Securing SSH
-
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519# Generating a new ED25519 key without a password ssh-keygen -o -a 100 -t ed25519 -N '' -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519When I use a key that requires a password, I use ssh-agent so I don't have to enter my password.
# Run ssh-agent and then use ssh-add eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_ed25519 -
@IRJ said in Securing SSH:
@hobbit666 said in Securing SSH:
I think the common things i've seen so far are -
PasswordLess access i.e. Public/Private Keys
Timeouts
Disallow root logon
Harden Firewall
White-list IP's that can access.That is a good quick list, but we can add use vpn and/bastion host for access to that list.
Yeah this wasn't for a cloud deployment so it was the perimeter device. I incorrectly called it a jump box for some reason. It's really a bastion host.
-
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519May be a stupid question but, should we use passwords?
-
@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519May be a stupid question but, should we use passwords?
You can, but you'd have to enter that password every time to connect using your SSH key.
-
@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519May be a stupid question but, should we use passwords?
It's for protecting your private key.
-
@DustinB3403 said in Securing SSH:
@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519May be a stupid question but, should we use passwords?
You can, but you'd have to enter that password every time to connect using your SSH key.
Unless use ssh-agent.
-
@black3dynamite said in Securing SSH:
@DustinB3403 said in Securing SSH:
@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519May be a stupid question but, should we use passwords?
You can, but you'd have to enter that password every time to connect using your SSH key.
Unless use ssh-agent.
How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .
-
@DustinB3403 said in Securing SSH:
@black3dynamite said in Securing SSH:
@DustinB3403 said in Securing SSH:
@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519May be a stupid question but, should we use passwords?
You can, but you'd have to enter that password every time to connect using your SSH key.
Unless use ssh-agent.
How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .
It's not stored in plain-text.
-
@black3dynamite said in Securing SSH:
@DustinB3403 said in Securing SSH:
@black3dynamite said in Securing SSH:
@DustinB3403 said in Securing SSH:
@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519May be a stupid question but, should we use passwords?
You can, but you'd have to enter that password every time to connect using your SSH key.
Unless use ssh-agent.
How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .
It's not stored in plain-text.
Well damn. This is interesting to know. If that is the case, it just may be beneficial to use a passphrase if only done once per 8 hours. I can handle that.
-
Silly question, i think i know the answer but checking
If i'm using a windows machine logging in as a domain user - myname@domain.co.ukI want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".
Do i need a user called myname (or myname@domain.co.uk) on the zabbix server?
Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)
-
@hobbit666 said in Securing SSH:
Silly question, i think i know the answer but checking
If i'm using a windows machine logging in as a domain user - myname@domain.co.ukI want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".
Do i need a user called myname (or myname@domain.co.uk) on the zabbix server?
Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)
I'm taking a stab here because it's been two hours with no reply.
I'm going to say no, you don't I have several VMs that I SSH into all the time, and non of them have my domain account on them, yet the Windows machine I'm on is on an AD.
You could try to setup pass-through authentication, but the whole keypair thing goes away (I think)... though you could try to setup kerberos authentication on your Zabbix box so you can login using AD creds.
-
@hobbit666 said in Securing SSH:
Do i need a user called myname (or myname@domain.co.uk) on the zabbix server?
No, you use any name you want on Zabbix.
-
@scottalanmiller said in Securing SSH:
@hobbit666 said in Securing SSH:
Do i need a user called myname (or myname@domain.co.uk) on the zabbix server?
No, you use any name you want on Zabbix.
More specifically, on your desktop get used to typing
ssh user@ip.add.re.ssinstead of justssh ip.add.re.ssOr create a command alias: https://docs.microsoft.com/en-us/windows/console/console-aliases
-
Updated 2nd post
-
@hobbit666 said in Securing SSH:
Steps I used to connect to my Zabbix Server (CentOS
from Win10created a folder c:\users<username>.ssh
in powershell ran this commandssh-keygen -o -a 100 -t ed25519 -C "my@email.com Desktop"Typed on the password i wanted to use (you can run a different command to have a password less key - see below)
This generated two files in .ssh - id_ed25519 and id_ed25519.pubstill in powershell i ssh'd onto the zabbix server
ssh <user>@<ip>Once in ran the following commands
sudo mkdir ~/.ssh sudo nano ~/.ssh/authorized_keyscopy the contents of the .pub file on the windows machine
sudo chown YourUserName:YourUserName ~/.ssh -R sudo chmod 700 ~/.ssh sudo chmod 600 ~/.ssh/authorized_keysThen from powershell
ssh <user>@<ip>and it just asked me for the key password and i'm in
Updated - 28/02/2020
So all of the public keys go into that single authorized_keys file? or does each user on the remote system have their own authorized_keys file?
-
@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line -
@Dashrender said in Securing SSH:
So all of the public keys go into that single authorized_keys file?
It is in the user directory. All of that user's keys are there.
But again, these are public keys.
-
@hobbit666 said in Securing SSH:
@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate lineThis is your friend.
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ipif you only have a single public key you can simplify it to
ssh-copy-id user@ipI specify because my desktop has a few different generated keys.
-
@JaredBusch said in Securing SSH:
@Dashrender said in Securing SSH:
So all of the public keys go into that single authorized_keys file?
It is in the user directory. All of that user's keys are there.
But again, these are public keys.
Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
Just talking this through to myself.Thanks.
-
@Dashrender said in Securing SSH:
@JaredBusch said in Securing SSH:
@Dashrender said in Securing SSH:
So all of the public keys go into that single authorized_keys file?
It is in the user directory. All of that user's keys are there.
But again, these are public keys.
Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
Just talking this through to myself.Thanks.
The username is specified at login. this has nothing to do with the key.
ssh user@ipyou can easily use this key for root if you like to be unsecure.
ssh root@ip
