SSH
General
Generate a new ssh key
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "mail@example.com"
Client
Permissions
Permissions on the ssh folder and keys:
- .ssh directory: 700 (drwx------)
- public key (.pub file): 644 (-rw-r--r--)
- private key (id_rsa): 600 (-rw-------)
- lastly, your home directory should not be writeable by the group or others (at most 755 (drwxr-xr-x)).
Server
SSH server hardening
sshd_config options (/etc/ssh/sshd_config):
- disable root login
PermitRootLogin no
- disable login with passwords
PasswordAuthentication no
- use public key authentication instead of passwords
AuthorizedKeysFile .ssh/authorized_keys
- disable X11 forwarding
X11Forwarding no
- disable TCP forwarding
AllowTcpForwarding no
- disable agent forwarding
AllowAgentForwarding no
- limit authentication attempts per connection
MaxAuthTries 2
- restrict which users are allowed to log in with ssh
AllowUsers <user>
- enforce strong ciphers and protocol version
  - specify strong ciphers
  Ciphers aes256-ctr,aes192-ctr,aes128-ctr
  - specify strong MAC algorithms
  MACs hmac-sha2-256,hmac-sha2-512
  - enforce the use of SSH-2
  Protocol 2
Info: after making changes to /etc/ssh/sshd_config, remember to restart the SSH service to apply the changes:
sudo systemctl restart sshd
Automating via cloud-init
The same settings can also be applied from a cloud-init script:
runcmd:
- sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)AllowUsers/s/^.*$/AllowUsers <user>/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)Protocol/s/^.*$/Protocol 2/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)Ciphers/s/^.*$/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
- sed -i -e '/^\(#\|\)MACs/s/^.*$/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config
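The sed one-liners above only rewrite a directive that is already present in sshd_config (commented out or active); a directive that is missing entirely is silently left unset, and a line appended blindly at the end of the file would land inside any trailing Match block. The following helper is an added example, not code from the original page: it applies the same settings idempotently, inserts missing directives before the first Match block, drops duplicate global lines (sshd uses the first value it sees), and reads back the effective value for a check. The function names and the sample config in the test are my own; AllowUsers is left out of harden_sshd because it needs a real username.

```shell
#!/bin/sh
# Added example (not from the page): idempotent sshd_config edits
# that also handle a directive that is absent and keep global
# directives above the first "Match" block.
set -eu

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    tmp="$1.tmp.$$"
    awk -v key="$2" -v value="$3" '
        # First Match block: emit the directive before it if still unset.
        !inmatch && /^[ \t]*Match([ \t]|$)/ {
            if (!done) { print key " " value; done = 1 }
            inmatch = 1
        }
        !inmatch {
            l = $0; sub(/^[ \t]*#?[ \t]*/, "", l)
            if (l == key || index(l, key " ") == 1 || index(l, key "\t") == 1) {
                if (!done) { print key " " value; done = 1 }  # first: rewrite
                next                                           # later: drop
            }
        }
        { print }
        END { if (!done) print key " " value }  # no Match, no directive: append
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_sshd_option FILE KEY: first global-scope value (the one sshd uses).
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*Match([ \t]|$)/ { exit }
        $1 == key { print $2; exit }
    ' "$1"
}

# harden_sshd FILE: the settings from this page (AllowUsers omitted:
# it needs a real username).
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$1" X11Forwarding no
    set_sshd_option "$1" AllowTcpForwarding no
    set_sshd_option "$1" AllowAgentForwarding no
    set_sshd_option "$1" MaxAuthTries 2
    set_sshd_option "$1" Ciphers aes256-ctr,aes192-ctr,aes128-ctr
    set_sshd_option "$1" MACs hmac-sha2-256,hmac-sha2-512
}
```

Run it on a copy of the config first, then confirm with `sudo sshd -t` before restarting the service.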