ML
    • Register
    • Login
    • Search
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups

    Securing SSH

    IT Discussion
    ssh ssh keys security
    11
    60
    733
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • black3dynamite
      black3dynamite @DustinB3403 last edited by

      @DustinB3403 said in Securing SSH:

      @black3dynamite said in Securing SSH:

      @DustinB3403 said in Securing SSH:

      @pmoncho said in Securing SSH:

      @black3dynamite said in Securing SSH:

      On my Fedora laptop and desktop this is what I do.

      # Generating a new ED25519 key with a password
      ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
      

      May be a stupid question but, should we use passwords?

      You can, but you'd have to enter that password every time to connect using your SSH key.

      Unless use ssh-agent.

      How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

      It's not stored in plain-text.

      https://www.emtec.com/ssh/agent.html
      c13e81b6-b25e-4ecb-9fee-94fb1ed55391-image.png

      P 1 Reply Last reply Reply Quote 2
      • P
        pmoncho @black3dynamite last edited by

        @black3dynamite said in Securing SSH:

        @DustinB3403 said in Securing SSH:

        @black3dynamite said in Securing SSH:

        @DustinB3403 said in Securing SSH:

        @pmoncho said in Securing SSH:

        @black3dynamite said in Securing SSH:

        On my Fedora laptop and desktop this is what I do.

        # Generating a new ED25519 key with a password
        ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
        

        May be a stupid question but, should we use passwords?

        You can, but you'd have to enter that password every time to connect using your SSH key.

        Unless use ssh-agent.

        How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

        It's not stored in plain-text.

        https://www.emtec.com/ssh/agent.html
        c13e81b6-b25e-4ecb-9fee-94fb1ed55391-image.png

        Well damn. This is interesting to know. If that is the case, it just may be beneficial to use a passphrase if only done once per 8 hours. I can handle that.

        1 Reply Last reply Reply Quote 3
        • hobbit666
          hobbit666 last edited by

          Silly question, i think i know the answer but checking 🙂
          If i'm using a windows machine logging in as a domain user - [email protected]

          I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

          Do i need a user called myname (or [email protected]) on the zabbix server?

          Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

          Dashrender scottalanmiller 2 Replies Last reply Reply Quote 0
          • Dashrender
            Dashrender @hobbit666 last edited by

            @hobbit666 said in Securing SSH:

            Silly question, i think i know the answer but checking 🙂
            If i'm using a windows machine logging in as a domain user - [email protected]

            I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

            Do i need a user called myname (or [email protected]) on the zabbix server?

            Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

            I'm taking a stab here because it's been two hours with no reply.

            I'm going to say no, you don't I have several VMs that I SSH into all the time, and non of them have my domain account on them, yet the Windows machine I'm on is on an AD.

            You could try to setup pass-through authentication, but the whole keypair thing goes away (I think)... though you could try to setup kerberos authentication on your Zabbix box so you can login using AD creds.

            1 Reply Last reply Reply Quote 0
            • scottalanmiller
              scottalanmiller @hobbit666 last edited by

              @hobbit666 said in Securing SSH:

              Do i need a user called myname (or [email protected]) on the zabbix server?

              No, you use any name you want on Zabbix.

              JaredBusch 1 Reply Last reply Reply Quote 0
              • JaredBusch
                JaredBusch @scottalanmiller last edited by

                @scottalanmiller said in Securing SSH:

                @hobbit666 said in Securing SSH:

                Do i need a user called myname (or [email protected]) on the zabbix server?

                No, you use any name you want on Zabbix.

                More specifically, on your desktop get used to typing ssh [email protected] instead of just ssh ip.add.re.ss

                Or create a command alias: https://docs.microsoft.com/en-us/windows/console/console-aliases

                1 Reply Last reply Reply Quote 2
                • hobbit666
                  hobbit666 last edited by

                  Updated 2nd post

                  1 Reply Last reply Reply Quote 0
                  • Dashrender
                    Dashrender @hobbit666 last edited by

                    @hobbit666 said in Securing SSH:

                    Steps I used to connect to my Zabbix Server (CentOS 😎 from Win10

                    created a folder c:\users<username>.ssh
                    in powershell ran this command

                     ssh-keygen -o -a 100 -t ed25519 -C "[email protected] Desktop"
                    

                    Typed on the password i wanted to use (you can run a different command to have a password less key - see below)
                    This generated two files in .ssh - id_ed25519 and id_ed25519.pub

                    still in powershell i ssh'd onto the zabbix server

                    ssh <user>@<ip>
                    

                    Once in ran the following commands

                    sudo mkdir ~/.ssh
                    sudo nano ~/.ssh/authorized_keys
                    

                    copy the contents of the .pub file on the windows machine

                    sudo chown YourUserName:YourUserName ~/.ssh -R
                    sudo chmod 700 ~/.ssh
                    sudo chmod 600 ~/.ssh/authorized_keys
                    

                    Then from powershell ssh <user>@<ip> and it just asked me for the key password and i'm in 😄

                    Updated - 28/02/2020

                    So all of the public keys go into that single authorized_keys file? or does each user on the remote system have their own authorized_keys file?

                    hobbit666 JaredBusch 2 Replies Last reply Reply Quote 0
                    • hobbit666
                      hobbit666 @Dashrender last edited by hobbit666

                      @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                      but my guess is in the same authorized_keys file on a separate line

                      JaredBusch 1 Reply Last reply Reply Quote 0
                      • JaredBusch
                        JaredBusch @Dashrender last edited by

                        @Dashrender said in Securing SSH:

                        So all of the public keys go into that single authorized_keys file?

                        It is in the user directory. All of that user's keys are there.

                        But again, these are public keys.

                        Dashrender 1 Reply Last reply Reply Quote 0
                        • JaredBusch
                          JaredBusch @hobbit666 last edited by JaredBusch

                          @hobbit666 said in Securing SSH:

                          @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                          but my guess is in the same authorized_keys file on a separate line

                          This is your friend.

                          ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                          

                          if you only have a single public key you can simplify it to

                          ssh-copy-id [email protected]
                          

                          I specify because my desktop has a few different generated keys.
                          3ff95aa0-de1f-4a83-b1c3-74c0919f78c8-image.png

                          hobbit666 wirestyle22 2 Replies Last reply Reply Quote 2
                          • Dashrender
                            Dashrender @JaredBusch last edited by

                            @JaredBusch said in Securing SSH:

                            @Dashrender said in Securing SSH:

                            So all of the public keys go into that single authorized_keys file?

                            It is in the user directory. All of that user's keys are there.

                            But again, these are public keys.

                            Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
                            Just talking this through to myself.

                            Thanks.

                            JaredBusch 1 Reply Last reply Reply Quote 0
                            • JaredBusch
                              JaredBusch @Dashrender last edited by

                              @Dashrender said in Securing SSH:

                              @JaredBusch said in Securing SSH:

                              @Dashrender said in Securing SSH:

                              So all of the public keys go into that single authorized_keys file?

                              It is in the user directory. All of that user's keys are there.

                              But again, these are public keys.

                              Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
                              Just talking this through to myself.

                              Thanks.

                              The username is specified at login. this has nothing to do with the key.

                              ssh [email protected]
                              

                              you can easily use this key for root if you like to be unsecure.

                              ssh [email protected]
                              
                              Dashrender 1 Reply Last reply Reply Quote 1
                              • hobbit666
                                hobbit666 @JaredBusch last edited by

                                @JaredBusch said in Securing SSH:

                                This is your friend.

                                ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                

                                command not found in powershell 🙂 bu that's a windows problem.

                                DustinB3403 1 Reply Last reply Reply Quote 0
                                • DustinB3403
                                  DustinB3403 @hobbit666 last edited by

                                  @hobbit666 said in Securing SSH:

                                  @JaredBusch said in Securing SSH:

                                  This is your friend.

                                  ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                  

                                  command not found in powershell 🙂 bu that's a windows problem.

                                  That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

                                  JaredBusch 1 Reply Last reply Reply Quote 1
                                  • Dashrender
                                    Dashrender @JaredBusch last edited by

                                    @JaredBusch said in Securing SSH:

                                    @Dashrender said in Securing SSH:

                                    @JaredBusch said in Securing SSH:

                                    @Dashrender said in Securing SSH:

                                    So all of the public keys go into that single authorized_keys file?

                                    It is in the user directory. All of that user's keys are there.

                                    But again, these are public keys.

                                    Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
                                    Just talking this through to myself.

                                    Thanks.

                                    The username is specified at login. this has nothing to do with the key.

                                    ssh [email protected]
                                    

                                    you can easily use this key for root if you like to be unsecure.

                                    ssh [email protected]
                                    

                                    Thanks, I stand corrected.

                                    1 Reply Last reply Reply Quote 0
                                    • JaredBusch
                                      JaredBusch @DustinB3403 last edited by

                                      @DustinB3403 said in Securing SSH:

                                      @hobbit666 said in Securing SSH:

                                      @JaredBusch said in Securing SSH:

                                      This is your friend.

                                      ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                      

                                      command not found in powershell 🙂 bu that's a windows problem.

                                      That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

                                      That's his problem for using a shitty OS, not mine.

                                      hobbit666 1 Reply Last reply Reply Quote 4
                                      • hobbit666
                                        hobbit666 @JaredBusch last edited by

                                        @JaredBusch :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_closed_eyes: :face_with_stuck-out_tongue_closed_eyes:
                                        I'll try moving to Fedora again at some point.

                                        1 Reply Last reply Reply Quote 1
                                        • hobbit666
                                          hobbit666 last edited by

                                          So, I've done the keys and all is working with my Zabbix and Unifi servers. Not disabled password logins yet (apart from root).

                                          DustinB3403 1 Reply Last reply Reply Quote 1
                                          • DustinB3403
                                            DustinB3403 @hobbit666 last edited by

                                            @hobbit666 said in Securing SSH:

                                            So, I've done the keys and all is working with my Zabbix and Unifi servers. Not disabled password logins yet (apart from root).

                                            If you're keys work, you should disable the password logins.

                                            hobbit666 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post