diff --git a/content/rambles/ssh-configuration.md b/content/rambles/ssh-configuration.md index 36d1430..e3d7498 100644 --- a/content/rambles/ssh-configuration.md +++ b/content/rambles/ssh-configuration.md @@ -3,7 +3,7 @@ title: "SSH Configuration" date: "2022-09-27T11:40:31+02:00" author: "$HUMANOID" tags: ["ssh", "technology"] -description: "An article on configuring SSH from the ground up to something that can grow out into my monster of a configuration" +description: "An article on configuring SSH from the ground up to something that can grow out into something like my monster of a config file" toc: true --- 
@@ -25,22 +25,22 @@ I typically generate mine using: ssh-keygen -t ed25519 -f ~/.ssh/ ``` Without any parameters, it will generate an rsa3072 key. -This form of cryptography isn't the recommended as it's become a bit flimsy with computers becoming stronger. -Instead I recommend at least adding the `-t ed25519` flag to generate a ed25519 key instead. +This form of cryptography isn't recommended as it's become a bit flimsy with computers becoming stronger. +Instead I recommend at least adding the `-t ed25519` flag to generate a ed25519 key. When prompted for a passphrase, **_always_** give it one. -The only reason where _not_ using a passphrase is acceptable is when you are planning on using the key for a [forced command](). +The only situation where _not_ using a passphrase is acceptable is when you are planning on using the key for a [forced command](#forced-commands). # Server Configuration -This is all done under the assumption that the you use OpenSSH implementation on your server. +This is all done under the assumption that the you use the OpenSSH implementation on your server. If you use something like Dropbear, I can't help you as haven't properly dug through it's configuration file (yet). The thing I see way to often on the internet is * People not disabling password authentication. -* Changing the default port or only allowing. -* Don't disable root login and never use it. +* People not changing the default port . +* People not disabling root login and never using it. So lets go through these steps one by one. @@ -109,7 +109,7 @@ A solution next to this is to use `fail2ban` along side changing the port. > "Won't this mean I have to add the port to my login command every time I go to this server?" -No, more in this in [the client configuration] section +No, more in this in [the client configuration](#client-configuration) section In `/etc/ssh/sshd_config` look for ```sshd_config 
@@ -123,7 +123,7 @@ In `/etc/ssh/sshd_config` look for and change the `Port` to your liking, I tend to change this to something like 6969 or some other meme number. Another thing I tend to do is not open a port in my firewall, thus preventing any normal outside connections all together. -Instead opting to only connecting over Yggdrasil and/or Tor. +Instead opting to only connect over Yggdrasil and/or Tor. # Client configuration @@ -136,20 +136,22 @@ The very first thing I do after setting up a server, is add an entry to my `~/.s A basic configuration section looks like the following: ```ssh_config Host # this is something you can easily identify - Host # this does need to be an IP address or DNS record pointing to an IP address + Host # this does need to be an IP address or DNS record pointing to an IP address IdentityFile ~/.ssh/ User Port ``` This allows you to log into host `` with on port `` with key `~/.ssh/` as user `` without by typing: ```sh -ssh @ -p -i ~/.ssh/ +ssh @ -p -i ~/.ssh/ ``` Instead the following command will work: ```sh ssh ``` +More information on the SSH config file can be found in the `ssh_config` manpage. + Some other frequently used settings for me are: * `AddKeysToAgent` * `IdentitiesOnly` @@ -165,7 +167,7 @@ This is useful if you frequently log in and out of a certain host and don't want Ignore whatever keys your agent has and only use the contents of `IdentityFile`. -Useful for when you want to be able to log into the same host using multiple keys. +Useful for when you want to be able to log into the same host using multiple keys while using an SSH agent session. ### `ProxyCommand` 
@@ -178,7 +180,7 @@ I use this for my Tor hosts: ```ssh_config Host tor- Hostname .onion - # this is dependent on the netcat implementation of the OpenBSD project + # this is dependent on the netcat implementation of the OpenBSD project, often packaged as "netcat-openbsd" ProxyCommand nc -X 5 -x localhost:9050 %h %p # this assumes you are running a tor proxy on your local system and attempts to make a connection through that Identityfile ~/.ssh/ User 
@@ -227,3 +229,38 @@ eval $(keychain --agents 'gpg,ssh' --eval) ... ``` As you can see, it can also keep track of your GPG agent. + +# Forced Commands + +Another amazing feature of SSH is forced commands. +The name is relatively self explanatory. +You give a public key the privilege to execute a single command and nothing else. +This is really useful if there is something that you frequently do on a server which is simple enough that it can be automated but still requires interaction from device. + +I make use of a forced command to open NCMPCPP on my MPD server. +Logging in every time and typing `ncmpcpp` every time I wanted to add or remove some songs from the current playlist got annoying really fast. + +On my client machines I have an entry in my `~/.ssh/config` with roughly the following: +```ssh_config +Host -radio + Hostname + User + Port + Identityfile ~/.ssh/-radio + IdentitiesOnly yes # here's where forcing it to ignore the ssh agent comes in useful +``` +On my MPD server, I have the following in `~/.ssh/authorized_keys`: +```authorized_keys +command="ncmpcpp" ssh-ed25519 -radio.pub> +``` + +When I `ssh` to `-radio`, all I get is an NCMPCPP session. + +On one of my Raspberry Pis, I make use of a forced command to toggle my desk lamp using a little wrapper I wrote around the Pi's GPIO interface. +It has the following line in `~/.ssh/authorized_keys`: +```authorized_keys +no-pty,command="/path/to/script/lamp toggle" ssh-ed25519 +``` +The `no-pty` option prevents any sessions opened with this key from starting an interactive shell session. + +Documentation of the `authorized_keys` file can be found in the `sshd` manpage under the `AUTHORIZED_KEYS FILE FORMAT` section.
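Review bot: the new description in the @@ -3 hunk repeats "something" twice in one clause ("to something that can grow out into something like my monster of a config file"); suggest "from the ground up to a base that can grow into something like my monster of a config file".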
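Review bot: several typos survive in the + lines of the @@ -25 hunk: "that the you use the OpenSSH implementation" still carries the stray "the" (should be "that you use"), "a ed25519 key" should be "an ed25519 key", "way to often" should be "way too often", "lets go" should be "let's go", and the unchanged context line "as haven't properly dug through it's configuration file" needs "as I haven't" and "its". The trailing space in "the default port ." should go, and the third bullet "People not disabling root login and never using it." reads as if never using root were the complaint; suggest "People not disabling root login (and logging in as root)." On substance, "isn't recommended as it's become a bit flimsy with computers becoming stronger" overstates the case against the default rsa3072 key, which is still rated at roughly a 128-bit security level; the better argument for `-t ed25519` is smaller keys, faster operations and a design with fewer implementation pitfalls, so suggest rewording along those lines rather than calling RSA flimsy.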
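Review bot: in the @@ -109 hunk, "No, more in this in [the client configuration](#client-configuration) section" should read "No, more on this in the [client configuration](#client-configuration) section." The anchor itself matches the "# Client configuration" heading shown in the next hunk, so only the wording needs fixing.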
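Review bot: "Instead opting to only connect over Yggdrasil and/or Tor." in the @@ -123 hunk is still a sentence fragment after the edit; fold it into the preceding sentence, e.g. "... thus preventing any normal outside connections altogether, and instead only connect over Yggdrasil and/or Tor." ("all together" should also be "altogether" in that context line.)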
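Review bot: the @@ -136 hunk only re-indents the second line of the `ssh_config` example, but that line is wrong as written: the keyword that takes the IP address or DNS name is `Hostname` (or `HostName`), not a second `Host`, so the block currently declares two host aliases and no address. The Tor example in the @@ -178 hunk uses `Hostname` correctly; suggest the same here: `Hostname  # this does need to be an IP address or DNS record pointing to an IP address`. The sentence introducing the long command is garbled too ("log into host `` with on port `` with key ... without by typing:"); suggest "This lets you log into host `` on port `` with key `~/.ssh/` as user `` instead of typing:".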
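Review bot: the expanded comment in the @@ -178 hunk ("often packaged as "netcat-openbsd"") is worth keeping, and it would help to say why the distinction matters: nmap's `ncat`, which some distributions install as `nc`, takes `--proxy`/`--proxy-type` instead of `-X 5 -x`, so the line fails silently on those systems. Consider also noting in the comment that with `-X 5` the OpenBSD netcat hands the unresolved `%h` to the SOCKS5 proxy, which is what lets a `.onion` name in `Hostname` work at all and keeps the name from being looked up in DNS outside Tor.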
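Review bot: the forced-command lines in the @@ -227 hunk do not limit the key enough for something the text says is stored without a passphrase: `command="ncmpcpp"` on its own still lets the holder of that key request TCP, agent and X11 forwarding through the server, it only replaces the shell. Prefix the options with `restrict` (OpenSSH 7.2 and later), and since ncmpcpp needs a terminal, re-enable that one capability: `restrict,pty,command="ncmpcpp" ssh-ed25519 AAAA...`. The lamp line should likewise read `restrict,command="/path/to/script/lamp toggle" ssh-ed25519 ...` rather than only `no-pty`. The first key line also ends in `-radio.pub>`, which looks like a leftover from a `cat ... >>` command or an unexpanded template; an `authorized_keys` entry is options, key type, the base64 key blob and an optional comment. The sentence "The `no-pty` option prevents any sessions opened with this key from starting an interactive shell session" is inaccurate: `no-pty` only refuses terminal allocation, and it is `command=` that stops a shell from being started; suggest "The `no-pty` option refuses a terminal for sessions opened with this key, so the forced command cannot be turned into an interactive session." Minor prose points: "still requires interaction from device" is missing a word ("from a device"), and "Logging in every time and typing `ncmpcpp` every time" repeats "every time".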