Securing SSH

JaredBusch

Here's some ideas for you. https://mangolassi.it/topic/10391/fairly-hardened-jump-box

And this one
https://www.mangolassi.it/topic/19858/ssh-hardening

pmoncho

@IRJ said in Securing SSH:

You would store your key in an encrypted drive like druva or one drive

Umm WUT.

You don't store your key anywhere. Because that makes it useless.

Are you reusing the same key on different user devices?

Little lost here.

If I use putty on windows to create my key pair and I put my public key on my linux machine (authorized_keys file).

So what do you do with the private key from the key pair?

JaredBusch

@pmoncho said in Securing SSH:

@JaredBusch said in Securing SSH:

@IRJ said in Securing SSH:

You would store your key in an encrypted drive like druva or one drive

Umm WUT.

You don't store your key anywhere. Because that makes it useless.

Are you reusing the same key on different user devices?

Little lost here.

If I use putty on windows to create my key pair and I put my public key on my linux machine (authorized_keys file).

So what do you do with the private key from the key pair?

Nothing. it is only ever on your one machine.

Also WTF with putty? SSH is native to even Windows now.

pmoncho

@JaredBusch said in Securing SSH:

@pmoncho said in Securing SSH:

@JaredBusch said in Securing SSH:

@IRJ said in Securing SSH:

You would store your key in an encrypted drive like druva or one drive

Umm WUT.

You don't store your key anywhere. Because that makes it useless.

Are you reusing the same key on different user devices?

Little lost here.

If I use putty on windows to create my key pair and I put my public key on my linux machine (authorized_keys file).

So what do you do with the private key from the key pair?

Nothing. it is only ever on your one machine.

Ok. Got it.

Now if I have my work machine and home laptop (used for remote work), should I create multiple keys, one for each machine or just copy and use the same private key?

Also WTF with putty? SSH is native to even Windows now.

It is what I initially used so it was the first thing that popped in my head.

JaredBusch

Open a terminal session and run ssh-keygen to properly generate a valid keypair.
I use the ed25519 algorithm because it creates a short public key and the comments are useful

ssh-keygen -o -a 100 -t ed25519 -C "[email protected] Desktop"

IRJ

@JaredBusch said in Securing SSH:

@IRJ said in Securing SSH:

You would store your key in an encrypted drive like druva or one drive

Umm WUT.

You don't store your key anywhere. Because that makes it useless.

Are you reusing the same key on different user devices?

Not your personal key of course. A break glass key for root access. You get a root key for all cloud servers that should be different from your user key. That was the key I was talking about storing.

black3dynamite

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

# Generating a new ED25519 key without a password
ssh-keygen -o -a 100 -t ed25519 -N '' -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

When I use a key that requires a password, I use ssh-agent so I don't have to enter my password.

# Run ssh-agent and then use ssh-add
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

stacksofplates

@IRJ said in Securing SSH:

@hobbit666 said in Securing SSH:

I think the common things i've seen so far are -

PasswordLess access i.e. Public/Private Keys
Timeouts
Disallow root logon
Harden Firewall
White-list IP's that can access.

That is a good quick list, but we can add use vpn and/bastion host for access to that list.

Yeah this wasn't for a cloud deployment so it was the perimeter device. I incorrectly called it a jump box for some reason. It's really a bastion host.

pmoncho

@black3dynamite said in Securing SSH:

On my Fedora laptop and desktop this is what I do.

# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519

May be a stupid question but, should we use passwords?

DustinB3403

@pmoncho said in Securing SSH:

@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
May be a stupid question but, should we use passwords?

You can, but you'd have to enter that password every time to connect using your SSH key.

black3dynamite

@pmoncho said in Securing SSH:

@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
May be a stupid question but, should we use passwords?

It's for protecting your private key.

black3dynamite

@DustinB3403 said in Securing SSH:

@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
May be a stupid question but, should we use passwords?
You can, but you'd have to enter that password every time to connect using your SSH key.

Unless use ssh-agent.

DustinB3403

@black3dynamite said in Securing SSH:

@DustinB3403 said in Securing SSH:
@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
May be a stupid question but, should we use passwords?
You can, but you'd have to enter that password every time to connect using your SSH key.
Unless use ssh-agent.

How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

black3dynamite

@DustinB3403 said in Securing SSH:

@black3dynamite said in Securing SSH:
@DustinB3403 said in Securing SSH:
@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
May be a stupid question but, should we use passwords?
You can, but you'd have to enter that password every time to connect using your SSH key.
Unless use ssh-agent.
How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

It's not stored in plain-text.

https://www.emtec.com/ssh/agent.html

pmoncho

@black3dynamite said in Securing SSH:

@DustinB3403 said in Securing SSH:
@black3dynamite said in Securing SSH:
@DustinB3403 said in Securing SSH:
@pmoncho said in Securing SSH:
@black3dynamite said in Securing SSH:
On my Fedora laptop and desktop this is what I do.
# Generating a new ED25519 key with a password
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
May be a stupid question but, should we use passwords?
You can, but you'd have to enter that password every time to connect using your SSH key.
Unless use ssh-agent.
How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .
It's not stored in plain-text.

https://www.emtec.com/ssh/agent.html

Well damn. This is interesting to know. If that is the case, it just may be beneficial to use a passphrase if only done once per 8 hours. I can handle that.

hobbit666

Silly question, i think i know the answer but checking
If i'm using a windows machine logging in as a domain user - [email protected]

I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

Do i need a user called myname (or [email protected]) on the zabbix server?

Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

Dashrender

@hobbit666 said in Securing SSH:

Silly question, i think i know the answer but checking
If i'm using a windows machine logging in as a domain user - [email protected]

I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

Do i need a user called myname (or [email protected]) on the zabbix server?

Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

I'm taking a stab here because it's been two hours with no reply.

I'm going to say no, you don't I have several VMs that I SSH into all the time, and non of them have my domain account on them, yet the Windows machine I'm on is on an AD.

You could try to setup pass-through authentication, but the whole keypair thing goes away (I think)... though you could try to setup kerberos authentication on your Zabbix box so you can login using AD creds.

scottalanmiller

@hobbit666 said in Securing SSH:

Do i need a user called myname (or [email protected]) on the zabbix server?

No, you use any name you want on Zabbix.

JaredBusch

@scottalanmiller said in Securing SSH:

@hobbit666 said in Securing SSH:

Do i need a user called myname (or [email protected]) on the zabbix server?

No, you use any name you want on Zabbix.

More specifically, on your desktop get used to typing ssh [email protected] instead of just ssh ip.add.re.ss

Or create a command alias: https://docs.microsoft.com/en-us/windows/console/console-aliases

hobbit666

Updated 2nd post