SSH basics

SSH

  • Secure remote connection to another device.
  • Remember to open port 22 (TCP) in the firewall so it can work.

Enabling

  • On most modern Linux and Unix-based operating systems SSH is already enabled by default.

    • Is it installed? Look for openssh* (architecture dependent) and openssh-server.

      sudo yum list openssh*
    • Install it and start the daemon.

      sudo yum install openssh-server
      # start on a System V init system
      sudo service sshd start
      # start on a systemd system
      sudo systemctl start sshd
    • Run it on system boot.

      sudo chkconfig sshd on
  • Connect (you will be shown the server's host key fingerprint; once you accept it, it is saved in ~/.ssh/known_hosts and checked on every later connection).

    ssh username@123.123.123.123

Using certificates

Authenticating with a certificate instead of a password. It cannot be keylogged, as nothing is typed.

Generate private and public key

Public key is shared, private key is “for us”.

  • Set up on client
    1. Generate the key pair, RSA type (in your user profile there will be a hidden .ssh folder containing the file id_rsa; you may protect it with a passphrase).

      ssh-keygen -t rsa
    2. Go to the .ssh folder: check for id_rsa (private) and id_rsa.pub (public).
    3. (Optional) send the public key to a server.

      ssh-copy-id -i /path/to/key.pub SERVERNAME

Set up on server

  • Set up on server (the same thing ssh-copy-id does for you).

    1. Check whether the user's home directory already has a .ssh folder.

      # from the user's home directory
      ls -la
      # if not found
      mkdir .ssh
    2. Create the file for authorized keys.

      cd .ssh
      # if not found
      vi authorized_keys
    3. Type one public key per line in the authorized_keys file.
  • Test that it works against the server (using the private key). Always do this while you still have another way in, if you cannot physically access the server to fix it when something goes wrong.

    ssh -i ./id_rsa username@123.123.123.123
  • Disable access via password.

    1. Open the SSH server configuration file.

      sudo vi /etc/ssh/sshd_config
    2. Find #PubkeyAuthentication and remove the # (the value should be yes).
    3. Check the AuthorizedKeysFile value, so that it matches the file you created (.ssh/authorized_keys).
    4. Find PasswordAuthentication and set its value to no.
    5. ChallengeResponseAuthentication should be no.
    6. Save and restart the service on the server (sudo systemctl restart sshd). Keep your current session open until a fresh key-based login has succeeded.
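The server-side steps above (create .ssh, put one public key per line in authorized_keys) as an added shell example; this is not code from the original notes. It also sets the permissions sshd expects: with StrictModes (the default) sshd ignores an authorized_keys file if the file, the .ssh directory or the home directory is writable by anyone but the owner, which is the most common reason a freshly copied key "does not work". Function names and the sample key are my own constructions.

```shell
#!/bin/sh
# Added example: idempotent authorized_keys installer with the permissions
# sshd's StrictModes requires (0700 on ~/.ssh, 0600 on authorized_keys).
# Not from the original notes; function names are my own.

# install_authorized_key HOME_DIR "PUBKEY_LINE"
# Appends the key line once, creating ~/.ssh and authorized_keys as needed.
install_authorized_key() {
    home_dir=$1
    key_line=$2

    # Only accept a line that starts like an OpenSSH public key. A pasted
    # private key or an arbitrary line must never end up in authorized_keys.
    case "$key_line" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *|sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-nistp256@openssh.com\ *) ;;
        *) echo "refusing line that is not an OpenSSH public key" >&2; return 1 ;;
    esac

    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Create the directory and file under a restrictive umask so they are
    # never group or world readable, not even briefly before the chmod.
    (
        umask 077
        mkdir -p "$ssh_dir"
        touch "$auth_file"
    ) || return 1
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"

    # One key per line; do nothing if this exact line is already present.
    if grep -qxF -- "$key_line" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# count_authorized_keys HOME_DIR
# Prints the number of key lines (comments and blank lines are not counted).
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
}

# Usage (constructed sample key, not a real one):
#   install_authorized_key /home/alice "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyMaterial00000000000 alice@laptop"
```

Running it twice with the same key leaves a single line, and a line that is not a public key is rejected before anything is written.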

Connect

  • Even though we reference it on the command line, the private key is never sent to the server: it is only used locally to answer the server's challenge, and the server checks that answer with the public key it holds in authorized_keys. The only key that ever travels over the network is the public one.

    ssh -i ./id_rsa username@123.123.123.123

Hardening

Check that at least protocol version 2 is used

  1. Go to the server and check the config file.

    sudo vi /etc/ssh/sshd_config
  2. Look for the comment “the default requires explicit activation of protocol 1”. If you see Protocol 1, this is bad (you may also find Protocol 2,1, meaning it accepts both, tried in that order). Current OpenSSH releases have removed protocol 1 support altogether and ignore the Protocol directive, so this line only matters on older servers.

Filter the allowed users

  1. Go to the server and check the config file.

    sudo vi /etc/ssh/sshd_config
  2. Remove the root user: look for PermitRootLogin and ensure it is either commented out or set to no.
  3. Review the allowed users list: look for AllowUsers and AuthorizedKeysCommand (a list example would be: AllowUsers user1 user2 user3).
  4. Change the port number: look for Port and change it (e.g. Port 9999), and check that it is open in your firewall (sudo firewall-cmd --add-port 9999/tcp --permanent, followed by sudo firewall-cmd --reload so the permanent rule becomes active). On SELinux-enforcing systems also allow sshd to bind the new port (semanage port -a -t ssh_port_t -p tcp 9999), otherwise the service will not start on it.
  5. Restart the server (systemctl restart sshd).
  6. Connect from the client specifying the port (ssh -i ./id_rsa username@123.123.123.123 -p 9999).
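Rather than eyeballing sshd_config for each directive named in the "Disable access via password" and "Hardening" steps (PubkeyAuthentication, PasswordAuthentication, ChallengeResponseAuthentication, Protocol, PermitRootLogin), the added example below reads a copy of the file and reports which of them are not in the expected state. It is not code from the original notes; the function names are my own. It reproduces one sshd rule that trips people up: the first occurrence of a keyword wins, so a hardened line added at the bottom of the file does nothing if a weaker line above it already set the option. It assumes the usual "Keyword value" layout (the "Keyword=value" form is not parsed) and audits only the global section before the first Match block. On a live server, sshd -T prints the configuration sshd actually loaded and is the authoritative check; this script is for auditing files offline, for example from a configuration repository.

```shell
#!/bin/sh
# Added example (not from the original notes): static audit of the sshd_config
# directives the notes tell you to check. Function names are my own.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD from the global section of FILE,
# or nothing if it is not set. Like sshd, the FIRST occurrence wins.
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # drop comments and re-split fields
        NF == 0 { next }                         # blank or comment-only line
        tolower($1) == "match" { exit }          # Match blocks are conditional; stop here
        tolower($1) == kw {                      # first match wins, as in sshd
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            print v
            exit
        }' "$1"
}

# expect_value FILE KEYWORD WANTED
# Prints one PASS/FAIL line and returns 1 on FAIL. An unset keyword is a FAIL:
# the compiled-in default differs between OpenSSH versions, so the hardened
# value has to be written down explicitly.
expect_value() {
    val=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    if [ "$val" = "$3" ]; then
        echo "PASS $2 $val"
        return 0
    fi
    if [ -z "$val" ]; then
        echo "FAIL $2 not set; add '$2 $3'"
    else
        echo "FAIL $2 is '$val', expected '$3'"
    fi
    return 1
}

# audit_sshd_config FILE
# Prints one line per check; returns 1 if any check failed, 0 otherwise.
audit_sshd_config() {
    cfg=$1
    failed=0

    # Protocol: absent is fine on current OpenSSH (SSH-1 support was removed);
    # any value containing 1, including "2,1", re-enables the broken protocol
    # on servers that still have it.
    proto=$(effective_value "$cfg" Protocol)
    case "$proto" in
        *1*) echo "FAIL Protocol '$proto' permits SSH-1"; failed=1 ;;
        "")  echo "PASS Protocol unset (SSH-2 only on current OpenSSH)" ;;
        *)   echo "PASS Protocol $proto" ;;
    esac

    expect_value "$cfg" PubkeyAuthentication yes  || failed=1
    expect_value "$cfg" PermitRootLogin no        || failed=1
    expect_value "$cfg" PasswordAuthentication no || failed=1

    # Newer OpenSSH spells this KbdInteractiveAuthentication and keeps the old
    # name as an alias: check the old spelling if present, otherwise the new one.
    cra=$(effective_value "$cfg" ChallengeResponseAuthentication)
    if [ -n "$cra" ]; then
        expect_value "$cfg" ChallengeResponseAuthentication no || failed=1
    else
        expect_value "$cfg" KbdInteractiveAuthentication no || failed=1
    fi

    return $failed
}

# count_sshd_failures FILE -> number of FAIL lines in the audit
count_sshd_failures() {
    audit_sshd_config "$1" | grep -c '^FAIL' || true
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
```

A file with PasswordAuthentication yes near the top and PasswordAuthentication no appended at the end is reported as still allowing passwords, which is exactly what sshd does with it; a PasswordAuthentication yes that sits under a Match block is not counted against the global setting.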