OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

SSHd config: /etc/ssh/sshd_config

Restart SSHd:

service sshd restart 

Disable Root Logins

# Prevent root logins:
PermitRootLogin no

Limit User Logins

AllowUsers alice bob

Disable Protocol 1

# Protocol 2,1
Protocol 2
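The three directives above are only effective if sshd actually picks them up, and sshd_config has rules that trip people up: keywords are case-insensitive, the first occurrence of a keyword wins (a later duplicate is silently ignored), and anything after a Match line applies only inside that block. Current OpenSSH servers only speak protocol 2 and ignore the Protocol directive, so that check matters only on old installations. The following Python audit script is an added example, not part of this page or of OpenSSH; the two configs it checks are constructed samples.

```python
"""Audit the global section of an sshd_config for the settings above.

Added example (not from the page or the OpenSSH project). sshd_config rules
that matter for an audit:
  * keywords are case-insensitive;
  * for each keyword the FIRST value wins, later duplicates are ignored;
  * lines after a Match directive only apply inside that Match block, so a
    global audit stops reading at the first Match.
"""
from typing import Dict, List


def parse_global_directives(text: str) -> Dict[str, str]:
    """Return {keyword (lowercase): first value} for the global section."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if "=" in key:                       # sshd also accepts "Key=value"
            key, inline_value = key.split("=", 1)
            value = (inline_value + " " + value).strip()
        key = key.lower()
        if key == "match":
            break                            # everything below is conditional
        directives.setdefault(key, value)    # first occurrence wins
    return directives


def audit_sshd_config(text: str) -> List[str]:
    """Return findings for the settings on this page; [] means all pass."""
    d = parse_global_directives(text)
    findings: List[str] = []

    # Absent means the OpenSSH default, prohibit-password since 7.0,
    # which still lets root in with a key.
    root = d.get("permitrootlogin", "prohibit-password")
    if root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}', expected 'no'")

    if not d.get("allowusers"):
        findings.append("AllowUsers not set: every account may log in")

    # Only meaningful on old servers; current OpenSSH ignores Protocol.
    proto = d.get("protocol")
    if proto is not None and proto.strip() != "2":
        findings.append(f"Protocol is '{proto}', expected '2'")
    return findings


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
Port 22
# the first PermitRootLogin wins; sshd ignores the later 'no'
PermitRootLogin yes
PermitRootLogin no
Protocol 2,1
Match User deploy
    PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowUsers alice bob
Protocol 2
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

After editing the real file, `sshd -t` checks the syntax before the restart above, and `sshd -T` prints the effective configuration as sshd resolved it, which is the authoritative answer when the file has duplicates or Match blocks.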

$ ssh-keygen -f server_ca
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in server_ca.
Your public key has been saved in server_ca.pub.
The key fingerprint is:
SHA256:IRk7bvTPw7wkFXWVY8BoxxRpedhQ2rUqeBTX2B8V7AU hatterjiang@HatterJiangs-MacBook-Pro.local
The key's randomart image is:
+---[RSA 2048]----+
|      .    .**E=B|
|       +   +o@o@+|
|      * . o.o.+o=|
|     o + .o.  ...|
|      o S..o .   |
|     .   *. .    |
|        . B      |
|         o o     |
|          .      |
+----[SHA256]-----+

$ ls -l
total 16
-rw-------  1 hatterjiang  staff  1675 Jul  8 03:12 server_ca
-rw-r--r--  1 hatterjiang  staff   424 Jul  8 03:12 server_ca.pub


$ ssh-keygen -s server_ca -I host_auth_server -h -n test.example.com -V +52w user_key.pub 
Signed host key user_key-cert.pub: id "host_auth_server" serial 0 for test.example.com valid from 2016-07-08T03:14:00 to 2017-07-07T03:14:59

$ ls -l
total 40
-rw-------  1 hatterjiang  staff  1675 Jul  8 03:12 server_ca
-rw-r--r--  1 hatterjiang  staff   424 Jul  8 03:12 server_ca.pub
-rw-------  1 hatterjiang  staff  1679 Jul  8 03:14 user_key
-rw-r--r--  1 hatterjiang  staff  1377 Jul  8 03:14 user_key-cert.pub
-rw-r--r--  1 hatterjiang  staff   424 Jul  8 03:14 user_key.pub
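The certificate written by `ssh-keygen -s` above can be inspected with `ssh-keygen -L -f user_key-cert.pub`, which prints the key id, serial, principals and validity window. As an added example (not from this page or from OpenSSH), the Python below decodes the same fields directly from the `-cert.pub` line, following the field order in OpenSSH's PROTOCOL.certkeys, and checks a host name against the principal list and validity window. It does not verify the CA signature; ssh and sshd do that. The sample certificate it builds is constructed with dummy key material and a dummy signature so the code runs offline; the key id, principal and validity window mirror the signing command above.

```python
"""Decode an OpenSSH certificate (*-cert.pub from `ssh-keygen -s`) offline.

Added example, not OpenSSH code. Field layout follows PROTOCOL.certkeys.
The CA signature is NOT verified here.
"""
import base64
import calendar
import struct
from typing import Dict, List, Tuple

# Number of string-encoded public-key fields after the nonce, per cert type.
KEY_FIELDS = {
    "ssh-rsa-cert-v01@openssh.com": 2,               # mpint e, mpint n
    "ssh-ed25519-cert-v01@openssh.com": 1,           # string pk
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,   # string curve, string Q
}
CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _read_u32(buf: bytes, off: int) -> Tuple[int, int]:
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _read_u64(buf: bytes, off: int) -> Tuple[int, int]:
    return struct.unpack_from(">Q", buf, off)[0], off + 8


def parse_certificate(line: str) -> Dict:
    """Parse one '<type> <base64> [comment]' line of a -cert.pub file."""
    cert_type, b64 = line.split()[:2]
    if cert_type not in KEY_FIELDS:
        raise ValueError(f"unsupported certificate type {cert_type}")
    buf = base64.b64decode(b64)
    inner_type, off = _read_string(buf, 0)
    if inner_type.decode() != cert_type:
        raise ValueError("type prefix does not match encoded type")
    _nonce, off = _read_string(buf, off)
    for _ in range(KEY_FIELDS[cert_type]):
        _, off = _read_string(buf, off)          # public key material, skipped
    serial, off = _read_u64(buf, off)
    ctype, off = _read_u32(buf, off)
    key_id, off = _read_string(buf, off)
    principals_blob, off = _read_string(buf, off)
    valid_after, off = _read_u64(buf, off)
    valid_before, off = _read_u64(buf, off)
    # The principals field is itself a packed list of strings.
    principals: List[str] = []
    p = 0
    while p < len(principals_blob):
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    return {
        "type": "host" if ctype == CERT_TYPE_HOST else "user",
        "serial": serial,
        "key_id": key_id.decode(),
        "principals": principals,
        "valid_after": valid_after,
        "valid_before": valid_before,
    }


def is_valid_for(cert: Dict, principal: str, now: int) -> bool:
    """True if `now` (epoch seconds) is inside the window and `principal` is
    listed. PROTOCOL.certkeys makes an empty principal list mean 'any'."""
    in_window = cert["valid_after"] <= now < cert["valid_before"]
    return in_window and (not cert["principals"] or principal in cert["principals"])


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample_certificate() -> str:
    """Constructed ed25519 host certificate with dummy key and signature bytes.
    It would not verify against any CA; it only exercises the parser."""
    ctype = b"ssh-ed25519-cert-v01@openssh.com"
    principals = _string(b"test.example.com")
    body = (
        _string(ctype)
        + _string(b"\x00" * 32)                              # nonce
        + _string(b"\x11" * 32)                              # dummy public key
        + struct.pack(">Q", 0)                               # serial 0
        + struct.pack(">I", CERT_TYPE_HOST)
        + _string(b"host_auth_server")                       # key id
        + _string(principals)
        + struct.pack(">Q", calendar.timegm((2016, 7, 8, 3, 14, 0)))   # valid after
        + struct.pack(">Q", calendar.timegm((2017, 7, 7, 3, 14, 59)))  # valid before
        + _string(b"") + _string(b"") + _string(b"")         # options, extensions, reserved
        + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))  # CA public key (dummy)
        + _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64))  # signature (dummy)
    )
    return ctype.decode() + " " + base64.b64encode(body).decode() + " host_auth_server"


if __name__ == "__main__":
    cert = parse_certificate(build_sample_certificate())
    print(cert)
    print(is_valid_for(cert, "test.example.com", cert["valid_after"]))
```

To deploy a host certificate, point sshd at it with `HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub` next to the matching `HostKey`, and have clients trust the CA with a known_hosts line of the form `@cert-authority *.example.com <contents of server_ca.pub>`. Note that the session above signs a key file named user_key with `-h`, so the result is a host certificate (as the "Signed host key" output says) despite the file name.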

OpenSSH 8.2, released on 2020-02-14, added support for FIDO/U2F authenticators.

Linux releases that ship OpenSSH 8.2:

  • Ubuntu 20.04

Simple SSH server with FIDO/U2F support: https://git.hatter.ink/hatter/simple-ssh-server. Login sample:

$ ssh -p 2222 root@hatter.ink
Confirm user presence for key ECDSA-SK SHA256:+1wf4m+3FrZz5N9uvq4JkeCw69n2G3h6V7ymHC6GLlc
User presence confirmed
,   .     .                     .                                    
| . |     |                     |                                    
| ) ) ,-. | ,-. ,-. ;-.-. ,-.   |-  ,-.                              
|/|/  |-' | |   | | | | | |-'   |   | |                              
' '   `-' ' `-' `-' ' ' ' `-'   `-' `-'                              

          .  .     .   .                   ,-.                      
    `.    |  |     |   |           '       (   `                     
---   >   |--| ,-: |-  |-  ,-. ;-.   ,-.    `-.  ,-. ;-. . , ,-. ;-. 
    ,'    |  | | | |   |   |-' |     `-.   .   ) |-' |   |/  |-' |   
          '  ' `-` `-' `-' `-' '     `-'    `-'  `-' '   '   `-' '   

[root@hatter simple-ssh-server]# 

  1. https://github.com/cloudtools/ssh-cert-authority - ssh-cert-authority
  2. https://github.com/cloudtools/ssh-ca - ssh-ca
  3. https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu - How To Create an SSH CA to Validate Hosts and Clients with Ubuntu
  4. https://ef.gy/hardening-ssh - How to Harden SSH with Identities and Certificates
  5. https://ubuntu.com/blog/enhanced-ssh-and-fido-authentication-in-ubuntu-20-04-lts - Enhanced SSH and FIDO authentication in Ubuntu 20.04 LTS
  6. https://wiki.centos.org/HowTos/Network/SecuringSSH - Securing OpenSSH
  7. https://iximiuz.com/en/posts/ssh-tunnels/ - A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding