Setting up SSHD

Authorized Keys

workstation

cat ~/.ssh/id_ed25519.pub

target server

mkdir ~/.ssh/
chmod 700 ~/.ssh/
vi ~/.ssh/authorized_keys

(paste your pub key)

chmod 600 ~/.ssh/authorized_keys

Requirement

ubuntu/debian (Slackware and the BSDs already ship a wheel group)

grep ^wheel /etc/group
groupadd wheel
usermod -aG wheel root
#usermod -aG wheel ADMIN-USER

Setup

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub > /etc/ssh/ssh_host_ed25519_key.pub.sha256
cat /etc/ssh/ssh_host_ed25519_key.pub
cat /etc/ssh/ssh_host_ed25519_key.pub.sha256

mv -i /etc/ssh/sshd_config /etc/ssh/sshd_config.dist
grep -vE '^[[:space:]]*(#|$)' /etc/ssh/sshd_config.dist > /etc/ssh/sshd_config
vi /etc/ssh/sshd_config

AuthorizedKeysFile  .ssh/authorized_keys
Subsystem   sftp    /usr/libexec/sftp-server

AddressFamily inet
#ListenAddress x.x.x.x
Protocol 2
Port 2222
AllowGroups wheel
#AllowGroups root
#AllowUsers root@CLIENT-IP gollum@CLIENT2 *@CIDR
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
ChallengeResponseAuthentication no
UsePAM no
UseDNS no
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no

check

sshd -t && echo OK || echo NOK
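As an added check, not part of the original guide: once sshd -t accepts the syntax, compare the effective settings that sshd -T prints (lowercase keys) with the hardening values chosen above. The function and the two constructed sample dumps below are mine, and the expected set plus the without-password/prohibit-password aliasing are assumptions about the OpenSSH version in use.

```shell
#!/bin/sh
# Added example (not from the guide): after `sshd -t` passes, compare the
# EFFECTIVE settings printed by `sshd -T` (lowercase keys) with the hardening
# values above. On a real host:  sshd -T > dump && check_sshd_hardening dump

# Expected "key value" pairs, spelled the way sshd -T prints them (assumption).
EXPECTED='port 2222
allowgroups wheel
permitrootlogin prohibit-password
passwordauthentication no
permitemptypasswords no
x11forwarding no
usepam no
usedns no
strictmodes yes'

# check_sshd_hardening DUMPFILE: print one line per deviation, return 1 if any.
check_sshd_hardening() {
    dump=$1 fail=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(awk -v k="$key" '$1 == k { print $2; exit }' "$dump")
        # older sshd prints the legacy alias of prohibit-password; treat as equal
        case "$key:$got" in permitrootlogin:without-password) got=prohibit-password ;; esac
        if [ "$got" != "$want" ]; then
            echo "DEVIATION $key: want '$want', got '${got:-<unset>}'"
            fail=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$fail"
}

# Constructed sample dumps for a self-contained run (not real sshd -T output).
HARDENED=$(mktemp) DEFAULT=$(mktemp)
printf '%s\n' 'port 2222' 'allowgroups wheel' 'permitrootlogin without-password' \
    'passwordauthentication no' 'permitemptypasswords no' 'x11forwarding no' \
    'usepam no' 'usedns no' 'strictmodes yes' > "$HARDENED"
# Resembles a stock Debian/Ubuntu server: password logins, PAM, port 22.
printf '%s\n' 'port 22' 'permitrootlogin prohibit-password' \
    'passwordauthentication yes' 'usepam yes' 'x11forwarding yes' > "$DEFAULT"

check_sshd_hardening "$HARDENED" && echo "hardened dump: OK"
check_sshd_hardening "$DEFAULT"  || echo "stock dump: NOT hardened"
```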

Slackware default is UsePAM no already

Debian/Ubuntu and Sabotage defaults also have

AcceptEnv LANG LC_*

deprecated on netbsd, debian, ubuntu/bionic and slackware-current (v8.3p1)

#UsePrivilegeSeparation sandbox

deprecated on rhel7 and slackware142

#RSAAuthentication

Operations

Slackware

tail -F /var/log/messages
ls -lhF /etc/rc.d/rc.sshd # executable
/etc/rc.d/rc.sshd restart

NetBSD

tail -F /var/log/authlog
vi /etc/rc.conf

sshd=yes

service sshd restart
netstat -an -f inet,inet6

Debian / Ubuntu Server

tail -n0 -F /var/log/*
systemctl status ssh
#systemctl enable ssh
systemctl restart ssh
netstat -lntupe

RHEL7

systemctl restart sshd

Fail-Over

Create a failover config with a different port and PID file,

cp -pi sshd_config sshd_config.failover
vi  sshd_config.failover

Port ALT_PORT
PidFile /var/run/sshd.failover.pid

Start the daemon,

ls -lhF /var/run/sshd*
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover
ps aux | grep failover
netstat -antupe --inet --inet6 | grep ALT_PORT

and enable it at startup (rc.local still works on CentOS7),

cd /etc/
cp -pi rc.local rc.local.dist
vi rc.local

echo -n starting a failover ssh daemon...
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover && echo done

#no need to make it executable

Miscellaneous

Open ALT_PORT in the host firewall so the failover daemon is reachable (CentOS7+ example),

firewall-cmd --zone=public --add-port=ALT_PORT/tcp --permanent

Resources

Using Ed25519 for OpenSSH keys (instead of DSA/RSA/ECDSA) https://linux-audit.com/using-ed25519-openssh-keys-instead-of-dsa-rsa-ecdsa/

sshd_config - SSH Server Configuration https://www.ssh.com/ssh/sshd_config/

Limit SSH access to specific clients by IP address https://unix.stackexchange.com/questions/406245/limit-ssh-access-to-specific-clients-by-ip-address