Here you will find an SSH configuring and hardening guide.
Installation
```sh
apt install openssh-server openssh-client
```
Usage
Server:
```sh
systemctl enable sshd.service
systemctl ( start | stop | restart ) sshd.service
# on Debian/Ubuntu the unit is called ssh.service (sshd.service is an alias of it)
```
Client:
```sh
ssh [options] user@host [command]
```
Common options
| parameter | description |
|---|---|
| -p | port number, if you changed the standard port |
| -i | alternative identity file, like ~/.ssh/id_ed25519.pub |
| -J | ProxyJump host, like user@host, if you want to connect to an otherwise unreachable host through it |
| -Y | trusted X11 forwarding of graphical apps through ssh |
Generating ssh keys
```sh
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519_pq
```
This creates the private/public key pair in your home folder, ~/.ssh. You will also be asked for a passphrase for the key pair; it encrypts the private key and is needed every time the key is loaded again (-a 100 sets the number of KDF rounds used to derive the encryption key from the passphrase). This key is meant for the post-quantum profile below: Ed25519 itself is a classical signature scheme, and the post-quantum protection in this guide comes from the hybrid key exchange (sntrup761x25519-sha512@openssh.com) configured on the server.
Copy the public key to a host for authentication
The following command installs your public key in the authorized_keys file of a host, so that you can log in there without a password. Without -i, ssh-copy-id copies every public key it finds (from the agent or ~/.ssh/id_*.pub); with -i only the given key.
It is also possible to pass ssh options with -o, e.g. if you need to go through a ProxyJump host.
```sh
ssh-copy-id -i ~/.ssh/id_ed25519.pub -o "ProxyJump <host or ip>" user@host
```
Server configuration (Example)
Usually you’ll find the configuration file in /etc/ssh/sshd_config. Make sure you edit sshd_config (the server) and not ssh_config (the client).
```
# OpenSSH sshd_config
# Profile: ECC-only identities + Post-Quantum hybrid KEX
# Requires: OpenSSH >= 9.0 (tested with 10.0p1)
# Network
Port 22
AddressFamily inet
ListenAddress 192.168.0.4
# Host Keys (ECC only)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
# Key Exchange (Post-Quantum Hybrid ONLY)
KexAlgorithms sntrup761x25519-sha512@openssh.com
# Symmetric Crypto (AEAD only)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
# MACs not used with AEAD ciphers
# Authentication
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
PubkeyAuthentication yes
# User keys: ECC only (PubkeyAcceptedKeyTypes is the older name of PubkeyAcceptedAlgorithms, still accepted)
PubkeyAcceptedKeyTypes ssh-ed25519
# Authorization scope
# AllowUsers <YOUR_USER>
# Session hardening
LoginGraceTime 30s
MaxAuthTries 2
MaxSessions 3
ClientAliveInterval 300
ClientAliveCountMax 1
# Channel restrictions
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitTunnel no
# Environment
PermitUserEnvironment no
AcceptEnv LANG LC_*
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Misc
TCPKeepAlive yes
PrintMotd no
Banner none
VersionAddendum none
# Subsystems
Subsystem sftp internal-sftp
```
| value | description |
|---|---|
| Port <xx> | Port sshd listens on. Default: 22 |
| AddressFamily | any / inet / inet6 (inet = IPv4, inet6 = IPv6) |
| ListenAddress | IP address of the interface sshd should listen on exclusively |
| PubkeyAuthentication | yes/no, turn authentication with key pairs on/off |
| AuthorizedKeysFile | Location of the file holding the authorized public keys (default: .ssh/authorized_keys) |
| PermitRootLogin | yes/no/prohibit-password; prohibit-password disables password login for root, authentication with a key pair is still possible |
| X11Forwarding | yes/no, whether graphical applications may be tunnelled through ssh |
| AllowTcpForwarding | yes/no, TCP port forwarding; must be yes on a host that is used as a ProxyJump hop |
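As an added example (not part of the original guide), a small shell audit that checks an sshd_config file for the hardening values from the table above. It assumes the `Keyword value` syntax used in this guide and inspects only the global section before the first Match block; sshd uses the first occurrence of a keyword, so an earlier conflicting line (or one pulled in by an Include above it) silently wins over the hardened one further down.

```shell
# Added example, not from the original guide: audit an sshd_config for the
# hardening values set above. sshd uses the FIRST occurrence of a keyword
# (later duplicates are ignored), so a stray "PasswordAuthentication yes"
# higher up in the file wins. Only the global section (everything before
# the first "Match") is inspected; Match blocks have their own scope.
audit_sshd_config() {
    cfg="$1"
    rc=0
    for want in "permitrootlogin no" "passwordauthentication no" \
                "kbdinteractiveauthentication no" "x11forwarding no" \
                "allowtcpforwarding no" "pubkeyauthentication yes"; do
        key=${want% *}
        expected=${want#* }
        # first effective value for this key: comments skipped, keys are
        # case-insensitive, "Key=value" is normalised to "Key value"
        actual=$(awk -v k="$key" '
            /^[[:space:]]*#/ { next }
            { gsub(/=/, " ") }
            tolower($1) == "match" { exit }
            tolower($1) == k { print tolower($2); exit }
        ' "$cfg")
        if [ "$actual" != "$expected" ]; then
            echo "WEAK: $key is '${actual:-unset}', expected '$expected'" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after editing; on Debian/Ubuntu also check the drop-in files in /etc/ssh/sshd_config.d/, which the Include line at the top of the file loads before your own settings.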
Client configuration (Example)
For this, create a file called ~/.ssh/config in your home directory.
```
Host ssh-proxy
User root
Hostname 172.16.0.2
Port 2222
Host dhcp-server
User root
Hostname 10.11.12.2
Port 2222
ProxyJump ssh-proxy
```
| value | description |
|---|---|
| Host <hostname> | This keyword defines the “short name” you use to connect to the host. |
| User <username> | The user you want to connect with on the host. |
| Hostname <IP> | Specifies the IP address (or DNS name) you want to connect to. |
| Port <Port> | Specifies the port you want to connect to in case you’ve changed it. |
| ProxyJump <IP or Host> | If you have to connect to a host which is not directly accessible, but with a “jump” through another host. |
Options given on the command line override the file, e.g. `ssh otheruser@dhcp-server` connects to the machine defined above with another user.
Secure Copy (SCP)
Secure Copy copies files between hosts over SSH.
Usage
```sh
scp -i ~/.ssh/id_ed25519.pub -J firewall -P 222 source_file user@server:/path/to/destination
```
As you see, the same options as in ssh are available (note that scp uses -P, uppercase, for the port).
Secure File Transfer Protocol (SFTP)
Secure File Transfer Protocol comes with the openssh-server package (or the equivalent package on other operating systems). It is deactivated by default and has to be configured.
Configuration
Now we add an SFTP user which is only allowed to use SFTP and nothing else. For this, create a new group called sftponly and put the user into it.
```sh
groupadd sftponly                       # the group must exist before useradd -G can use it
mkdir -pv /srv/sftp/users/guest
useradd -G sftponly -d /srv/sftp/users/guest -s /bin/false guest
```
| parameter | description |
|---|---|
| -G | Supplementary group(s) for the user, in addition to the standard groups. |
| -d | The home directory of the user. |
| -s | The login shell; /bin/false denies an interactive shell. |
Next, create a share directory owned by root with the permissions below (sshd refuses a chroot directory that is not owned by root or that is writable by group or others).
```sh
mkdir -pv /srv/sftp/share
chown root:root /srv/sftp/share
chmod 0755 /srv/sftp/share
```
Edit /etc/ssh/sshd_config and scroll down to the Subsystem sftp [...] line. Keep the Match block at the end of the file: every keyword after a Match line belongs to that block until the next Match.
```
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# everything below applies only to members of sftponly
Match Group sftponly
ChrootDirectory /srv/sftp/path/to/share/%u
ForceCommand internal-sftp
AllowTcpForwarding no
PasswordAuthentication yes
```
Usage