCSP
mkdir certs conf private
chmod 700 private
echo '01' > serial
touch index.txt
- On server side: Export CA config file
cd /home/pi/project/ssh-demo/pki/OCSP
cp ~/project/ssh-demo/pki/openssl_ocspca.cnf ./conf
Change the path and check this cnf before exporting it:
# nano ~/project/ssh-demo/pki/OCSP/conf/openssl_ocspca.cnf
export OPENSSL_CONF=~/project/ssh-demo/pki/OCSP/conf/openssl_ocspca.cnf
- On server side: Create a new key for the CA
cd /home/pi/project/ssh-demo/pki/OCSP
openssl req -new -x509 -keyout ocspcakey.pem -passout pass:Sweetroll -out ocspcacert.pem -days 365
- On server side: Create a new key and CSR for the OCSP
cd /home/pi/project/ssh-demo/pki/OCSP
export OPENSSL_CONF=~/project/ssh-demo/pki/OCSP/conf/openssl_ocspca.cnf
openssl req -new -nodes -out ocsp.csr -keyout ocspkey.pem -passout pass:Sweetroll -subj "/C=US/ST=Colorado/O=Grimer Softwork/OU=R&D/CN=OCSP Responder"
- On server side: Sign the OCSP CSR with the CA key
cd /home/pi/project/ssh-demo/pki/OCSP
export OPENSSL_CONF=~/project/ssh-demo/pki/OCSP/conf/openssl_ocspca.cnf
openssl ca -extensions ocspsign_ext -days 1825 -in ocsp.csr -out ocsp.pem -keyfile ocspcakey.pem -passin pass:Sweetroll -cert ocspcacert.pem
- On server side: Verify
openssl verify -CAfile ocspcacert.pem ocsp.pem
- On client side: create OCSP folder
cd /home/grimer/project/ssh-demo/pki
rm -rf OCSP
mkdir OCSP
cd OCSP
- On client side: Generate a client key and CSR
cd /home/grimer/project/ssh-demo/pki/OCSP
ssh-keygen -t rsa -b 2048 -m PEM -f id_rsa_ssh_ocsp -N ""
openssl req -new -key id_rsa_ssh_ocsp -out client.csr -subj "/C=US/ST=Colorado/O=Grimer Softwork/OU=R&D/CN=OCSP Client"
- On server side: Confirm settings
sudo nano /opt/etc/sshd_config
Make sure it is
VAType none
Then run sshd
sudo /opt/sbin/sshd -d
- On client side: Send public key and CSR to server
cd /home/grimer/project/ssh-demo/pki/OCSP
sudo /opt/bin/scp -P 22 -i ~/.ssh/id_rsa_ssh_valid ./id_rsa_ssh_ocsp.pub ./client.csr pi@192.168.0.153:~/project/ssh-demo/pki/OCSP/
- On server side: Sign the client CSR with the CA key
cd /home/pi/project/ssh-demo/pki/OCSP
openssl ca -extensions usr_cert -days 1825 -in client.csr -out client.pem -keyfile ocspcakey.pem -passin pass:Sweetroll -cert ocspcacert.pem
- On server side: Verify
openssl verify -CAfile ocspcacert.pem client.pem
- On server side: Start the OCSP responder
cd /home/pi/project/ssh-demo/pki/OCSP
openssl ocsp -index index.txt -port 9999 -rsigner ocsp.pem -rkey ocspkey.pem -CA ocspcacert.pem
- On server side: Validate the client certificate against the responder
cd /home/pi/project/ssh-demo/pki/OCSP
openssl ocsp -CAfile ocspcacert.pem -issuer ocspcacert.pem -cert client.pem -url http://localhost:9999 -resp_text
- On server side: Confirm settings
sudo nano /opt/etc/sshd_config
Make sure it is
VAType none
- Run sshd
sudo /opt/sbin/sshd -d
- On client side: Get OCSP client certificate from the server
sudo /opt/bin/scp -P 22 -i ~/.ssh/id_rsa_ssh_valid pi@192.168.0.153:~/project/ssh-demo/pki/OCSP/client.pem ~/project/ssh-demo/pki/OCSP/
- On client side: Generate public key (with cert)
cd /home/grimer/project/ssh-demo/pki/OCSP
openssl x509 -in client.pem >> id_rsa_ssh_ocsp
ssh-keygen -y -f id_rsa_ssh_ocsp > id_rsa_ssh_ocsp.pub
Copy the private key (with the appended cert) to ~/.ssh:
cp ~/project/ssh-demo/pki/OCSP/id_rsa_ssh_ocsp ~/.ssh/
# gedit ~/.ssh/id_rsa_ssh_ocsp
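The peer identity (id_rsa_ssh_valid), the server host key (server_rsa_ssh_valid) and the OCSP client identity above are all built the same way: a PEM private key with its X.509 certificate appended. The shell function below is an added example, not part of the original notes or of PKIX-SSH; it checks such a file before it is copied to ~/.ssh or installed as a host key, assuming only openssl and awk, and prints the matching authorized_keys line in the format used on the server side above.

```shell
# Added example (not from the original notes): sanity-check a PKIX-SSH identity
# file, i.e. a PEM private key with its X.509 certificate appended.
# Assumes: openssl and awk in PATH.
# Usage: check_pkix_identity FILE CA_CERT [KEY_PASSWORD]
check_pkix_identity() {
    id_file=$1; ca_file=$2; key_pass=${3:-}
    work=$(mktemp -d) || return 1
    # Split the combined file into its PEM blocks. An encrypted key's
    # Proc-Type/DEK-Info headers sit inside the BEGIN/END range, so they are kept.
    awk '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/' "$id_file" > "$work/key.pem"
    awk '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/' "$id_file" > "$work/cert.pem"
    if [ ! -s "$work/key.pem" ] || [ ! -s "$work/cert.pem" ]; then
        echo "$id_file: expected a private key followed by a certificate" >&2
        rm -rf "$work"; return 1
    fi
    # The certificate must carry this key: compare SHA-256 over the DER-encoded
    # SubjectPublicKeyInfo taken from each half.
    key_spki=$(openssl pkey -in "$work/key.pem" -passin "pass:$key_pass" -pubout -outform DER 2>/dev/null \
               | openssl dgst -sha256 | sed 's/^.*= //')
    cert_spki=$(openssl x509 -in "$work/cert.pem" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //')
    if [ -z "$key_spki" ] || [ "$key_spki" != "$cert_spki" ]; then
        echo "$id_file: certificate public key does not match the private key" >&2
        rm -rf "$work"; return 1
    fi
    # The certificate must chain to the CA that sshd trusts under /opt/etc/ca/crt.
    if ! openssl verify -CAfile "$ca_file" "$work/cert.pem" >/dev/null 2>&1; then
        echo "$id_file: certificate does not verify against $ca_file" >&2
        rm -rf "$work"; return 1
    fi
    # Print the authorized_keys line in the slash-separated subject form used above.
    dn=$(openssl x509 -in "$work/cert.pem" -noout -subject -nameopt compat | sed 's/^subject= *//')
    rm -rf "$work"
    echo "x509v3-sign-rsa subject= $dn"
}
```

Run it as `check_pkix_identity ~/.ssh/id_rsa_ssh_valid ~/project/ssh-demo/pki/CA/cacert.pem`; a non-zero exit explains on stderr why sshd would reject the identity.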
- On server side: copy ocspca to ca path
cd /home/pi/project/ssh-demo/pki/OCSP
ls
sudo cp ocspcacert.pem /opt/etc/ca/crt
cd /opt/etc/ca/crt
sudo ln -s ocspcacert.pem `openssl x509 -in ocspcacert.pem -noout -hash`.0
ls -l
- On server side: add the subject line to authorized_keys
cd /home/pi/project/ssh-demo/pki
nano ~/.ssh/authorized_keys
x509v3-sign-rsa subject= /C=US/ST=Colorado/O=Grimer Softwork/OU=R&D/CN=OCSP Client
- On server side: Generate ca bundle
cd /home/pi/project/ssh-demo/pki/OCSP
cat ocspcacert.pem ocspcacert.pem > bundle.pem
Confirm settings
sudo nano /opt/etc/sshd_config
Change from
VAType none
to
VAType ocspspec
VAOCSPResponderURL http://localhost:9999
VACertificateFile /home/pi/project/ssh-demo/pki/OCSP/bundle.pem
- On server side: Run OCSP responder
cd ~/project/ssh-demo/pki/OCSP
openssl ocsp -index index.txt -port 9999 -rsigner ocsp.pem -rkey ocspkey.pem -CA ocspcacert.pem
Then run sshd
sudo /opt/sbin/sshd -d
#sudo killall sshd
- On client side:
sudo /opt/bin/ssh -i ~/.ssh/id_rsa_ssh_ocsp -p 22 pi@192.168.0.153 -vvv
- On server side: Revoke the original client certificate
export OPENSSL_CONF=~/project/ssh-demo/pki/OCSP/conf/openssl_ocspca.cnf
cd /home/pi/project/ssh-demo/pki/OCSP
openssl ca -revoke client.pem -keyfile ocspcakey.pem -passin pass:Sweetroll -cert ocspcacert.pem
- On server side: Start the OCSP responder again
cd /home/pi/project/ssh-demo/pki/OCSP
openssl ocsp -index index.txt -port 9999 -rsigner ocsp.pem -rkey ocspkey.pem -CA ocspcacert.pem
- On server side: Validate the client certificate against the responder (it should now be reported as revoked)
cd /home/pi/project/ssh-demo/pki/OCSP
openssl ocsp -CAfile ocspcacert.pem -issuer ocspcacert.pem -cert client.pem -url http://localhost:9999 -resp_text
- On server side: Run OCSP responder
cd /home/pi/project/ssh-demo/pki/OCSP
openssl ocsp -index index.txt -port 9999 -rsigner ocsp.pem -rkey ocspkey.pem -CA ocspcacert.pem
Then run sshd
sudo /opt/sbin/sshd -d
#sudo killall sshd
- On client side:
sudo /opt/bin/ssh -i ~/.ssh/id_rsa_ssh_ocsp -p 22 pi@192.168.0.153 -vvv
Reference: https://duo.com/docs/duounix
- Sign in to the Duo admin panel and choose 'Protect an Application', then click 'Unix Application' and get the API key.
- On server side: install duo_unix
cd ~/project/ssh-demo/
rm -rf MFA
mkdir MFA
cd MFA
wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
tar zxf duo_unix-latest.tar.gz
cd duo_unix-1.11.4
- Build and install duo_unix with PAM support (pam_duo).
cd /home/pi/project/ssh-demo/MFA/duo_unix-1.11.4
./configure --with-pam --prefix=/usr && make && sudo make install
- Once duo_unix is installed, edit /etc/duo/pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application.
sudo nano /etc/duo/pam_duo.conf
[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME
- Make the following changes to your sshd_config file
sudo nano /opt/etc/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
- Set up PAM for SSH public-key login
sudo nano /etc/pam.d/sshd
Confirm the auth stack reads as follows (if pam_duo.so succeeds, success=1 skips the next module, pam_deny.so, and the stack ends at pam_permit.so; any other result falls through to pam_deny.so and the login is refused):
#@include common-auth
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
- Start the SSH server
sudo /opt/sbin/sshd -d
- On client side:
sudo /opt/bin/ssh -p 22 pi@192.168.0.153 -vvv
- Check and install external libraries
sudo apt-get install libxml2-dev
sudo apt-get install libssh2-1
sudo apt-get install libncurses5-dev libncursesw5-dev
sudo apt install zlib1g-dev
sudo apt-get install libreadline-dev