SSH

key creation

create keypair
# create an elliptic-curve (ed25519) keypair
> ssh-keygen -t ed25519

# create a 4096-bit RSA keypair
> ssh-keygen -t rsa -b 4096

ssh config

~/.ssh/config
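# specify host alias (connect with: ssh webserver-1)
Host webserver-1
  # set host address
  HostName 10.10.0.100
  # set port
  Port 2222
  # set username
  User foobert
  # offer only the IdentityFile configured here, not every key the agent holds
  IdentitiesOnly yes
  # private key location
  IdentityFile /home/foobert/.ssh/privkey
  # host key signature algorithms accepted from this server.
  # ssh-rsa is the SHA-1 signature scheme: it is disabled by default in
  # OpenSSH 8.8+ clients and the sshd_config further down does not offer it,
  # so prefer ed25519 and the SHA-2 RSA scheme instead
  HostKeyAlgorithms ssh-ed25519,rsa-sha2-512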

ssh agent

ssh agent
# I put my agent conf in the .xinitrc file
> vi .xinitrc
  ...
  ssh-agent > ~/.ssh-agent
  source ~/.ssh-agent

# add key to agent
> ssh-add ~/.ssh/id_ed25519

# list all identities
> ssh-add -l

# remove identities (the default ones, or the key files given as arguments)
> ssh-add -d

# remove all identities
> ssh-add -D

ssh tunnel

tunnel
# forward local port 8080 to port 5000 on the remote host (127.0.0.1 as seen from host)
> ssh -L 8080:127.0.0.1:5000 user@host

# forward local port 8080 to port 5000 on 10.10.0.200, as reached from host
> ssh -L 8080:10.10.0.200:5000 user@host

ssh server config

/etc/ssh/sshd_config
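## use only version 2 (protocol 1 support was removed from sshd in OpenSSH 7.4;
## on newer servers this directive is a deprecated no-op that only logs a warning)
Protocol 2

## specify ssh port
Port 2222

## hostkey places (only key types loaded here can be offered, see HostKeyAlgorithms below)
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

## seconds a client has to authenticate before the server disconnects
LoginGraceTime 60

## disable root login
PermitRootLogin no

## where authorized_keys are (relative to the user's home directory)
AuthorizedKeysFile .ssh/authorized_keys

## pubkey authentication
PubkeyAuthentication yes

## disallow empty passwords
PermitEmptyPasswords no

## disallow password login
PasswordAuthentication no

## log auth events to the private auth facility (keeps sensitive details out of the general log)
## possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7
## (AUTHPRIV is also accepted on platforms whose syslog defines it)
SyslogFacility AUTHPRIV

## loglevel
## possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3
LogLevel INFO

## allowed ssh login users (everyone else is rejected)
AllowUsers foobert

## use only ipv4
AddressFamily inet

## max authentication attempts per connection
MaxAuthTries 3

## check file modes and ownership of the user files
StrictModes yes

## specifies that .rhosts and .shosts files will not be used in HostbasedAuthentication
IgnoreRhosts yes

## do not reverse-resolve client addresses
UseDNS no

## disallow HostbasedAuthentication
HostbasedAuthentication no

## disable challenge-response (keyboard-interactive) logins; only key auth is wanted
## (deprecated alias of KbdInteractiveAuthentication since OpenSSH 8.7)
ChallengeResponseAuthentication no

## only key authentication is allowed
AuthenticationMethods publickey

## symmetric algorithms
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

## message authentication codes
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

## host key signature algorithms the server offers. ssh-ed25519 is listed so
## the ed25519 HostKey above is actually usable; without it only the RSA key
## could ever be offered. No ecdsa HostKey is loaded above, so the ecdsa
## entries stay inert until such a key is added.
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512

## key exchange algorithms
KexAlgorithms curve25519-sha256@libssh.org

## disallow forwarding X11
X11Forwarding no

## print date and time of the last user login
PrintLastLog yes

## TCP keepalive packets disabled (they are spoofable; use ClientAliveInterval
## for liveness checks inside the encrypted channel instead)
TCPKeepAlive no

## use kernel sandbox mechanisms (privilege separation is mandatory since
## OpenSSH 7.5; on newer servers this directive is a deprecated no-op)
UsePrivilegeSeparation sandbox

## keep PAM enabled so its account/session modules still run, e.g. to force a
## password change at first login; with PasswordAuthentication and
## ChallengeResponseAuthentication both set to no, PAM cannot be used to log
## in with a password
UsePAM yes

## disable message of the day
PrintMotd no

## login banner shown before authentication
Banner /etc/ssh/sshd-banner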