ML
    • Register
    • Login
    • Search
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups

    Securing SSH

    IT Discussion
    ssh ssh keys security
    11
    60
    706
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pmoncho @black3dynamite last edited by

      @black3dynamite said in Securing SSH:

      @DustinB3403 said in Securing SSH:

      @black3dynamite said in Securing SSH:

      @DustinB3403 said in Securing SSH:

      @pmoncho said in Securing SSH:

      @black3dynamite said in Securing SSH:

      On my Fedora laptop and desktop this is what I do.

      # Generating a new ED25519 key with a password
      ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
      

      May be a stupid question but, should we use passwords?

      You can, but you'd have to enter that password every time to connect using your SSH key.

      Unless use ssh-agent.

      How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

      It's not stored in plain-text.

      https://www.emtec.com/ssh/agent.html
      c13e81b6-b25e-4ecb-9fee-94fb1ed55391-image.png

      Well damn. This is interesting to know. If that is the case, it just may be beneficial to use a passphrase if only done once per 8 hours. I can handle that.

      1 Reply Last reply Reply Quote 3
      • hobbit666
        hobbit666 last edited by

        Silly question, i think i know the answer but checking 🙂
        If i'm using a windows machine logging in as a domain user - [email protected]

        I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

        Do i need a user called myname (or [email protected]) on the zabbix server?

        Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

        Dashrender scottalanmiller 2 Replies Last reply Reply Quote 0
        • Dashrender
          Dashrender @hobbit666 last edited by

          @hobbit666 said in Securing SSH:

          Silly question, i think i know the answer but checking 🙂
          If i'm using a windows machine logging in as a domain user - [email protected]

          I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

          Do i need a user called myname (or [email protected]) on the zabbix server?

          Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

          I'm taking a stab here because it's been two hours with no reply.

          I'm going to say no, you don't I have several VMs that I SSH into all the time, and non of them have my domain account on them, yet the Windows machine I'm on is on an AD.

          You could try to setup pass-through authentication, but the whole keypair thing goes away (I think)... though you could try to setup kerberos authentication on your Zabbix box so you can login using AD creds.

          1 Reply Last reply Reply Quote 0
          • scottalanmiller
            scottalanmiller @hobbit666 last edited by

            @hobbit666 said in Securing SSH:

            Do i need a user called myname (or [email protected]) on the zabbix server?

            No, you use any name you want on Zabbix.

            JaredBusch 1 Reply Last reply Reply Quote 0
            • JaredBusch
              JaredBusch @scottalanmiller last edited by

              @scottalanmiller said in Securing SSH:

              @hobbit666 said in Securing SSH:

              Do i need a user called myname (or [email protected]) on the zabbix server?

              No, you use any name you want on Zabbix.

              More specifically, on your desktop get used to typing ssh [email protected] instead of just ssh ip.add.re.ss

              Or create a command alias: https://docs.microsoft.com/en-us/windows/console/console-aliases

              1 Reply Last reply Reply Quote 2
              • hobbit666
                hobbit666 last edited by

                Updated 2nd post

                1 Reply Last reply Reply Quote 0
                • Dashrender
                  Dashrender @hobbit666 last edited by

                  @hobbit666 said in Securing SSH:

                  Steps I used to connect to my Zabbix Server (CentOS 😎 from Win10

                  created a folder c:\users<username>.ssh
                  in powershell ran this command

                   ssh-keygen -o -a 100 -t ed25519 -C "[email protected] Desktop"
                  

                  Typed on the password i wanted to use (you can run a different command to have a password less key - see below)
                  This generated two files in .ssh - id_ed25519 and id_ed25519.pub

                  still in powershell i ssh'd onto the zabbix server

                  ssh <user>@<ip>
                  

                  Once in ran the following commands

                  sudo mkdir ~/.ssh
                  sudo nano ~/.ssh/authorized_keys
                  

                  copy the contents of the .pub file on the windows machine

                  sudo chown YourUserName:YourUserName ~/.ssh -R
                  sudo chmod 700 ~/.ssh
                  sudo chmod 600 ~/.ssh/authorized_keys
                  

                  Then from powershell ssh <user>@<ip> and it just asked me for the key password and i'm in 😄

                  Updated - 28/02/2020

                  So all of the public keys go into that single authorized_keys file? or does each user on the remote system have their own authorized_keys file?

                  hobbit666 JaredBusch 2 Replies Last reply Reply Quote 0
                  • hobbit666
                    hobbit666 @Dashrender last edited by hobbit666

                    @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                    but my guess is in the same authorized_keys file on a separate line

                    JaredBusch 1 Reply Last reply Reply Quote 0
                    • JaredBusch
                      JaredBusch @Dashrender last edited by

                      @Dashrender said in Securing SSH:

                      So all of the public keys go into that single authorized_keys file?

                      It is in the user directory. All of that user's keys are there.

                      But again, these are public keys.

                      Dashrender 1 Reply Last reply Reply Quote 0
                      • JaredBusch
                        JaredBusch @hobbit666 last edited by JaredBusch

                        @hobbit666 said in Securing SSH:

                        @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                        but my guess is in the same authorized_keys file on a separate line

                        This is your friend.

                        ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                        

                        if you only have a single public key you can simplify it to

                        ssh-copy-id [email protected]
                        

                        I specify because my desktop has a few different generated keys.
                        3ff95aa0-de1f-4a83-b1c3-74c0919f78c8-image.png

                        hobbit666 wirestyle22 2 Replies Last reply Reply Quote 2
                        • Dashrender
                          Dashrender @JaredBusch last edited by

                          @JaredBusch said in Securing SSH:

                          @Dashrender said in Securing SSH:

                          So all of the public keys go into that single authorized_keys file?

                          It is in the user directory. All of that user's keys are there.

                          But again, these are public keys.

                          Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
                          Just talking this through to myself.

                          Thanks.

                          JaredBusch 1 Reply Last reply Reply Quote 0
                          • JaredBusch
                            JaredBusch @Dashrender last edited by

                            @Dashrender said in Securing SSH:

                            @JaredBusch said in Securing SSH:

                            @Dashrender said in Securing SSH:

                            So all of the public keys go into that single authorized_keys file?

                            It is in the user directory. All of that user's keys are there.

                            But again, these are public keys.

                            Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
                            Just talking this through to myself.

                            Thanks.

                            The username is specified at login. this has nothing to do with the key.

                            ssh [email protected]
                            

                            you can easily use this key for root if you like to be unsecure.

                            ssh [email protected]
                            
                            Dashrender 1 Reply Last reply Reply Quote 1
                            • hobbit666
                              hobbit666 @JaredBusch last edited by

                              @JaredBusch said in Securing SSH:

                              This is your friend.

                              ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                              

                              command not found in powershell 🙂 bu that's a windows problem.

                              DustinB3403 1 Reply Last reply Reply Quote 0
                              • DustinB3403
                                DustinB3403 @hobbit666 last edited by

                                @hobbit666 said in Securing SSH:

                                @JaredBusch said in Securing SSH:

                                This is your friend.

                                ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                

                                command not found in powershell 🙂 bu that's a windows problem.

                                That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

                                JaredBusch 1 Reply Last reply Reply Quote 1
                                • Dashrender
                                  Dashrender @JaredBusch last edited by

                                  @JaredBusch said in Securing SSH:

                                  @Dashrender said in Securing SSH:

                                  @JaredBusch said in Securing SSH:

                                  @Dashrender said in Securing SSH:

                                  So all of the public keys go into that single authorized_keys file?

                                  It is in the user directory. All of that user's keys are there.

                                  But again, these are public keys.

                                  Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
                                  Just talking this through to myself.

                                  Thanks.

                                  The username is specified at login. this has nothing to do with the key.

                                  ssh [email protected]
                                  

                                  you can easily use this key for root if you like to be unsecure.

                                  ssh [email protected]
                                  

                                  Thanks, I stand corrected.

                                  1 Reply Last reply Reply Quote 0
                                  • JaredBusch
                                    JaredBusch @DustinB3403 last edited by

                                    @DustinB3403 said in Securing SSH:

                                    @hobbit666 said in Securing SSH:

                                    @JaredBusch said in Securing SSH:

                                    This is your friend.

                                    ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                    

                                    command not found in powershell 🙂 bu that's a windows problem.

                                    That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

                                    That's his problem for using a shitty OS, not mine.

                                    hobbit666 1 Reply Last reply Reply Quote 4
                                    • hobbit666
                                      hobbit666 @JaredBusch last edited by

                                      @JaredBusch :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_closed_eyes: :face_with_stuck-out_tongue_closed_eyes:
                                      I'll try moving to Fedora again at some point.

                                      1 Reply Last reply Reply Quote 1
                                      • hobbit666
                                        hobbit666 last edited by

                                        So, I've done the keys and all is working with my Zabbix and Unifi servers. Not disabled password logins yet (apart from root).

                                        DustinB3403 1 Reply Last reply Reply Quote 1
                                        • DustinB3403
                                          DustinB3403 @hobbit666 last edited by

                                          @hobbit666 said in Securing SSH:

                                          So, I've done the keys and all is working with my Zabbix and Unifi servers. Not disabled password logins yet (apart from root).

                                          If you're keys work, you should disable the password logins.

                                          hobbit666 1 Reply Last reply Reply Quote 0
                                          • hobbit666
                                            hobbit666 @DustinB3403 last edited by

                                            @DustinB3403 I will once i've played around a bit more with changing other settings for SSH.

                                            DustinB3403 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post