voidcruiser-test.nl/content/rambles/ssh-configuration.md

---
title: "SSH Configuration"
date: "2022-09-27T11:40:31+02:00"
author: "$HUMANOID"
tags: ["ssh", "technology"]
description: "An article on configuring SSH from the ground up to something that can grow out into my monster of a configuration"
draft: true
---

# Introduction

If you're anything like me, you'll have at least a hand full of servers you'll log into (at least) every now and then using SSH.
These servers don't all have the same key.
And on top of that, I frequently have multiple keys per host.
Managing this by hand is a pain in the arse.
Thankfully there are a few tools that make it a breeze.
I will be going through what I have done to both my local configuration and what I tend to do with my server configuration.

# Generating keys

In order to do anything with SSH in a secure way, you'll need to make use of public and private keys.
These keypairs are generated using `ssh-keygen`.
I typically generate mine using:
```sh
ssh-keygen -t ed25519 -f ~/.ssh/<new-key>
```
Without any parameters, it will generate an rsa3072 key.
This form of cryptography isn't the recommended as it's become a bit flimsy with computers becoming stronger.
Instead I recommend at least adding the `-t ed25519` flag to generate a ed25519 key instead.

When prompted for a passphrase, **_always_** give it one.
The only reason where _not_ using a passphrase is acceptable is when you are planning on using the key for a [forced command]().

# Server Configuration

This is all done under the assumption that the you use OpenSSH implementation on your server.
If you use something like Dropbear, I can't help you as haven't properly dug through it's configuration file (yet).

The thing I see way to often on the internet is

* People not disabling password authentication.
* Changing the default port or only allowing.
* Don't disable root login and never use it.

So lets go through these steps one by one.

## Password Authentication

Password authentication is _the_ most basic thing every server should have disabled.
Otherwise, it is possible to brute force a connection into your server.

> "But my server is not exposed to the internet."

I guess you _could_ get away with not disabling password authentication, but it's still not a good idea in case, say, your network gets compromised.
On top of that, it's less convenient to have to type in a password every time you want to log into your server (more in that in the SSH Agent section).

In order to disable password authentication, open your SSH daemon configuration file: `/etc/ssh/sshd_config` and look for the following lines...
```sshd_config
...
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
...
```
...uncomment `PasswordAuthentication` and replace "yes" for "no".
Make sure you still have a way into your server before restarting the daemon.

If you're not planning on logging in as the root user, uncomment and set the following setting to "no"
```sshd_config
...
#PermitRootLogin prohibit-password
...
```

Be aware of the fact that you can still utilise the root account using `sudo su -` (assuming you're using `sudo` on your server, else use whatever other privilege escalation tool you have at hand).

Restarting the daemon on modern systems is usually done using:
```sh
systemctl restart sshd
```
If you're not using systemd, I'm sure you know what command to use instead.

## Adding keys to `authorized_keys`

When going through `/etc/ssh/sshd_config` you've probably come across a few lines resembling:
```sshd_config
...
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
...
```

This means that the SSH daemon will check in `.ssh/authorized_keys` in the home directory of the user as whom you're trying to log in for public keys.
So the next step is to append your public key to this file in the home directory of the user as whom you want to be able to log in.
This can be done in a few ways.
The proper way is by using:

```sh
ssh-copy-id -i ~/.ssh/<key-file> <user>@<host>
```
I'm usually too lazy to use the proper way and just open the file in `vi` paste it in there by hand during the same initial login where I'm disabling password authentication.
Either way works fine.

## Changing the port

The advantage to this is that your logs will be a lot cleaner if your host is exposed to the internet.
There are large amounts of bots hammering port `22` on every IP address they can find with common usernames and passwords like "root" and "admin".
A solution next to this is to use `fail2ban` along side changing the port.

> "Won't this mean I have to add the port to my login command every time I go to this server?"

No, more in this in [the client configuration] section

In `/etc/ssh/sshd_config` look for 
```sshd_config
...
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
...
```
and change the `Port` to your liking, I tend to change this to something like 6969 or some other meme number.

Another thing I tend to do is not open a port in my firewall, thus preventing any normal outside connections all together.
Instead opting to only connecting over Yggdrasil and/or Tor.

# Client configuration

If people tend not to think much about their server configuration, their client configuration is probably not even touched at all.

## The `~/.ssh/config` file

The very first thing I do after setting up a server, is add an entry to my `~/.ssh/config` in order to manage its key, the user, the port and possibly subdomain should the need arise.

A basic configuration section looks like the following:
```ssh_config
Host <host> # this is something you can easily identify
	Host <hostname> # this does need to be an IP address or DNS record pointing to an IP address
	IdentityFile ~/.ssh/<key-file>
	User <username>
	Port 6969
```
This allows you to log into host `<host>` with on port `6969` with key `~/.ssh/<key-file>` as user `<username>` without by typing:
```sh
ssh <username>@<hostname> -p 6969 -i ~/.ssh/<key-file>
```
Instead the following command will work:
```sh
ssh <host>
```

Some other frequently used settings for me are:
* `AddKeysToAgent`
* `IdentitiesOnly`
* `ProxyCommand`

### `AddKeysToAgent`

Automatically adds the key to your SSH agent if you have one running.

This is useful if you frequently log in and out of a certain host and don't want to take the time to add it's key to your agent manually.

### `IdentitiesOnly`

Ignore whatever keys your agent has and only use the contents of `IdentityFile`.

Useful for when you want to be able to log into the same host using multiple keys.

### `ProxyCommand`

Always connect to your host using a proxy.

Useful for when you can only access a host through a certain proxy.

I use this for my Tor hosts:

```ssh_config
Host tor-<host>
        Hostname <lengthy-56-character-string>.onion
        ProxyCommand nc -X 5 -x localhost:9050 %h %p # this assumes you are running a tor proxy on your local system and attempts to make a connection through that
        Identityfile ~/.ssh/<key-file>
        User <user>
```
Start of ssh config article 2022-09-27 14:31:43 +02:00			`---`
			`title: "SSH Configuration"`
			`date: "2022-09-27T11:40:31+02:00"`
			`author: "$HUMANOID"`
			`tags: ["ssh", "technology"]`
			`description: "An article on configuring SSH from the ground up to something that can grow out into my monster of a configuration"`
			`draft: true`
			`---`

			`# Introduction`

			`If you're anything like me, you'll have at least a hand full of servers you'll log into (at least) every now and then using SSH.`
			`These servers don't all have the same key.`
			`And on top of that, I frequently have multiple keys per host.`
			`Managing this by hand is a pain in the arse.`
			`Thankfully there are a few tools that make it a breeze.`
			`I will be going through what I have done to both my local configuration and what I tend to do with my server configuration.`

			`# Generating keys`

			`In order to do anything with SSH in a secure way, you'll need to make use of public and private keys.`
			These keypairs are generated using `ssh-keygen`.
			`I typically generate mine using:`
			```sh
			`ssh-keygen -t ed25519 -f ~/.ssh/<new-key>`
			```
			`Without any parameters, it will generate an rsa3072 key.`
			`This form of cryptography isn't the recommended as it's become a bit flimsy with computers becoming stronger.`
			Instead I recommend at least adding the `-t ed25519` flag to generate a ed25519 key instead.

			`When prompted for a passphrase, _always_ give it one.`
			`The only reason where _not_ using a passphrase is acceptable is when you are planning on using the key for a [forced command]().`

			`# Server Configuration`

			`This is all done under the assumption that the you use OpenSSH implementation on your server.`
			`If you use something like Dropbear, I can't help you as haven't properly dug through it's configuration file (yet).`

			`The thing I see way to often on the internet is`

			`* People not disabling password authentication.`
			`* Changing the default port or only allowing.`
			`* Don't disable root login and never use it.`

			`So lets go through these steps one by one.`

			`## Password Authentication`

			`Password authentication is _the_ most basic thing every server should have disabled.`
			`Otherwise, it is possible to brute force a connection into your server.`

			`> "But my server is not exposed to the internet."`

			`I guess you _could_ get away with not disabling password authentication, but it's still not a good idea in case, say, your network gets compromised.`
			`On top of that, it's less convenient to have to type in a password every time you want to log into your server (more in that in the SSH Agent section).`

			In order to disable password authentication, open your SSH daemon configuration file: `/etc/ssh/sshd_config` and look for the following lines...
			```sshd_config
			`...`
			`# To disable tunneled clear text passwords, change to no here!`
			`#PasswordAuthentication yes`
			`#PermitEmptyPasswords no`
			`...`
			```
			...uncomment `PasswordAuthentication` and replace "yes" for "no".
			`Make sure you still have a way into your server before restarting the daemon.`

			`If you're not planning on logging in as the root user, uncomment and set the following setting to "no"`
			```sshd_config
			`...`
			`#PermitRootLogin prohibit-password`
			`...`
			```

			Be aware of the fact that you can still utilise the root account using `sudo su -` (assuming you're using `sudo` on your server, else use whatever other privilege escalation tool you have at hand).

			`Restarting the daemon on modern systems is usually done using:`
			```sh
			`systemctl restart sshd`
			```
			`If you're not using systemd, I'm sure you know what command to use instead.`

			## Adding keys to `authorized_keys`

			When going through `/etc/ssh/sshd_config` you've probably come across a few lines resembling:
			```sshd_config
			`...`
			`# Expect .ssh/authorized_keys2 to be disregarded by default in future.`
			`#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2`
			`...`
			```

			This means that the SSH daemon will check in `.ssh/authorized_keys` in the home directory of the user as whom you're trying to log in for public keys.
			`So the next step is to append your public key to this file in the home directory of the user as whom you want to be able to log in.`
			`This can be done in a few ways.`
			`The proper way is by using:`

			```sh
			`ssh-copy-id -i ~/.ssh/<key-file> <user>@<host>`
			```
			I'm usually too lazy to use the proper way and just open the file in `vi` paste it in there by hand during the same initial login where I'm disabling password authentication.
			`Either way works fine.`

			`## Changing the port`

			`The advantage to this is that your logs will be a lot cleaner if your host is exposed to the internet.`
			There are large amounts of bots hammering port `22` on every IP address they can find with common usernames and passwords like "root" and "admin".
			A solution next to this is to use `fail2ban` along side changing the port.

			`> "Won't this mean I have to add the port to my login command every time I go to this server?"`

			`No, more in this in [the client configuration] section`

			In `/etc/ssh/sshd_config` look for
			```sshd_config
			`...`
			`#Port 22`
			`#AddressFamily any`
			`#ListenAddress 0.0.0.0`
			`#ListenAddress ::`
			`...`
			```
			and change the `Port` to your liking, I tend to change this to something like 6969 or some other meme number.

			`Another thing I tend to do is not open a port in my firewall, thus preventing any normal outside connections all together.`
			`Instead opting to only connecting over Yggdrasil and/or Tor.`

			`# Client configuration`

			`If people tend not to think much about their server configuration, their client configuration is probably not even touched at all.`

			## The `~/.ssh/config` file

			The very first thing I do after setting up a server, is add an entry to my `~/.ssh/config` in order to manage its key, the user, the port and possibly subdomain should the need arise.

			`A basic configuration section looks like the following:`
			```ssh_config
			`Host <host> # this is something you can easily identify`
			`Host <hostname> # this does need to be an IP address or DNS record pointing to an IP address`
			`IdentityFile ~/.ssh/<key-file>`
			`User <username>`
			`Port 6969`
			```
			This allows you to log into host `<host>` with on port `6969` with key `~/.ssh/<key-file>` as user `<username>` without by typing:
			```sh
			`ssh <username>@<hostname> -p 6969 -i ~/.ssh/<key-file>`
			```
			`Instead the following command will work:`
			```sh
			`ssh <host>`
			```

			`Some other frequently used settings for me are:`
			* `AddKeysToAgent`
			* `IdentitiesOnly`
			* `ProxyCommand`

			### `AddKeysToAgent`

			`Automatically adds the key to your SSH agent if you have one running.`

			`This is useful if you frequently log in and out of a certain host and don't want to take the time to add it's key to your agent manually.`

			### `IdentitiesOnly`

			Ignore whatever keys your agent has and only use the contents of `IdentityFile`.

			`Useful for when you want to be able to log into the same host using multiple keys.`

			### `ProxyCommand`

			`Always connect to your host using a proxy.`

			`Useful for when you can only access a host through a certain proxy.`

			`I use this for my Tor hosts:`

			```ssh_config
			`Host tor-<host>`
			`Hostname <lengthy-56-character-string>.onion`
			`ProxyCommand nc -X 5 -x localhost:9050 %h %p # this assumes you are running a tor proxy on your local system and attempts to make a connection through that`
			`Identityfile ~/.ssh/<key-file>`
			`User <user>`
			```