Ssh: Difference between revisions
No edit summary |
No edit summary |
||
| Line 10: | Line 10: | ||
# -- COPY AND PASTE END -- | # -- COPY AND PASTE END -- | ||
* Control-D to disconnect and ssh back in to make sure it's working | * Control-D to disconnect and ssh back in to make sure it's working | ||
=== Clean room hardened config === | |||
If you're dealing with a machine that has some unknown ssh config, [https://cryptsus.com/blog/how-to-secure-your-ssh-server-with-public-key-elliptic-curve-ed25519-crypto.html reset it to hardened key auth] as follows. This is a good way to start in general, for completeness. | |||
==== Client ==== | |||
ssh-keygen -o -a 256 -t ed25519 -C "$(hostname)-$(date +'%d-%m-%Y')" | |||
#Make the .ssh directory unreadable for other users and groups | |||
chmod 700 ~/.ssh | |||
chmod 700 /home/$USER/.ssh | |||
#Make the private SSH key read only | |||
chmod 400 /home/$USER/.ssh/id_ed25519 | |||
chmod 400 ~/.ssh/id_ed25519 | |||
#Make the local $USER own the SSH key pair files | |||
chown $USER:$USER ~/.ssh/id_ed25519* | |||
chown $USER:$USER /home/$USER/.ssh/id_ed25519* | |||
==== Server ==== | |||
rm /etc/ssh/ssh_host_* #Delete old SSH keys | |||
rm ~/.ssh/id_* #Delete old SSH keys | |||
sudo dpkg-reconfigure openssh-server #Reset SSH config to defaults and generate new key files | |||
rm /home/$USER/.ssh/id_* #Delete old SSH keys | |||
vi /home/$USER/.ssh/authorized_keys #paste public key here | |||
cd /home/$USER/ && chmod g-w,o-w .ssh/ #The directory containing your .ssh directory must | |||
not be writeable by group or others | |||
chmod 600 /home/$USER/.ssh/authorized_keys #change permissions to r+w only for user | |||
service sshd restart #restart and reload keys into the SSH deamon | |||
=== Generate fresh keys === | === Generate fresh keys === | ||
Revision as of 16:27, 16 April 2021
Quickstart
- For any new host, you need to copy private key to .ssh and cat public key into .ssh/authorized_keys.
ssh newhost export GOODHOST=bitpost.com # -- YOU CAN COPY AND PASTE THIS -- mkdir -p .ssh cd .ssh scp $GOODHOST:.ssh/id_rsa* . cat id_rsa.pub >> authorized_keys # -- COPY AND PASTE END --
- Control-D to disconnect and ssh back in to make sure it's working
Clean room hardened config
If you're dealing with a machine that has some unknown ssh config, reset it to hardened key auth as follows. This is a good way to start in general, for completeness.
Client
ssh-keygen -o -a 256 -t ed25519 -C "$(hostname)-$(date +'%d-%m-%Y')" #Make the .ssh directory unreadable for other users and groups chmod 700 ~/.ssh chmod 700 /home/$USER/.ssh #Make the private SSH key read only chmod 400 /home/$USER/.ssh/id_ed25519 chmod 400 ~/.ssh/id_ed25519 #Make the local $USER own the SSH key pair files chown $USER:$USER ~/.ssh/id_ed25519* chown $USER:$USER /home/$USER/.ssh/id_ed25519*
Server
rm /etc/ssh/ssh_host_* #Delete old SSH keys rm ~/.ssh/id_* #Delete old SSH keys sudo dpkg-reconfigure openssh-server #Reset SSH config to defaults and generate new key files rm /home/$USER/.ssh/id_* #Delete old SSH keys vi /home/$USER/.ssh/authorized_keys #paste public key here cd /home/$USER/ && chmod g-w,o-w .ssh/ #The directory containing your .ssh directory must not be writeable by group or others chmod 600 /home/$USER/.ssh/authorized_keys #change permissions to r+w only for user service sshd restart #restart and reload keys into the SSH deamon
Generate fresh keys
- If you need a new identity, use this to generate the keys:
cd ~/.ssh ssh-keygen -t rsa -b 4096 -C moodboom@gmail.com chmod 400 id_rsa cat id_rsa.pub >> authorized_keys
Shortcut and Key organization
- Always set up shortcuts to get to hosts fast in .ssh/config; see common for example, it's used everywhere.
- You can use any file for key by specifying an [IdentityFile] in .ssh/config.
Enable X11 forwarding
- server: install xauth
- server: enable in /etc/ssh/sshd_config
- server: make sure you have an X environment installed (install of any X app will pull it in)
- client: set [ForwardX11Trusted yes] in /etc/ssh/ssh_config (no doesn't work)
- client: make sure you have an X server environment - on windows, use x2go
- if you need to become root after you have ssh'ed (for example to run wireshark), do this magic to patch in x authorization, oh yeah!
sudo su - [root ~]# touch .Xauthority [root ~]# xauth add $(xauth -f ~ec2-user/.Xauthority list|tail -1) [root ~]# xclock& # good to go!
NOTE: This step gets it going automatically, but that has messed with the ability to ssh/git through non-X servers like bitpost. Just use [ssh -Y] as needed.
- client: set [ForwardX11 yes] in /etc/ssh/ssh_config (in place of ssh -Y)
ProxyJump
You can set up a hostname configuration to jump directly through another machine if needed:
- make sure you are running ssh>=7.3 everywhere
- if you have to jump through Windows, Cygwin has a nice sshd that works out of the box for the most part, with ProxyJump capability.
- Ubuntu must be 17.04 or newer.
- configure a host shortcut AwsInstance from dmz to internet
- configure a host shortcut DmzHostfrom lab to dmx
- configure a host shortcut AwsInstanceJumpfrom lab to internet, with ProxyJump DmzHost