Setting up SSHD

Authorized Keys

workstation

cat ~/.ssh/id_ed25519.pub

target server

mkdir ~/.ssh/
chmod 700 ~/.ssh/
vi ~/.ssh/authorized_keys

(paste your pub key)

chmod 600 ~/.ssh/authorized_keys

Requirement

ubuntu/debian (you’re good already with slackware and bsds)

grep ^wheel /etc/group
groupadd wheel
usermod -aG wheel root
#usermod -aG wheel ADMIN-USER

Setup

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub > /etc/ssh/ssh_host_ed25519_key.pub.sha256
cat /etc/ssh/ssh_host_ed25519_key.pub
cat /etc/ssh/ssh_host_ed25519_key.pub.sha256

warning – openssh-8.7p1-x86_64-1 switches to

#ChallengeResponseAuthentication no
KbdInteractiveAuthentication no

we prefer AES over CHACHA20 as it has hardware acceleration

mv -i /etc/ssh/sshd_config /etc/ssh/sshd_config.dist
grep -vE '^[[:space:]]*(#|$)' /etc/ssh/sshd_config.dist > /etc/ssh/sshd_config.clean
grep -vE '^[[:space:]]*(#|$)' /etc/ssh/sshd_config.dist > /etc/ssh/sshd_config
ls -lF /usr/lib/openssh/sftp-server # ubuntu
ls -lF /usr/libexec/sftp-server # netbsd slackware freebsd
ls -lF /lib/ssh/sftp-server # sabotage
vi /etc/ssh/sshd_config

AllowGroups wheel
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys
HostKey /etc/ssh/ssh_host_ed25519_key
KbdInteractiveAuthentication no
MaxAuthTries 3
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
Port 2222
PrintMotd no
Protocol 2
StrictModes yes
UseDNS no
UsePAM no
X11Forwarding no

# debian
Subsystem   sftp /usr/lib/openssh/sftp-server

# slackware
Subsystem   sftp /usr/libexec/sftp-server

# sabotage linux
Subsystem   sftp /lib/ssh/sftp-server

not setting maximum auth attemps to 1 because clients usually try a bunch of keys by default.

some alternatives

#AllowGroups root
#AllowUsers root ADMIN

moar on crypto

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
#KexAlgorithms ...
#MAC ...

more options

#AddressFamily inet
#ListenAddress x.x.x.x
#AllowUsers root@CLIENT-IP gollum@CLIENT2 *@CIDR

check

sshd -t && echo OK || echo NOK

Debian/Ubuntu and Sabotage defaults have

AcceptEnv LANG LC_*

deprecated on netbsd, debian, ubuntu/bionic and slackware-current (v8.3p1)

#UsePrivilegeSeparation sandbox

deprecated on rhel7 and slackware142

#RSAAuthentication

Versions & Algos

ssh -V
    ssh -Q HostbasedAcceptedAlgorithms
ssh -Q KexAlgorithms
    ssh -Q cipher
    ssh -Q mac

Ubuntu/focal has

OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

FreeBSD 13.0 has

OpenSSH_7.9p1, OpenSSL 1.1.1h-freebsd  22 Sep 2020

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

Benchmarks

    for i in `ssh -Q cipher`; do
            dd if=/dev/zero bs=1M count=100 2> /dev/null \
    | ssh -c $i localhost -p 2222 "(time -p cat) > /dev/null" 2>&1 | grep real \
    | awk '{print "'$i': "100 / $2" MB/s" }'
    done; unset i

e.g. on xc we obtain those results

aes128-ctr: 128.205 MB/s
aes192-ctr: 119.048 MB/s
aes256-ctr: 119.048 MB/s
aes128-gcm@openssh.com: 123.457 MB/s
aes256-gcm@openssh.com: 114.943 MB/s
chacha20-poly1305@openssh.com: 74.6269 MB/s

Operations

Slackware

tail -F /var/log/messages
ls -lhF /etc/rc.d/rc.sshd # executable
/etc/rc.d/rc.sshd restart

NetBSD

tail -F /var/log/authlog
vi /etc/rc.conf

sshd=yes

service sshd restart
netstat -an -f inet,inet6

Debian / Ubuntu Server

tail -n0 -F /var/log/*
systemctl status ssh
#systemctl enable ssh
systemctl restart ssh
netstat -lntupe

RHEL7

systemctl restart sshd

Acceptance

nmap --script ssh2-enum-algos -sV -p 22 TARGET-SERVER

Fail-Over

create a failover config with other PORT and PID

cp -pi sshd_config sshd_config_failover
vi sshd_config_failover

Port ALT_PORT
PidFile /var/run/sshd_failover.pid

start the daemon

ls -lF /var/run/sshd*
/usr/sbin/sshd -f /etc/ssh/sshd_config_failover
ps auxfw | grep sshd
netstat -antupe --inet --inet6 | grep ALT_PORT

and enable it at startup (rc.local still works on CentOS7)

cd /etc/
cp -pi rc.local rc.local.dist
vi rc.local

echo -n starting a failover ssh daemon...
/usr/sbin/sshd -f /etc/ssh/sshd_config_failover && echo done

# no need to make it executable

Miscellaneous

For an SCP only or chroot setup, see scponly.

Open ALT_PORT to listen on the network interface (CentOS7+ example),

firewall-cmd --zone=public --add-port=ALT_PORT/tcp --permanent

Resources

Using Ed25519 for OpenSSH keys (instead of DSA/RSA/ECDSA) https://linux-audit.com/using-ed25519-openssh-keys-instead-of-dsa-rsa-ecdsa/

sshd_config - SSH Server Configuration https://www.ssh.com/ssh/sshd_config/

Limit SSH access to specific clients by IP address https://unix.stackexchange.com/questions/406245/limit-ssh-access-to-specific-clients-by-ip-address

Specifying an IdentityFile with SSH https://unix.stackexchange.com/questions/494483/specifying-an-identityfile-with-ssh

The Secure Shell (SSH) Frequently Asked Questions https://web.archive.org/web/20170213004928/http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html


HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | HTML5 | CONTACT
Copyright © 2024 Pierre-Philipp Braun