Setting up SSHD

Authorized Keys

workstation

cat ~/.ssh/id_ed25519.pub

target server

mkdir ~/.ssh/
chmod 700 ~/.ssh/
vi ~/.ssh/authorized_keys

(paste your pub key)

chmod 600 ~/.ssh/authorized_keys
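The steps above as one idempotent helper, added here as an example (not the page's own script): it creates ~/.ssh with the modes StrictModes expects, refuses anything that does not look like a key line, and does not append a key that is already present (compared on type and key blob, so a different comment does not create a duplicate). The home directory, key line and the sample key in the usage comment are constructed for the demo.

```shell
#!/bin/sh
# Added example: install a public key into a user's authorized_keys
# idempotently, with the permissions StrictModes requires (700 on ~/.ssh,
# 600 on the file). $1 is the target home directory, $2 the public key
# line exactly as printed by "cat ~/.ssh/id_ed25519.pub" on the workstation.

install_authorized_key() {
    home="$1"
    key="$2"
    sshdir="$home/.ssh"
    akfile="$sshdir/authorized_keys"

    # only accept something that looks like a key line; a copied shell
    # prompt or an empty paste would otherwise silently land in the file
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-*|"sk-ssh-ed25519@openssh.com "*) ;;
        *) echo "refusing to install non-key line: $key" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$akfile" ] || : > "$akfile"
    chmod 600 "$akfile"

    # compare on key type and base64 blob only, so a different comment
    # field does not produce a second entry for the same key
    keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$akfile" | grep -qxF -- "$keyid"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$akfile"
}

# number of key lines in a home's authorized_keys (0 when the file is absent)
count_authorized_keys() {
    akfile="$1/.ssh/authorized_keys"
    [ -f "$akfile" ] || { echo 0; return 0; }
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$akfile"
}

# usage (constructed sample key, not a real one; demo home directory):
# install_authorized_key /home/alice 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal000000000000 alice@workstation'
```

Run it as the target user (or with the user's home as $1 and fix ownership afterwards); with StrictModes yes, sshd ignores authorized_keys when the directory or file is group/world writable, which is the usual reason a freshly pasted key "does not work".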

Requirement

Ubuntu/Debian (Slackware and the BSDs already have a wheel group)

groupadd wheel
usermod -aG wheel root
usermod -aG wheel ADMIN-USER
id root
id ADMIN-USER
grep ^wheel /etc/group

or, in case you need to provide SSH to non-superusers, on NetBSD (no -a needed with usermod -G there),

useradd -D -s /bin/ksh
useradd -m -g users NON-SUPERUSER
groupadd ssh
usermod -G ssh root
usermod -G ssh NON-SUPERUSER

Setup

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub > /etc/ssh/ssh_host_ed25519_key.pub.sha256
cat /etc/ssh/ssh_host_ed25519_key.pub
cat /etc/ssh/ssh_host_ed25519_key.pub.sha256

mv -i /etc/ssh/sshd_config /etc/ssh/sshd_config.dist
grep -vE '^[[:space:]]*(#|$)' /etc/ssh/sshd_config.dist > /etc/ssh/sshd_config
cat >> /etc/ssh/sshd_config <<-EOF

AddressFamily inet
#ListenAddress x.x.x.x
#AllowUsers root@CLIENT-IP gollum@CLIENT2 *@CIDR
Protocol 2
Port 2222
AllowGroups wheel
#AllowGroups ssh
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
ChallengeResponseAuthentication no
UsePam no
UseDNS no
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no
UsePrivilegeSeparation sandbox
EOF
vi /etc/ssh/sshd_config

check

sshd -t
echo $?
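Why the vi pass over the merged file matters: sshd takes the first value it reads for a keyword, so any uncommented directive kept from the distribution file (Debian ships e.g. UsePAM yes and X11Forwarding yes uncommented) silently wins over the hardened value appended after it, even though sshd -t reports no error. The helpers below, an added example rather than the page's own code, report such duplicates, show the value sshd would actually use, and rewrite the file so the later (appended) value survives. Keywords that legitimately repeat (Port, HostKey, ListenAddress, AcceptEnv) are left alone, and Match blocks are not touched. The sample config in the usage is constructed for the demo.

```shell
#!/bin/sh
# Added example: find and resolve duplicate keywords in an sshd_config.
# sshd applies the FIRST occurrence of a keyword, so directives appended
# after a stripped distribution config lose to any uncommented copy above.
# Assumes POSIX sh and awk; $1 is the config file to inspect or rewrite.

# keywords sshd accumulates rather than overrides; never treated as duplicates
MULTI_KEYWORDS="port hostkey listenaddress acceptenv"

# print "keyword first_value last_value" for every keyword set more than once
sshd_config_duplicates() {
    awk -v multi="$MULTI_KEYWORDS" '
        BEGIN { split(multi, a); for (i in a) skip[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { next }
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }      # Match blocks scope their own keywords
        {
            key = tolower($1)
            if (key in skip) next
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # leave only the value
            n[key]++
            if (n[key] == 1) first[key] = $0
            last[key] = $0
        }
        END { for (k in n) if (n[k] > 1) print k, first[k], last[k] }
    ' "$1" | sort
}

# the value sshd would use for keyword $2: the first occurrence in $1
sshd_config_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
        tolower($1) == want { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# rewrite $1 in place so only the LAST occurrence of a duplicated keyword
# survives, i.e. the hardened values appended by the recipe win; reads the
# file twice (first pass records positions, second pass filters)
sshd_config_dedupe() {
    awk -v multi="$MULTI_KEYWORDS" '
        BEGIN { split(multi, a); for (i in a) skip[a[i]] = 1 }
        NR == FNR {
            if (/^[[:space:]]*[Mm]atch[[:space:]]/) inmatch1 = 1
            if (!inmatch1 && !/^[[:space:]]*#/ && NF > 0 && !(tolower($1) in skip))
                last[tolower($1)] = FNR
            next
        }
        /^[[:space:]]*[Mm]atch[[:space:]]/ { inmatch2 = 1 }
        inmatch2 || /^[[:space:]]*#/ || NF == 0 || (tolower($1) in skip) || last[tolower($1)] == FNR { print }
    ' "$1" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# usage on a real host (after the recipe, before restarting sshd):
# sshd_config_duplicates /etc/ssh/sshd_config
# sshd_config_dedupe /etc/ssh/sshd_config && sshd -t
```

Two things the helpers do not see: an Include line (newer Debian/Ubuntu start sshd_config with Include /etc/ssh/sshd_config.d/*.conf, and files dropped there also come first), and Match blocks. The authoritative check is therefore sshd -T, which prints the effective configuration after all of that: sshd -T | grep -i passwordauthentication should say no before the daemon is restarted.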

not on Slackware (its OpenSSH is built without PAM, so comment it out)

#UsePam no

deprecated on NetBSD, Debian and Ubuntu (remove these)

RSAAuthentication
UsePrivilegeSeparation

deprecated on RHEL7 and Slackware 14.2 (remove this)

RSAAuthentication

Operations

NetBSD

tail -F /var/log/authlog
vi /etc/rc.conf

sshd=yes

service sshd restart
netstat -an -f inet,inet6

Debian / Ubuntu Server

tail -n0 -F /var/log/*
systemctl status ssh
#systemctl enable ssh
systemctl restart ssh
netstat -lntupe

RHEL7

systemctl restart sshd

Fail-Over

Create a failover config with a different Port and PidFile,

cp -pi sshd_config sshd_config.failover
vi sshd_config.failover

Port ALT_PORT
PidFile /var/run/sshd.failover.pid

Start the daemon,

ls -lhF /var/run/sshd*
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover
ps aux | grep failover
netstat -antupe --inet --inet6 | grep ALT_PORT

and enable it at startup (rc.local still works on CentOS7),

cd /etc/
cp -pi rc.local rc.local.dist
vi rc.local

echo -n starting a failover ssh daemon...
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover && echo done

#no need to make it executable
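The copy-and-edit step above, automated as an added example (not the page's own script). The one pitfall it guards against: Port is cumulative in sshd, so if the failover file keeps the primary's Port line and merely gains Port ALT_PORT, the second daemon tries to bind the primary port as well. The helper therefore replaces the first Port line, drops any further ones and any inherited PidFile, then appends its own PidFile; the check function confirms exactly one Port with the expected value. Paths, the alternate port and the sample config are constructed for the demo.

```shell
#!/bin/sh
# Added example: derive sshd_config.failover from the primary sshd_config.
# Assumes POSIX sh and awk; $1 source config, $2 destination, $3 ALT_PORT,
# optional $4 PidFile (defaults to the page's /var/run/sshd.failover.pid).

make_failover_config() {
    src="$1"; dst="$2"; altport="$3"; pidfile="${4:-/var/run/sshd.failover.pid}"
    awk -v port="$altport" -v pidfile="$pidfile" '
        # first uncommented Port line becomes ALT_PORT, any further ones are dropped:
        # sshd listens on every Port given, so a leftover line would clash with the primary
        tolower($1) == "port"    { if (!done) { print "Port " port; done = 1 }; next }
        tolower($1) == "pidfile" { next }    # the failover daemon gets its own PID file
        { print }
        END { print "PidFile " pidfile }
    ' "$src" > "$dst"
}

# true when $1 carries exactly one Port directive equal to $2 and a PidFile line
failover_config_ok() {
    cfg="$1"; altport="$2"
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$cfg")
    [ "$ports" = "$altport" ] && grep -qi '^pidfile ' "$cfg"
}

# usage on a real host (ALT_PORT is a placeholder for the port you choose):
# make_failover_config /etc/ssh/sshd_config /etc/ssh/sshd_config.failover ALT_PORT
# failover_config_ok /etc/ssh/sshd_config.failover ALT_PORT && sshd -t -f /etc/ssh/sshd_config.failover
```

sshd -t accepts -f, so the generated file can be validated the same way as the main one before it is started from rc.local.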

Miscellaneous

Allow ALT_PORT through the host firewall (CentOS7+ firewalld example; --permanent only writes the saved rules, so also run it without --permanent or firewall-cmd --reload for the running ruleset),

firewall-cmd --zone=public --add-port=ALT_PORT/tcp --permanent

Resources

Using Ed25519 for OpenSSH keys (instead of DSA/RSA/ECDSA) https://linux-audit.com/using-ed25519-openssh-keys-instead-of-dsa-rsa-ecdsa/

sshd_config - SSH Server Configuration https://www.ssh.com/ssh/sshd_config/

Limit SSH access to specific clients by IP address https://unix.stackexchange.com/questions/406245/limit-ssh-access-to-specific-clients-by-ip-address

