Hi, let me know if there are any problems, hope it helps someone.
This site has really helped me, Thanks one and all.
UPDATE- Re-written sshd section adding comments.
++++++++++++++++++++++++++++++++++++++++++++++++++++
Installing and securing sshd
==============================
Install ssh openssh
Edit /etc/ssh/sshd_config
# change or add these options
#This will disable ssh protocol 1, breaking compatibility with some clients and rendering version 1 options ineffective
#I have not included the v1 options here.
#Both of my clients support Protocol Version 2, we will disable version 1.
Protocol 2
# Replace 55222 with a port number that is not in use, up to 65535. This will help to stop automated attacks against ssh on port 22
# We can also specify -p on the command line, which will override this and make sshd run on a specific port
#/usr/sbin/sshd -p 55229
# Port and AddressFamily are placed before ListenAddress; older sshd versions require that order
Port 55222
#I am using IPv4 on 1 network adaptor, replace 10.0.90.23 with your ip address
# Run sudo ifconfig -a to find it
#This binds sshd to just one ip address. By default sshd listens on all network addresses using both IP versions 4 & 6;
#we can restrict it to IPv4 by doing this. (This breaks IPv6 compatibility)
AddressFamily inet
ListenAddress 10.0.90.23
# Logging
#man syslog.conf for more information on syslog
#The defaults are fine for our needs
SyslogFacility AUTH
LogLevel INFO
#The server will give you 1 minute to enter your passphrase successfully before disconnecting the session.
LoginGraceTime 1m
#Disables root login
#Can enforce further by adding root to DenyUsers option, and by adding any account but root to the AllowUsers option
# (See Below) for using forced commands with keys for root
PermitRootLogin no
#This will make sshd check the user's files and home directory for the correct permissions and owners before allowing a login.
#To set suitable permissions, run as the user "chmod -R o-w ~"
StrictModes yes
#This uses .rhosts/.shosts and /etc/hosts.equiv and trusts a file that can be manipulated by a user (.rhosts), so we set this to no.
#See rhosts below
HostBasedAuthentication no
#######################################################################
# .rhosts
# 2 hosts
# 192.168.1.2 - user bob
# 192.168.1.3 - user sub
#Very basically this means that as a user on a machine you can supply a file (.rhosts, .shosts, /etc/hosts.equiv) on 192.168.1.2
#containing the machines and usernames that a remote user can use to log onto the local machine without a password.
#Example 1 .rhosts placed in bob's home directory on 192.168.1.2
192.168.1.3 bob
#would allow bob to log in from 192.168.1.3 as the user bob on 192.168.1.2
#Example 2
192.168.1.3 sub
#would allow sub to log in from 192.168.1.3 as the user bob on 192.168.1.2
#Example 3
+ bob
#would allow the user bob to log in from any host as user bob on 192.168.1.2
#Example 4
+ +
#would allow any user on any host to log in as user bob on 192.168.1.2
#All without a password!
#########################################################################
#Ignores the user's ~/.ssh/known_hosts during host-based authentication
IgnoreUserKnownHosts yes
#Maximum login attempts per connection before disconnection
MaxAuthTries 4
#This will allow you to log into an account using a public-key
PubkeyAuthentication yes
#This will allow you to log into an account using a password, (we will leave this as yes for now).
#changing this to no will stop any account logging in with a password.
PasswordAuthentication yes
#When the PasswordAuthentication above is set to yes this option will deny account login with a blank password
PermitEmptyPasswords no
# This is the path to the authorized_keys file, containing your public-key.
# bob /home/bob/.ssh/authorized_keys
# root /root/.ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
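#This will disable tcp forwarding (not a solution but it removes it from this configuration)
AllowTcpForwarding no
#If port forwarding must be used, then use PermitOpen to allow only certain destinations
#(PermitOpen only has an effect when AllowTcpForwarding is not set to no)
#I have a network camera on 10.0.90.7
#PermitOpen takes host:port; PORT is a placeholder for the port to be forwarded to
PermitOpen 10.0.90.7:PORT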
#This disables X forwarding so ssh -X or -Y will not work.
X11Forwarding no
#This option controls printing /etc/motd on connection; it is turned off here
PrintMotd no
#This option controls printing the date, time and ip address of the last login; it is turned off here
PrintLastLog no
#This is the default,
#TcpKeepAlive is to detect a dead connection.
TCPKeepAlive yes
####################################################
# DenyUsers, AllowUsers, DenyGroups, AllowGroups
# Default is all users and groups are allowed
# They are processed in the order above
# AllowUsers lets you add users or username patterns, and even hosts, that are allowed to log in via ssh
# ONLY THESE users+hosts (we will now call them patterns) will be allowed to log in via ssh.
# EXAMPLE OF PATTERNS, wildcards * are accepted so.....
AllowUsers slack*
# Would allow usernames starting with slack followed by any combination, so slackbob, slackbob4, slacksubgenius, slacksubgenius6, slackwarerocks
# all to log in from any host.
AllowUsers slack*@192.168.1.2
# Would allow login for the same username pattern as above, but this time only from host 192.168.1.2
AllowUsers slack*@192.168.1.*
# would allow the same usernames as above to attempt to log in from any machine on your lan (assuming 192.168.1.* addresses)
# For multiple entries, separate with a space
AllowUsers slack*@192.168.1.* slack*@216.9.*.* bob* root@216.9.*.*
# would allow the same pattern as above but also from an external host pattern 216.9.*.* (my mobile phone provider),
# the username pattern bob* (so bobdodds, bob, bobittybob) from any host, and root only from 216.9.*.*
##########################################################################
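How the AllowUsers and DenyUsers patterns above are evaluated, as an added Python example that is not part of the original post or of OpenSSH. It models only the * and ? wildcards and the USER@HOST form, with the host compared as an address string; the sample logins are constructed.

```python
import re

def _glob(pattern):
    # sshd patterns know only '*' (any run of characters) and '?' (one character)
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts))

def _matches(entry, user, host):
    # An entry is USER or USER@HOST; without @HOST any source host matches
    user_pat, _, host_pat = entry.partition("@")
    if not _glob(user_pat).fullmatch(user):
        return False
    return not host_pat or bool(_glob(host_pat).fullmatch(host))

def login_permitted(user, host, allow_users="", deny_users=""):
    # DenyUsers is checked first; if AllowUsers is set, only its matches pass
    if any(_matches(e, user, host) for e in deny_users.split()):
        return False
    allow = allow_users.split()
    return not allow or any(_matches(e, user, host) for e in allow)

# The multi-entry AllowUsers line from the guide
ALLOW = "slack*@192.168.1.* slack*@216.9.*.* bob* root@216.9.*.*"

# Constructed (user, source address) pairs
SAMPLES = [
    ("slackbob", "192.168.1.2"),
    ("slackbob", "10.0.0.5"),
    ("slacksubgenius6", "216.9.4.7"),
    ("bobdodds", "203.0.113.9"),
    ("root", "216.9.1.1"),
    ("root", "192.168.1.2"),
    ("alice", "192.168.1.2"),
]

def evaluate(deny_users=""):
    return {s: login_permitted(*s, allow_users=ALLOW, deny_users=deny_users)
            for s in SAMPLES}

if __name__ == "__main__":
    for deny in ("", "root"):
        print(f"DenyUsers {deny or '(unset)'}")
        for (user, host), ok in evaluate(deny).items():
            print(f"  {user}@{host}: {'allowed' if ok else 'refused'}")
```

With DenyUsers root added, the root@216.9.*.* entry no longer lets root in, because the deny list is consulted before the allow list.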
#change USERNAME to your username and host combination.
AllowUsers USERNAME
DenyUsers root
#
UsePrivilegeSeparation yes
sudo /etc/init.d/ssh restart
On The Client
============
#Generate Key
ssh-keygen -t rsa
#Press enter for default location
add passphrase #If left blank then no passphrase is required, which is great for scripting
repeat passphrase #but not as secure.
#Copy Key To SSH Server
# Replace 55222 with the sshd port you have decided to use in sshd_config above, 10.0.90.23 with the ip of your ssh server
# and USERNAME with your username on the ssh server
# Note: this overwrites any existing authorized_keys file on the server, and /home/USERNAME/.ssh must already exist
scp -P 55222 .ssh/id_rsa.pub USERNAME@10.0.90.23:/home/USERNAME/.ssh/authorized_keys
# enter password
#To test
ssh -p 55222 USERNAME@10.0.90.23
#enter passphrase this time
#Stay logged in, continued below
On Server
===============
#Setting permissions
# continued from above
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys*
Edit /etc/ssh/sshd_config
Change PasswordAuthentication yes
To PasswordAuthentication no
#Save and exit
sudo /etc/init.d/ssh restart
exit # to exit ssh session
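
A check of the finished sshd_config against the settings chosen in this guide, as an added Python example (not the original poster's or OpenSSH's code). It keeps the first value seen for each keyword, which is how sshd treats single-valued options, so a corrected line appended further down does not count; the sample file is constructed.

```python
import re

# Settings this guide ends up with (keywords and values lower-cased)
EXPECTED = {
    "protocol": "2", "permitrootlogin": "no", "strictmodes": "yes",
    "hostbasedauthentication": "no", "permitemptypasswords": "no",
    "passwordauthentication": "no", "pubkeyauthentication": "yes",
    "x11forwarding": "no", "maxauthtries": "4",
}

# Constructed sample file, not taken from a real server
SAMPLE = """\
Protocol 2
Port 55222
PermitRootLogin no
StrictModes yes
HostBasedAuthentication no
MaxAuthTries 4
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
# appended later; has no effect because the first value above applies
PasswordAuthentication no
"""

def effective_settings(text):
    """Return {keyword: value}, keeping the first value seen for each keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"[ \t=]+", line, maxsplit=1)
        key = fields[0].lower()          # keywords are case-insensitive
        if key == "match":               # conditional blocks are not modelled
            break
        settings.setdefault(key, fields[1].strip() if len(fields) > 1 else "")
    return settings

def audit(text):
    """Return {keyword: found value or None} for settings that differ from EXPECTED."""
    have = effective_settings(text)
    return {k: have.get(k) for k, want in EXPECTED.items()
            if (have.get(k) or "").lower() != want}

if __name__ == "__main__":
    for key, found in audit(SAMPLE).items():
        print(f"{key}: found {found!r}, guide uses {EXPECTED[key]!r}")
```

On the server itself, sudo sshd -t checks the file for syntax errors before the restart, and sudo sshd -T prints the settings sshd will actually use.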