Ssh

From Bitpost wiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Quickstart

  • For any new host, you need to copy private key to .ssh and cat public key into .ssh/authorized_keys.
ssh newhost
export GOODHOST=bitpost.com
# -- YOU CAN COPY AND PASTE THIS --
mkdir -p .ssh
cd .ssh
scp $GOODHOST:.ssh/id_ed25519* .
cat id_ed25519.pub >> authorized_keys
# -- COPY AND PASTE END --
  • Control-D to disconnect and ssh back in to make sure it's working

Upgrading a system with an old key

When I start using a new key, and deprecating the old, older systems will stop being "connectable". To fix:

  • From the proxmox console, edit sshd to allow passwords again:
sudo emacs -nw /etc/ssh/sshd_config # and comment out the PasswordAuthentication block
 # MDM It's 2018, time to turn off password auth.
 #PasswordAuthentication no
 #ChallengeResponseAuthentication no
 #UsePAM no
sudo service ssh restart
  • Connect to it from a host with the new key
  • Using two terminals, copy/paste the newer key into place, and remove the old
  • Undo sshd changes and verify you can connect
  • Fix ~/.ssh/config to point to the new key. This gets tricky bc you must change the file that has also been changed upstream.
emacs ~/.ssh/config # change key
cd development/config
git commit -a -m "Fix (host) config"
git pull # and fix merge up
git push

Clean room hardened config

If you're dealing with a machine that has some unknown ssh config, reset it to hardened key auth as follows. This is a good way to start in general, for completeness.

Client

ssh-keygen -o -a 256 -t ed25519 -C "$(hostname)-$(date +'%d-%m-%Y')"
#Make the .ssh directory unreadable for other users and groups
chmod 700 ~/.ssh			
chmod 700 /home/$USER/.ssh	 		
#Make the private SSH key read only
chmod 400 /home/$USER/.ssh/id_ed25519 
chmod 400 ~/.ssh/id_ed25519 				 	    	
#Make the local $USER own the SSH key pair files
chown $USER:$USER ~/.ssh/id_ed25519*		 
chown $USER:$USER /home/$USER/.ssh/id_ed25519*

Server

sudo rm /etc/ssh/ssh_host_*                  #Delete old SSH keys
rm ~/.ssh/id_*                               #Delete old SSH keys
sudo dpkg-reconfigure openssh-server         #Reset SSH config to defaults and generate new key files
rm /home/$USER/.ssh/id_*                     #Delete old SSH keys
vi /home/$USER/.ssh/authorized_keys          #paste public key here
cd /home/$USER/ && chmod g-w,o-w .ssh/       #The directory containing your .ssh directory must not be writeable by group or others
chmod 600 /home/$USER/.ssh/authorized_keys   #change permissions to r+w only for user
sudo service sshd restart                    #restart and reload keys into the SSH deamon

Generate fresh keys

  • If you need a new identity, use this to generate the keys:
cd ~/.ssh 
# use ed25519, the newest cipher, it's smaller, performs better AND more secure
ssh-keygen -t ed25519 -C moodboom@gmail.com
chmod 400 id_rsa
cat id_rsa.pub >> authorized_keys

Shortcut and Key organization

  • Always set up shortcuts to get to hosts fast in .ssh/config; see common for example, it's used everywhere.
  • You can use any file for key by specifying an [IdentityFile] in .ssh/config.

Enable X11 forwarding

  • server: install xauth
  • server: enable in /etc/ssh/sshd_config
  • server: make sure you have an X environment installed (install of any X app will pull it in)
  • client: set [ForwardX11Trusted yes] in /etc/ssh/ssh_config (no doesn't work)
  • client: make sure you have an X server environment - on windows, use x2go
  • if you need to become root after you have ssh'ed (for example to run wireshark), do this magic to patch in x authorization, oh yeah!
sudo su -
[root ~]# touch .Xauthority
[root ~]# xauth add $(xauth -f ~ec2-user/.Xauthority list|tail -1)
[root ~]# xclock& # good to go!

NOTE: This step gets it going automatically, but that has messed with the ability to ssh/git through non-X servers like bitpost. Just use [ssh -Y] as needed.

  • client: set [ForwardX11 yes] in /etc/ssh/ssh_config (in place of ssh -Y)

ProxyJump

You can set up a hostname configuration to jump directly through another machine if needed:

  • make sure you are running ssh>=7.3 everywhere
    • if you have to jump through Windows, Cygwin has a nice sshd that works out of the box for the most part, with ProxyJump capability.
    • Ubuntu must be 17.04 or newer.
  • configure a host shortcut AwsInstance from dmz to internet
  • configure a host shortcut DmzHostfrom lab to dmx
  • configure a host shortcut AwsInstanceJumpfrom lab to internet, with ProxyJump DmzHost
Retrieved from "https://bitpost.com/w/index.php?title=Ssh&oldid=7049"