Skip to main content

SSH ๐Ÿ”

Generalโ€‹

Generate a new ssh keyโ€‹

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "mail@example.com"

Clientโ€‹

Permissionsโ€‹

  • Permissions on ssh folder and keys (source)

    • .ssh directory: 700 (drwx------)
    • public key (.pub file): 644 (-rw-r--r--)
    • private key (id_rsa): 600 (-rw-------)
    • lastly your home directory should not be writeable by the group or others (at most 755 (drwxr-xr-x)).

Serverโ€‹

SSH server hardeningโ€‹

  • sshd_config options (/etc/ssh/sshd_config)

    • disbale root login PermitRootLogin no
    • disable login with passwords PasswordAuthentication no
    • use public key authentication over passwords AuthorizedKeysFile .ssh\/authorized_keys
    • disable X11 Forwarding X11Forwarding no
    • disable Tcp forwarding AllowTcpForwarding no
    • disable agent forwarding AllowAgentForwarding no
    • limit auth tries MaxAuthTries 2
    • restrict which users are allowed to log in with ssh AllowUsers <user>
    • enforce strong ciphers and protocol version
      • specify strong ciphers Ciphers aes256-ctr,aes192-ctr,aes128-ctr
      • specify strong MAC algorithms MACs hmac-sha2-256,hmac-sha2-512
      • enforce the use of SSH-2 Protocol 2
info

After making changes to /etc/ssh/sshd_config, remember to restart the SSH service to apply the changes:

sudo systemctl restart sshd

automating via cloud-initโ€‹

Can also be used in a cloud-init script

 runcmd:
  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)AllowUsers/s/^.*$/AllowUsers <user>/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)Protocol/s/^.*$/Protocol 2/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)Ciphers/s/^.*$/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
  - sed -i -e '/^\(#\|\)MACs/s/^.*$/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config