SSH

What    | Where
--------|------
Docs    | https://man.openbsd.org/ssh.1
OpenSSH | https://www.openssh.com
Windows | https://learn.microsoft.com/de-de/windows-server/administration/openssh/openssh_overview

Some SSH Tools:

Install and Configure

Windows 10

Install SSH

View Options: Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

Install the SSH client and/or server

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Configure SSH

Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

Firewall settings

There should be a firewall rule named "OpenSSH-Server-In-TCP"; check that it exists and is enabled:

Get-NetFirewallRule -Name *ssh*

If the firewall rule does not exist, create one:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH-Server-In-TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Login

Log in to the Azure server "azureserver" as user "user" with the private key file "private.key". The key's passphrase is prompted for after the command is run.

ssh -i private.key user@azureserver

When you SSH into another machine using public key authentication, the key pair from either ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, or ~/.ssh/id_rsa is used by default. The -i option can be used to specify a different key pair file.

Use the -L flag to forward a local port over the SSH connection; here, connections to port 3000 on the local machine are tunnelled to port 3000 on the remote server (localhost as seen from the server):

ssh server -L3000:localhost:3000

Configuration

Edit ~/.ssh/config to reach a host through multiple SSH hops (the bastion acts as jump host; -W forwards the connection to the final host and port):

Host bastion
    Hostname bastion.domain.com
    User bastion-user

Host server
    Hostname server.local.lan
    User server-user
    ProxyCommand ssh bastion -W %h:%p

Edit ~/.ssh/authorized_keys to restrict what a key may do: limit the source addresses with from=, disable agent, port and X11 forwarding, and force a single command:

from="10.20.30.0/24,44.55.66.77",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/local/bin/whatever" ssh-rsa [...]
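To check that every entry in an authorized_keys file actually carries these restrictions, here is an added Python example (not from the original page) that parses the option field, including quoted values with embedded commas such as the from= list above, and reports what is missing; it treats the restrict option (OpenSSH 7.2+) as covering the three no-* options, and the key lines it runs over are constructed samples, not real keys.

```python
# Added example (not from the original page): audit authorized_keys entries for the restrictions shown above.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
RESTRICTIONS = ("no-agent-forwarding", "no-port-forwarding", "no-X11-forwarding")  # 'restrict' (OpenSSH 7.2+) implies them

def split_unquoted(s, sep, unquote=False):
    """Split s at every sep outside double quotes (\\" escapes inside quotes); unquote=True drops the quotes."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and quoted and i + 1 < len(s):          # escaped character inside a quoted value
            cur.append(s[i + 1] if unquote else c + s[i + 1]); i += 2; continue
        if c == '"':
            quoted = not quoted
            if not unquote: cur.append(c)
        elif c == sep and not quoted:
            out.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    return out + ["".join(cur)] if cur else out

def parse_entry(line):
    """Return (options dict, key type, comment) for one key line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = [f for f in split_unquoted(line, " ") if f]   # quotes kept, so the option field stays one piece
    options = {}
    if fields[0] not in KEY_TYPES:                           # an option field precedes the key type
        for opt in split_unquoted(fields.pop(0), ",", unquote=True):
            name, eq, value = opt.partition("=")
            options[name] = value if eq else True
    return options, fields[0], " ".join(fields[2:])

def audit(line):
    """List what is missing from one entry; an empty list means the key is fully restricted."""
    entry = parse_entry(line)
    if entry is None:
        return []
    missing = [o + "=" for o in ("from", "command") if o not in entry[0]]
    if "restrict" not in entry[0]:
        missing += [r for r in RESTRICTIONS if r not in entry[0]]
    return missing

SAMPLE = [  # constructed samples: the restricted line from above, an unrestricted laptop key, a restrict+command key
    'from="10.20.30.0/24,44.55.66.77",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/local/bin/whatever" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE deploy',
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE laptop',
    'restrict,command="/usr/local/bin/backup.sh --dry run" ssh-rsa AAAAB3NzaC1yc2EEXAMPLE backup',
]
```

Run audit() over each line of a real file to list the keys that still allow an interactive shell or forwarding.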

Create Secure SSH Key

ssh-keygen -o -a 100 -t ed25519

Add Key to remote server

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@remote

Security

Server Hardening

Hardening for Ubuntu 22.04 LTS Server. All commands need to be executed as root.

Re-generate the RSA and ED25519 host keys

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Remove small Diffie-Hellman moduli

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

Enable the RSA and ED25519 HostKey directives in the /etc/ssh/sshd_config file:

sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config

Restrict supported key exchange, cipher, and MAC algorithms

cat > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf <<'EOF'
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
EOF

Restart OpenSSH server

service ssh restart

Client Config

When SSH tries to authenticate via public key, it offers the server all your public keys, one by one, until the server accepts one. A server can take advantage of this to enumerate all of the client's installed public keys.

If this behavior is problematic for you, you can tell SSH not to present your public keys to the server by default.

Add these lines at the end of your ~/.ssh/config (after other "Host" directives)

Host *
    PubkeyAuthentication no
    IdentitiesOnly yes

Then specify what keys should be used for each host

Host github.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/github_id_rsa

Some additional client config settings from Mozilla:

# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
HashKnownHosts yes
# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

The algorithms supported by a particular OpenSSH version can be listed with the following commands:

ssh -Q cipher
ssh -Q cipher-auth
ssh -Q mac
ssh -Q kex
ssh -Q key

Server Config

Some additional server config settings from Mozilla:

# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey

# LogLevel VERBOSE logs the user's key fingerprint on login. Needed to have a clear audit track of which key was used to log in.
LogLevel VERBOSE

# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
#
# On Linux, user sessions are tracked using a kernel-side session id; however, this session id is not recorded by OpenSSH.
# Additionally, only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit track.
PermitRootLogin No

SSH Escape Sequences

To see all escape sequences press ~?.

 ~.   - terminate connection (and any multiplexed sessions)
 ~B   - send a BREAK to the remote system
 ~C   - open a command line
 ~R   - request rekey
 ~V/v - decrease/increase verbosity (LogLevel)
 ~^Z  - suspend ssh
 ~#   - list forwarded connections
 ~&   - background ssh (when waiting for connections to terminate)
 ~?   - this message
 ~~   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

Creating an SSH key

  • Generate a key: ssh-keygen -t ed25519 -a 100 -q -N "" -f ~/.ssh/id_ed25519
  • Generate a key in the current directory: ssh-keygen -t ed25519 -a 100 -q -N "" -f "$PWD"/renameme
  • Generate a key with a given name: ssh-keygen -t ed25519 -a 100 -q -N "" -f "$PWD"/deploy_key_1 -C deploy_key_1

Creating an SSH key for GitHub

# Create the key and move it into ~/.ssh with safe permissions
ssh-keygen -t rsa -b 4096 -N "" -C "" -f keyname
mv keyname* ~/.ssh
chmod 700 ~/.ssh && chmod 600 ~/.ssh/*

# Add a host entry to ~/.ssh/config
Host github
    HostName github.com
    User git
    IdentityFile ~/.ssh/keyname

# Copy public key to server.
ssh-copy-id -i ~/.ssh/keyname user@remote_machine

# Check the SSH connection, then load the key into the agent and check again
ssh -T git@github.com
eval $(ssh-agent -s)
ssh-add ~/.ssh/keyname
ssh -T git@github.com

Get the public key of a github user:

curl -s https://github.com/fullbyte.keys > fullbyte-github.key
ssh-keygen -l -f fullbyte-github.key
256 SHA256:GsiF6Lligv7mFffk8WYLjhIpa4kgjxnfjHD4HXfgmi0 no comment (ED25519)

Helpful commands

Add -v, -vv or -vvv for more output details.

  • Change the key's passphrase: ssh-keygen -p -f C:\Users\0xfab1\.ssh\id_ed25519
  • Forward Multiple Ports Over SSH: ssh [email protected] -L 3000:localhost:3000 -L 9009:localhost:9009
  • Test SSH (e.g. to gitlab): ssh -vT git@gitlab.com
  • Close stuck SSH session: Press: Enter then ~ then .
  • Get SSH key fingerprint: ssh-keygen -l -E md5 -f ~/.ssh/my-ssh-key
  • Get Fingerprint of server: ssh-keyscan -H sshtest.0xfab1.net
  • Generate SSHFP DNS entries: ssh-keygen -g -r sshtest.0xfab1.net
  • Get SSHFP entries: ssh-keyscan -D sshtest.0xfab1.net
  • Get specific SSHFP entries: ssh-keyscan -D -t ecdsa,ed25519 sshtest.0xfab1.net
  • Read SSHFP DNS entries: dig @localhost sshtest.0xfab1.net sshfp +noall +answer +dnssec
  • Login and check SSHFP (requires DNSSEC): ssh -i sshtest_key.pem -o VerifyHostKeyDNS=yes [email protected]
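As an added example (not part of the original page), the following Python derives the SSHFP records that ssh-keygen -r emits and the SHA256: fingerprint that ssh-keygen -l shows from an OpenSSH public key line, so a DNS SSHFP answer can be compared against the key a server actually presents; the key line it uses is a constructed ed25519 blob with dummy key bytes, not a real key.

```python
# Added example (not from the original page): compute SSHFP records and the
# ssh-keygen -l fingerprint from an OpenSSH public key line. Key material is constructed.
import base64, hashlib, struct

SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,   # RFC 4255 / 6594 / 7479
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}

def decode_pubkey_line(line):
    """Return (key type, raw key blob); the type string inside the blob must match the declared one."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])                 # blob starts with string(type) in SSH wire format
    embedded = blob[4:4 + tlen].decode("ascii")
    if embedded != declared:
        raise ValueError(f"key type mismatch: {declared!r} vs {embedded!r}")
    return declared, blob

def sshfp_records(host, line):
    """'host IN SSHFP alg fptype hex' for SHA-1 and SHA-256, the two records ssh-keygen -r prints."""
    ktype, blob = decode_pubkey_line(line)
    return [f"{host} IN SSHFP {SSHFP_ALGORITHM[ktype]} {SSHFP_FPTYPE[h]} {hashlib.new(h, blob).hexdigest()}"
            for h in ("sha1", "sha256")]

def openssh_fingerprint(line):
    """SHA256:<unpadded base64> as printed by ssh-keygen -l and by sshd with LogLevel VERBOSE."""
    _, blob = decode_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def sshfp_matches(host, line, rdata):
    """True if DNS SSHFP RDATA ('4 2 <hex>') matches the key; hex case is ignored."""
    alg, fptype, hexfp = rdata.split()
    expected = {r.split(" IN SSHFP ")[1] for r in sshfp_records(host, line)}
    return f"{alg} {fptype} {hexfp.lower()}" in expected

def constructed_ed25519_line():
    """Constructed ed25519 public key line with 32 dummy key bytes (not a usable key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-example"
```

Feed a line from ssh-keyscan output and the RDATA from the dig answer above into sshfp_matches() to confirm the DNS record describes the key that was scanned.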

Restart SSHD

Different options to restart the SSH daemon for various OS:

OS         | native/old                         | using service            | using systemd
-----------|------------------------------------|--------------------------|------------------------------------
CentOS     |                                    | service sshd restart     | sudo systemctl restart sshd
RHEL       |                                    | service sshd restart     | sudo systemctl restart sshd
Fedora     |                                    | service sshd restart     | sudo systemctl restart sshd
Redhat     | /etc/init.d/sshd restart           | service sshd restart     | sudo systemctl restart sshd
Alma       |                                    | service sshd restart     | sudo systemctl restart sshd
Rocky      |                                    | service sshd restart     | sudo systemctl restart sshd
Debian     | /etc/init.d/ssh restart            | sudo service ssh restart | sudo systemctl restart ssh
Ubuntu     | /etc/init.d/ssh restart            | sudo service ssh restart | sudo systemctl restart ssh
Mint       | /etc/init.d/ssh restart            | sudo service ssh restart |
FreeBSD    | doas /etc/rc.d/sshd restart        |                          |
UNIX       | kill -HUP $(cat /var/run/sshd.pid) |                          |
OpenSUSE   |                                    |                          | sudo systemctl restart sshd
SUSE       |                                    |                          | sudo systemctl restart sshd
Arch Linux |                                    |                          | sudo systemctl restart sshd.service