Introduction
OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.
Securing OpenSSH
SSHd config: /etc/ssh/sshd_config
Validate the file before restarting (sshd's -t test mode), so a typo cannot lock you out of the host, then restart sshd (on systemd hosts the unit is sshd, or ssh on Debian/Ubuntu):
service sshd restart
Disable Root Logins
# Prevent root logins:
PermitRootLogin no
Limit User Logins
# Only the listed accounts may log in; every other user is refused (user@host patterns are also accepted):
AllowUsers alice bob
Disable Protocol 1
# Protocol 2,1
Protocol 2
SSH protocol 1 is cryptographically broken and has been removed from OpenSSH entirely (server side in 7.4, client side in 7.6), so on current releases the Protocol keyword is deprecated and ignored; the setting only matters on old installations that still offer both versions.
CA
ssh-keygen can act as a certificate authority: generate a CA key pair, then sign host or user public keys with it. Servers and clients then trust the CA public key instead of each individual key.
$ ssh-keygen -f server_ca
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in server_ca.
Your public key has been saved in server_ca.pub.
The key fingerprint is:
SHA256:IRk7bvTPw7wkFXWVY8BoxxRpedhQ2rUqeBTX2B8V7AU hatterjiang@HatterJiangs-MacBook-Pro.local
The key's randomart image is:
+---[RSA 2048]----+
(randomart image)
+----[SHA256]-----+
$ ls -l
total 16
-rw------- 1 hatterjiang staff 1675 Jul 8 03:12 server_ca
-rw-r--r-- 1 hatterjiang staff 424 Jul 8 03:12 server_ca.pub
$ ssh-keygen -s server_ca -I host_auth_server -h -n test.example.com -V +52w user_key.pub
Signed host key user_key-cert.pub: id "host_auth_server" serial 0 for test.example.com valid from 2016-07-08T03:14:00 to 2017-07-07T03:14:59
$ ls -l
total 40
-rw------- 1 hatterjiang staff 1675 Jul 8 03:12 server_ca
-rw-r--r-- 1 hatterjiang staff 424 Jul 8 03:12 server_ca.pub
-rw------- 1 hatterjiang staff 1679 Jul 8 03:14 user_key
-rw-r--r-- 1 hatterjiang staff 1377 Jul 8 03:14 user_key-cert.pub
-rw-r--r-- 1 hatterjiang staff 424 Jul 8 03:14 user_key.pub
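Note that the signing command on the page passes -h, so user_key.pub is issued as a host certificate for test.example.com (which is why ssh-keygen reports "Signed host key"); without -h the result is a user certificate and the -n principals are login names rather than host names. The following added example, which is not the page's own transcript, walks through both kinds in a scratch directory: a CA key, a host certificate, a user certificate with a short lifetime, a serial and a source-address restriction, and verification with ssh-keygen -L that each certificate has the intended type, principals and signing CA. The CA comment, host01.example.com, alice and the 10.0.0.0/8 range are assumptions.

```shell
#!/bin/sh
# Added example (not the page's transcript): build a throwaway SSH CA in a
# temporary directory, issue one host and one user certificate, and verify
# with ssh-keygen -L what was actually signed. Names are assumptions.
set -eu

# step CMD...: run a command and abort the enclosing subshell if it fails
step() { "$@" || { echo "failed: $*" >&2; exit 1; }; }
# has TEXT PATTERN: does TEXT contain a line matching PATTERN?
has() { printf '%s\n' "$1" | grep -q -- "$2"; }

ssh_ca_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, skipping" >&2; return 0; }
    work=$(mktemp -d) || return 1
    rc=0
    (
        cd "$work" || exit 1
        # 1. The CA key pair. The page used RSA 2048; ed25519 is smaller and fast.
        #    In real use the private key stays offline or in an HSM, never on the servers.
        step ssh-keygen -q -t ed25519 -N '' -C 'example ssh ca' -f ca
        ca_fp=$(ssh-keygen -lf ca.pub | awk '{print $2}')
        [ -n "$ca_fp" ] || exit 1

        # 2. A host key, signed as a host certificate (-h). The principals (-n)
        #    are the names clients connect to; a mismatch makes ssh reject the cert.
        step ssh-keygen -q -t ed25519 -N '' -f host_key
        step ssh-keygen -q -s ca -I host01 -h -n host01.example.com,host01 -V +52w host_key.pub

        # 3. A user key, signed as a user certificate (no -h). Now -n lists the
        #    login names the holder may use. Short lifetimes and unique serials
        #    (-z) mean a leaked key expires soon and can be revoked precisely;
        #    -O source-address limits where it can be used from.
        step ssh-keygen -q -t ed25519 -N '' -f alice_key
        step ssh-keygen -q -s ca -I alice@laptop -n alice -V +8h -z 1 \
            -O source-address=10.0.0.0/8 alice_key.pub

        # 4. Inspect both certificates and check them against what we intended.
        host_info=$(ssh-keygen -L -f host_key-cert.pub)
        user_info=$(ssh-keygen -L -f alice_key-cert.pub)
        step has "$host_info" 'Type:.*host certificate'
        step has "$user_info" 'Type:.*user certificate'
        step has "$host_info" "Signing CA:.*$ca_fp"
        step has "$user_info" "Signing CA:.*$ca_fp"
        step has "$host_info" '^[[:space:]]*host01\.example\.com$'
        step has "$user_info" '^[[:space:]]*alice$'
        step has "$user_info" 'source-address 10.0.0.0/8'

        # 5. What each side needs in order to trust the CA (printed, not installed).
        printf 'known_hosts:  @cert-authority *.example.com %s\n' "$(cat ca.pub)"
        printf 'sshd_config:  HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
        printf 'sshd_config:  TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
    ) || rc=$?
    rm -rf "$work"
    return $rc
}

ssh_ca_demo
```

To deploy, the server lists its certificate with HostCertificate next to the matching HostKey in sshd_config, clients trust it with a known_hosts line of the form @cert-authority *.example.com followed by the contents of ca.pub, and user certificates are accepted once sshd has TrustedUserCAKeys pointing at the CA public key; a RevokedKeys file (a KRL) revokes by serial before expiry. Use separate CA keys for hosts and users so a compromised user CA cannot be used to impersonate servers.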
FIDO
OpenSSH 8.2, released on 2020-02-14, added support for FIDO/U2F hardware authenticators: key types ecdsa-sk and ed25519-sk, whose private key cannot be used without the token, so every login needs a physical touch.
Linux distributions that ship OpenSSH 8.2 or later include:
- Ubuntu 20.04
Logging in to a simple SSH server that supports FIDO/U2F; the client asks for a touch on the token before the session is established:
$ ssh -p 2222 root@hatter.ink
Confirm user presence for key ECDSA-SK SHA256:+1wf4m+3FrZz5N9uvq4JkeCw69n2G3h6V7ymHC6GLlc
User presence confirmed
(ASCII-art welcome banner)
[root@hatter simple-ssh-server]#
References
- ssh-cert-authority https://github.com/cloudtools/ssh-cert-authority
- ssh-ca https://github.com/cloudtools/ssh-ca
- How To Create an SSH CA to Validate Hosts and Clients with Ubuntu https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu
- How to Harden SSH with Identities and Certificates https://ef.gy/hardening-ssh
- Enhanced SSH and FIDO authentication in Ubuntu 20.04 LTS https://ubuntu.com/blog/enhanced-ssh-and-fido-authentication-in-ubuntu-20-04-lts
- Securing OpenSSH https://wiki.centos.org/HowTos/Network/SecuringSSH