Securing SSH

JaredBusch

Open a terminal session and run ssh-keygen to properly generate a valid keypair.
I use the ed25519 algorithm because it creates a short public key and the comments are useful

ssh-keygen -o -a 100 -t ed25519 -C "[email protected] Desktop"

IRJ

@JaredBusch said in Securing SSH:

@IRJ said in Securing SSH:

You would store your key in an encrypted drive like druva or one drive

Umm WUT.

You don't store your key anywhere. Because that makes it useless.

Are you reusing the same key on different user devices?

Not your personal key of course. A break glass key for root access. You get a root key for all cloud servers that should be different from your user key. That was the key I was talking about storing.

black3dynamite

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

# Generating a new ED25519 key without a password
ssh-keygen -o -a 100 -t ed25519 -N '' -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

When I use a key that requires a password, I use ssh-agent so I don't have to enter my password.

# Run ssh-agent and then use ssh-add
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

stacksofplates

@IRJ said in Securing SSH:

@hobbit666 said in Securing SSH:

I think the common things i've seen so far are -

PasswordLess access i.e. Public/Private Keys
Timeouts
Disallow root logon
Harden Firewall
White-list IP's that can access.

That is a good quick list, but we can add use vpn and/bastion host for access to that list.

Yeah this wasn't for a cloud deployment so it was the perimeter device. I incorrectly called it a jump box for some reason. It's really a bastion host.

pmoncho

@black3dynamite said in Securing SSH:

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

May be a stupid question but, should we use passwords?

DustinB3403

@pmoncho said in Securing SSH:

@black3dynamite said in Securing SSH:

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

May be a stupid question but, should we use passwords?

You can, but you'd have to enter that password every time to connect using your SSH key.

black3dynamite

@pmoncho said in Securing SSH:

@black3dynamite said in Securing SSH:

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

May be a stupid question but, should we use passwords?

It's for protecting your private key.

black3dynamite

@DustinB3403 said in Securing SSH:

@pmoncho said in Securing SSH:

@black3dynamite said in Securing SSH:

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

May be a stupid question but, should we use passwords?

You can, but you'd have to enter that password every time to connect using your SSH key.

Unless use ssh-agent.

DustinB3403

@black3dynamite said in Securing SSH:

@DustinB3403 said in Securing SSH:

@pmoncho said in Securing SSH:

@black3dynamite said in Securing SSH:

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

May be a stupid question but, should we use passwords?

You can, but you'd have to enter that password every time to connect using your SSH key.

Unless use ssh-agent.

How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

black3dynamite

@DustinB3403 said in Securing SSH:

@black3dynamite said in Securing SSH:

@DustinB3403 said in Securing SSH:

@pmoncho said in Securing SSH:

@black3dynamite said in Securing SSH:

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

May be a stupid question but, should we use passwords?

You can, but you'd have to enter that password every time to connect using your SSH key.

Unless use ssh-agent.

How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

It's not stored in plain-text.

https://www.emtec.com/ssh/agent.html

pmoncho

@black3dynamite said in Securing SSH:

@DustinB3403 said in Securing SSH:

@black3dynamite said in Securing SSH:

@DustinB3403 said in Securing SSH:

@pmoncho said in Securing SSH:

@black3dynamite said in Securing SSH:

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

May be a stupid question but, should we use passwords?

You can, but you'd have to enter that password every time to connect using your SSH key.

Unless use ssh-agent.

How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

It's not stored in plain-text.

https://www.emtec.com/ssh/agent.html

Well damn. This is interesting to know. If that is the case, it just may be beneficial to use a passphrase if only done once per 8 hours. I can handle that.

hobbit666

Silly question, i think i know the answer but checking
If i'm using a windows machine logging in as a domain user - [email protected]

I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

Do i need a user called myname (or [email protected]) on the zabbix server?

Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

Dashrender

@hobbit666 said in Securing SSH:

Silly question, i think i know the answer but checking
If i'm using a windows machine logging in as a domain user - [email protected]

I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

Do i need a user called myname (or [email protected]) on the zabbix server?

Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

I'm taking a stab here because it's been two hours with no reply.

I'm going to say no, you don't I have several VMs that I SSH into all the time, and non of them have my domain account on them, yet the Windows machine I'm on is on an AD.

You could try to setup pass-through authentication, but the whole keypair thing goes away (I think)... though you could try to setup kerberos authentication on your Zabbix box so you can login using AD creds.

scottalanmiller

@hobbit666 said in Securing SSH:

Do i need a user called myname (or [email protected]) on the zabbix server?

No, you use any name you want on Zabbix.

JaredBusch

@scottalanmiller said in Securing SSH:

@hobbit666 said in Securing SSH:

Do i need a user called myname (or [email protected]) on the zabbix server?

No, you use any name you want on Zabbix.

More specifically, on your desktop get used to typing ssh [email protected] instead of just ssh ip.add.re.ss

Or create a command alias: https://docs.microsoft.com/en-us/windows/console/console-aliases

hobbit666

Updated 2nd post

Dashrender

@hobbit666 said in Securing SSH:

Steps I used to connect to my Zabbix Server (CentOS from Win10

created a folder c:\users<username>.ssh
in powershell ran this command

 ssh-keygen -o -a 100 -t ed25519 -C "[email protected] Desktop"

Typed on the password i wanted to use (you can run a different command to have a password less key - see below)
This generated two files in .ssh - id_ed25519 and id_ed25519.pub

still in powershell i ssh'd onto the zabbix server

ssh <user>@<ip>

Once in ran the following commands

sudo mkdir ~/.ssh
sudo nano ~/.ssh/authorized_keys

copy the contents of the .pub file on the windows machine

sudo chown YourUserName:YourUserName ~/.ssh -R
sudo chmod 700 ~/.ssh
sudo chmod 600 ~/.ssh/authorized_keys

Then from powershell ssh <user>@<ip> and it just asked me for the key password and i'm in

Updated - 28/02/2020

So all of the public keys go into that single authorized_keys file? or does each user on the remote system have their own authorized_keys file?

hobbit666

@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line

JaredBusch

@Dashrender said in Securing SSH:

So all of the public keys go into that single authorized_keys file?

It is in the user directory. All of that user's keys are there.

But again, these are public keys.

JaredBusch

@hobbit666 said in Securing SSH:

@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

if you only have a single public key you can simplify it to

ssh-copy-id user@ip

I specify because my desktop has a few different generated keys.