Difference between revisions of "SSH"
Revision as of 17:24, 6 February 2016
Warning: These instructions were only tested on Debian. They will probably work for other Linux distributions, but you might need to adapt them.
Warning: This page is a work in progress and is not complete. Important information might be missing or wrong.
Server
Install
# apt install openssh-server
Configure
Generate server keys
# cd /etc/ssh
# rm ssh_host_*key*
# ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""
# ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""
Modify file /etc/ssh/sshd_config
and make sure that the only lines to contains HostKey are:
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
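As an added check (example code written for this page, not part of OpenSSH or of the Debian packaging), the following Python script parses an sshd_config and reports any deviation from the two HostKey lines above. It assumes the key paths given above and a constructed sample config embedded in the script; pass the path of a real file as the first argument to check it instead. Note that a config with no active HostKey line is not "no keys" but "the built-in defaults", which silently brings back the key types you just deleted.

```python
"""Check that sshd_config loads exactly the host keys generated above.
Added example for this page, not code from OpenSSH."""
import re

# The two keys generated in "Generate server keys" (assumed paths).
EXPECTED_HOST_KEYS = [
    "/etc/ssh/ssh_host_ed25519_key",
    "/etc/ssh/ssh_host_rsa_key",
]

# sshd accepts "Keyword value" as well as "Keyword=value".
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def active_host_keys(config_text):
    """Return the HostKey paths sshd would actually load, in file order.
    Blank and '#' comment lines are skipped, keywords are case-insensitive,
    and HostKey is not permitted inside a Match block."""
    keys, in_match = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            in_match = True
        elif keyword == "hostkey":
            if in_match:
                raise ValueError("HostKey is not allowed inside a Match block: " + raw)
            keys.append(arg)
    return keys


def check_host_keys(config_text, expected=EXPECTED_HOST_KEYS):
    """Return a list of problems; an empty list means the config is as intended."""
    found = active_host_keys(config_text)
    problems = []
    if not found:
        # With no HostKey line at all, sshd falls back to its built-in
        # default list, which re-enables key types you meant to remove.
        problems.append("no active HostKey lines: sshd will use its built-in default key list")
    for path in found:
        if path not in expected:
            problems.append("unexpected HostKey " + path)
    for path in expected:
        if path not in found:
            problems.append("missing HostKey " + path)
    return problems


# Constructed sample: a Debian-style sshd_config after editing, with the
# DSA/ECDSA lines commented out rather than deleted.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
PermitRootLogin no
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    problems = check_host_keys(text)
    for p in problems:
        print("PROBLEM:", p)
    print("ok" if not problems else f"{len(problems)} problem(s)")
```

Run it as root with /etc/ssh/sshd_config as the argument before restarting the daemon; an empty problem list means only the Ed25519 and RSA keys will be offered.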
Publish server keys
It is possible to publish the fingerprints of your SSH server keys as SSHFP records in DNS. A client can then check the key it is offered on first connection against those records instead of trusting it blindly.
To get the records to publish in your DNS zone, run
$ cd /etc/ssh
$ ssh-keygen -r $(hostname)
myserver.example.com IN SSHFP 1 1 1c47eee032179719595c8461adba051d4a00dc8f
myserver.example.com IN SSHFP 1 2 7371839b62ce52ede97a9598eea0f253e1d58f88f45a8a40e05c34a846dc2e81
myserver.example.com IN SSHFP 4 1 80aae333ad47851f788d3d9bddd87e489f8c18f8
myserver.example.com IN SSHFP 4 2 5d0511b19fcd0c2793eeda983f0a8ee70cc4868b98b6d2e67f3b97df8e480762
Once published (algorithm 1 is RSA and 4 is Ed25519; fingerprint type 1 is SHA-1 and 2 is SHA-256), check your records with
$ dig +short -t SSHFP myserver.example.com | sort
1 1 1C47EEE032179719595C8461ADBA051D4A00DC8F
1 2 7371839B62CE52EDE97A9598EEA0F253E1D58F88F45A8A40E05C34A8 46DC2E81
4 1 80AAE333AD47851F788D3D9BDDD87E489F8C18F8
4 2 5D0511B19FCD0C2793EEDA983F0A8EE70CC4868B98B6D2E67F3B97DF 8E480762
The uppercase hex and the space that dig inserts into the longer digests are only presentation; the values must match those printed by ssh-keygen. Now you can configure your client to use your published keys.
Restart
Restarting the SSH server while connected through SSH is usually safe: existing sessions keep running in their own processes. However, take some precautions to avoid being locked out of your server. Validate the configuration first with sshd -t, which reports errors without restarting anything, and do the restart from a stable internet connection: if the server fails to come back, you don't want your active SSH connection to drop while you fix the issue.
# systemctl restart ssh
If you are connected through SSH, test that the server restarted correctly by opening a second connection
$ ssh -o "ControlMaster=yes" myserver.example.com
The -o "ControlMaster=yes" option prevents the SSH client from reusing your active connection if you have multiplexing enabled (-o ControlPath=none has the same effect); without it the new session may ride over the old TCP connection and prove nothing about the restarted daemon.
Fail2ban
Fail2ban configuration for SSH is active by default in Debian. However, if you changed the listening port of your server (the Port setting in sshd_config), you must reflect that in fail2ban, otherwise the bans it issues block the wrong port. To do so, create file /etc/fail2ban/jail.d/sshd.conf with the following content
[sshd]
enabled = true
port = 2200 ; <= Set the port here
Client
Install
# apt install openssh-client
Configure
For more information, see Secure Secure Shell by stribika.
Generate user keys
This needs to be run by every user. It is strongly recommended to set a passphrase on your keys: a passphrase-less key file is as secure as a post-it on the wall with your password. If a script needs unattended access to another machine, create dedicated accounts and keys for that use.
$ ssh-keygen -t ed25519 -o -a 100
$ ssh-keygen -t rsa -b 4096 -o -a 100
Verify published server key
Make sure your server has some published keys.
Edit file /etc/ssh/ssh_config (or ~/.ssh/config for a single user) and add the line
VerifyHostKeyDNS yes
With this setting the client looks up the SSHFP records of the host and compares them with the key it is offered. It silently trusts a matching record only when the DNS answer was validated with DNSSEC; a match from an unsigned zone is handled as if the option were set to ask, so you still get the usual first-connection prompt, now stating whether a matching fingerprint was found in DNS. Running ssh with -v shows whether the client considered the fingerprints it found secure or insecure.
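As an added example for the "Publish server keys" and "Verify published server key" sections (written for this page; not code from OpenSSH or from ssh-keygen), the following Python script computes the SSHFP records for a public key line the way ssh-keygen -r does and checks a dig +short -t SSHFP answer against the key, which is the comparison the client performs for VerifyHostKeyDNS. The key line is constructed (its 32-byte Ed25519 point is a counter, not a real key), and the DNSSEC validation that decides whether a match may be trusted is outside this script.

```python
"""SSHFP records: compute them from an OpenSSH public key line, as
`ssh-keygen -r` does, and check a `dig +short -t SSHFP` answer against a
key. Added example for this page, not code from OpenSSH."""
import base64
import hashlib

# RFC 4255 / RFC 6594 / RFC 7479 algorithm numbers, keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: 1 = SHA-1, 2 = SHA-256, both taken over the raw key blob.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(hostname, pubkey_line):
    """Return (hostname, algorithm, fptype, hexdigest) for each fingerprint
    type, computed over the binary blob that the base64 field encodes."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("unsupported key type " + keytype)
    blob = base64.b64decode(b64, validate=True)
    # The wire-format blob starts with a length-prefixed copy of the key
    # type, so a mismatch means the line was edited or mis-pasted.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key blob does not match the declared key type")
    alg = SSHFP_ALGORITHM[keytype]
    return [(hostname, alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASH.items())]


def format_record(record):
    """Render one record in the form ssh-keygen -r prints."""
    hostname, alg, fptype, digest = record
    return f"{hostname} IN SSHFP {alg} {fptype} {digest}"


def parse_dig_short(output):
    """Parse `dig +short -t SSHFP` output into {(alg, fptype, lowercase hex)}.
    dig prints the digest in upper case and may split it into chunks."""
    published = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        published.add((int(parts[0]), int(parts[1]), "".join(parts[2:]).lower()))
    return published


def key_matches_dns(pubkey_line, dig_output, fptype=2):
    """True when DNS holds a record matching this key's fingerprint of the
    given type. This is the comparison VerifyHostKeyDNS makes; the client
    trusts the match only if the answer was DNSSEC-validated, which this
    function does not and cannot check."""
    published = parse_dig_short(dig_output)
    return any((alg, ft, digest) in published
               for _, alg, ft, digest in sshfp_records("", pubkey_line)
               if ft == fptype)


def constructed_ed25519_pubkey():
    """A syntactically valid ssh-ed25519 public key line, constructed for
    this example: the 32-byte point is 0x00..0x1f, not a real key."""
    keytype, point = b"ssh-ed25519", bytes(range(32))
    blob = (len(keytype).to_bytes(4, "big") + keytype
            + len(point).to_bytes(4, "big") + point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example@myserver"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey()
    records = sshfp_records("myserver.example.com", key)
    for r in records:
        print(format_record(r))
    # Simulate the dig answer once these records are published.
    answer = "\n".join(f"{alg} {ft} {digest.upper()}" for _, alg, ft, digest in records)
    print("match:", key_matches_dns(key, answer))
```

To check a live host, feed the contents of /etc/ssh/ssh_host_ed25519_key.pub to sshfp_records and the output of the dig command above to key_matches_dns; a mismatch means the published record is stale or belongs to a different key, and the client will fall back to prompting.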