Sys-Admin

Secure Shell (SSH)

Introduction

Secure Shell Protocol (SSH Protocol) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

OpenSSL is a cryptographic library that enables an open source implementation of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides functions to generate private keys, manage certificates, and equip client applications with encryption and decryption.

Generate SSH key pair

OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

ECDSA is one of the more complex public key cryptography encryption algorithms.

Generate ECDSA key pair using OpenSSL

Generate private key.

 openssl ecparam -genkey -name prime256v1 -noout -out /path/to/ecdsa_private_key_name.pem

Generate public key.

 openssl ec -in /path/to/ecdsa_private_key_name.pem -pubout -out /path/to/ecdsa_public_key_name.pem

Verify generated keys.

 openssl ec -in /path/to/ecdsa_private_key.pem -check

Convert Public Key to OpenSSH format.
Servers that require public key to be in OpenSSH format for authentication.
```
 ssh-keygen -f /path/to/ecdsa_public_key_name.pem -i -m PKCS8 > /path/to/public_key_openssh.pub
```

Change permission to read for owner.

 chmod 400 /path/to/ecdsa_private_key_name.pem

Generate ECDSA key pair using ssh-keygen

Gnerate key pair.

ssh-keygen -t ed25519 -C "your key comment" -f /path/to/key/filename

-t - Specify algorithm to use when generating the key pair e.g -t rsa, -t ecd25519.
-C - Add comment to the key pair.
-f - Specify output folder and name.

Copy Public key to the server
Automatically
Use ssh-copy-id to copy the public key. This will ask for password being used currently.

ssh-copy-id -i /path/to/your/key.pub user@server_ip

Manually

Copy the generated public key on the host, i.e where it was generated.
```
cat /path/to/ecdsa_public_key_openssh.pub
```
Ssh to the server.
- Create ~/.ssh directory if it doesn’t exist on home directory.
```
mkdir ~/.ssh && chmod 600 -R ~/.ssh/
```
- Append copied public key from local host to the server on ~/.ssh/authorized_keys. ~/.ssh/authorized_keys file must be owned by the user.

SSH configurations and hardening

Config files:

etc/ssh/sshd_config - SSH server. How others connect to you.
etc/ssh/ssh_config - SSH client. How you connect to others.

ssh_config

Check ssh version.

sshd -V

Add remote host on ~/.ssh/config.

Host <host>
HostName <hostname/ip addr>
Port <ssh port>
User <server user>
IdentityFile <private key file>

sshd_config

Complete /etc/ssh/sshd_config file with ssh hardening.

Test config file.

sudo sshd -t

View effective config file.

sudo sshd -T

Restart SSH service.

sudo systemctl daemon-reload && \
sudo systemctl restart ssh

Critical: Always keep your current SSH session open when testing changes, so you can revert if locked out!

Key improvements

Strong cryptography: Modern cipher suites.
Reduced attack surface: Disabled unnecessary features i.e TCP forwarding, agent forwarding.
Strictier authentication: reduced login grace time and max auth tries.
Connection management: Better idle timeout settings.
Algorithm whitlisting: Using modern secure and MAC algorithms.
Disabled password authentication: Using key pair to authenticate.
Disabled root authentication: Use sudo to login as a root user.
Whitelisted users and groups to login: Only certain users and groups can login.

Recommendations

Change SSH port - to reduce automated attacks.
Install and configure fail2ban/iptables.