Small additions to ssh article

- Section about forced commands
- Loads of small edits
This commit is contained in:
Nox Sluijtman 2022-09-29 19:53:35 +02:00
parent ecd0f85ef3
commit 33f424cd71

View file

@ -3,7 +3,7 @@ title: "SSH Configuration"
date: "2022-09-27T11:40:31+02:00"
author: "$HUMANOID"
tags: ["ssh", "technology"]
description: "An article on configuring SSH from the ground up to something that can grow out into my monster of a configuration"
description: "An article on configuring SSH from the ground up to something that can grow out into something like my monster of a config file"
toc: true
---
@ -25,22 +25,22 @@ I typically generate mine using:
ssh-keygen -t ed25519 -f ~/.ssh/<new-key>
```
Without any parameters, it will generate an rsa3072 key.
This form of cryptography isn't the recommended as it's become a bit flimsy with computers becoming stronger.
Instead I recommend at least adding the `-t ed25519` flag to generate a ed25519 key instead.
This form of cryptography isn't recommended as it's become a bit flimsy with computers becoming stronger.
Instead I recommend at least adding the `-t ed25519` flag to generate a ed25519 key.
When prompted for a passphrase, **_always_** give it one.
The only reason where _not_ using a passphrase is acceptable is when you are planning on using the key for a [forced command]().
The only situation where _not_ using a passphrase is acceptable is when you are planning on using the key for a [forced command](#forced-commands).
# Server Configuration
This is all done under the assumption that the you use OpenSSH implementation on your server.
This is all done under the assumption that the you use the OpenSSH implementation on your server.
If you use something like Dropbear, I can't help you as haven't properly dug through it's configuration file (yet).
The thing I see way to often on the internet is
* People not disabling password authentication.
* Changing the default port or only allowing.
* Don't disable root login and never use it.
* People not changing the default port <!--or only allowing a range of IPs to log in-->.
* People not disabling root login and never using it.
So lets go through these steps one by one.
@ -109,7 +109,7 @@ A solution next to this is to use `fail2ban` along side changing the port.
> "Won't this mean I have to add the port to my login command every time I go to this server?"
No, more in this in [the client configuration] section
No, more in this in [the client configuration](#client-configuration) section
In `/etc/ssh/sshd_config` look for
```sshd_config
@ -123,7 +123,7 @@ In `/etc/ssh/sshd_config` look for
and change the `Port` to your liking, I tend to change this to something like 6969 or some other meme number.
Another thing I tend to do is not open a port in my firewall, thus preventing any normal outside connections all together.
Instead opting to only connecting over Yggdrasil and/or Tor.
Instead opting to only connect over Yggdrasil and/or Tor.
# Client configuration
@ -136,20 +136,22 @@ The very first thing I do after setting up a server, is add an entry to my `~/.s
A basic configuration section looks like the following:
```ssh_config
Host <host> # this is something you can easily identify
Host <host-name> # this does need to be an IP address or DNS record pointing to an IP address
Host <hostname> # this does need to be an IP address or DNS record pointing to an IP address
IdentityFile ~/.ssh/<key-file>
User <user-name>
Port <meme-number>
```
This allows you to log into host `<host>` with on port `<meme-number>` with key `~/.ssh/<key-file>` as user `<user-name>` without by typing:
```sh
ssh <user-name>@<host-name> -p <meme-number> -i ~/.ssh/<key-file>
ssh <user-name>@<hostname> -p <meme-number> -i ~/.ssh/<key-file>
```
Instead the following command will work:
```sh
ssh <host>
```
More information on the SSH config file can be found in the `ssh_config` manpage.
Some other frequently used settings for me are:
* `AddKeysToAgent`
* `IdentitiesOnly`
@ -165,7 +167,7 @@ This is useful if you frequently log in and out of a certain host and don't want
Ignore whatever keys your agent has and only use the contents of `IdentityFile`.
Useful for when you want to be able to log into the same host using multiple keys.
Useful for when you want to be able to log into the same host using multiple keys while using an SSH agent session.
### `ProxyCommand`
@ -178,7 +180,7 @@ I use this for my Tor hosts:
```ssh_config
Host tor-<host>
Hostname <lengthy-56-character-string>.onion
# this is dependent on the netcat implementation of the OpenBSD project
# this is dependent on the netcat implementation of the OpenBSD project, often packaged as "netcat-openbsd"
ProxyCommand nc -X 5 -x localhost:9050 %h %p # this assumes you are running a tor proxy on your local system and attempts to make a connection through that
Identityfile ~/.ssh/<key-file>
User <user>
@ -227,3 +229,38 @@ eval $(keychain --agents 'gpg,ssh' --eval)
...
```
As you can see, it can also keep track of your GPG agent.
# Forced Commands
Another amazing feature of SSH is forced commands.
The name is relatively self explanatory.
You give a public key the privilege to execute a single command and nothing else.
This is really useful if there is something that you frequently do on a server which is simple enough that it can be automated but still requires interaction from device.
I make use of a forced command to open NCMPCPP on my MPD server.
Logging in every time and typing `ncmpcpp` every time I wanted to add or remove some songs from the current playlist got annoying really fast.
On my client machines I have an entry in my `~/.ssh/config` with roughly the following:
```ssh_config
Host <host>-radio
Hostname <hostname>
User <mpd-user>
Port <meme-number>
Identityfile ~/.ssh/<host>-radio
IdentitiesOnly yes # here's where forcing it to ignore the ssh agent comes in useful
```
On my MPD server, I have the following in `~/.ssh/authorized_keys`:
```authorized_keys
command="ncmpcpp" ssh-ed25519 <contents of <host>-radio.pub>
```
When I `ssh` to `<host>-radio`, all I get is an NCMPCPP session.
On one of my Raspberry Pis, I make use of a forced command to toggle my desk lamp using a little wrapper I wrote around the Pi's GPIO interface.
It has the following line in `~/.ssh/authorized_keys`:
```authorized_keys
no-pty,command="/path/to/script/lamp toggle" ssh-ed25519 <contents of lamp-key.pub>
```
The `no-pty` option prevents any sessions opened with this key from starting an interactive shell session.
Documentation of the `authorized_keys` file can be found in the `sshd` manpage under the `AUTHORIZED_KEYS FILE FORMAT` section.