Securing SSH

Dashrender

@hobbit666 said in Securing SSH:

Silly question, i think i know the answer but checking
If i'm using a windows machine logging in as a domain user - [email protected]

I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

Do i need a user called myname (or [email protected]) on the zabbix server?

Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

I'm taking a stab here because it's been two hours with no reply.

I'm going to say no, you don't I have several VMs that I SSH into all the time, and non of them have my domain account on them, yet the Windows machine I'm on is on an AD.

You could try to setup pass-through authentication, but the whole keypair thing goes away (I think)... though you could try to setup kerberos authentication on your Zabbix box so you can login using AD creds.

scottalanmiller

@hobbit666 said in Securing SSH:

Do i need a user called myname (or [email protected]) on the zabbix server?

No, you use any name you want on Zabbix.

JaredBusch

@scottalanmiller said in Securing SSH:

@hobbit666 said in Securing SSH:

Do i need a user called myname (or [email protected]) on the zabbix server?

No, you use any name you want on Zabbix.

More specifically, on your desktop get used to typing ssh [email protected] instead of just ssh ip.add.re.ss

Or create a command alias: https://docs.microsoft.com/en-us/windows/console/console-aliases

hobbit666

Updated 2nd post

Dashrender

@hobbit666 said in Securing SSH:

Steps I used to connect to my Zabbix Server (CentOS from Win10

created a folder c:\users<username>.ssh
in powershell ran this command

 ssh-keygen -o -a 100 -t ed25519 -C "[email protected] Desktop"

Typed on the password i wanted to use (you can run a different command to have a password less key - see below)
This generated two files in .ssh - id_ed25519 and id_ed25519.pub

still in powershell i ssh'd onto the zabbix server

ssh <user>@<ip>

Once in ran the following commands

sudo mkdir ~/.ssh
sudo nano ~/.ssh/authorized_keys

copy the contents of the .pub file on the windows machine

sudo chown YourUserName:YourUserName ~/.ssh -R
sudo chmod 700 ~/.ssh
sudo chmod 600 ~/.ssh/authorized_keys

Then from powershell ssh <user>@<ip> and it just asked me for the key password and i'm in

Updated - 28/02/2020

So all of the public keys go into that single authorized_keys file? or does each user on the remote system have their own authorized_keys file?

hobbit666

@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line

JaredBusch

@Dashrender said in Securing SSH:

So all of the public keys go into that single authorized_keys file?

It is in the user directory. All of that user's keys are there.

But again, these are public keys.

JaredBusch

@hobbit666 said in Securing SSH:

@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

if you only have a single public key you can simplify it to

ssh-copy-id user@ip

I specify because my desktop has a few different generated keys.

Dashrender

@JaredBusch said in Securing SSH:

@Dashrender said in Securing SSH:

So all of the public keys go into that single authorized_keys file?

It is in the user directory. All of that user's keys are there.

But again, these are public keys.

Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
Just talking this through to myself.

Thanks.

JaredBusch

@Dashrender said in Securing SSH:

@JaredBusch said in Securing SSH:

@Dashrender said in Securing SSH:

So all of the public keys go into that single authorized_keys file?

It is in the user directory. All of that user's keys are there.

But again, these are public keys.

Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
Just talking this through to myself.

Thanks.

The username is specified at login. this has nothing to do with the key.

ssh user@ip

you can easily use this key for root if you like to be unsecure.

ssh root@ip

hobbit666

@JaredBusch said in Securing SSH:

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

command not found in powershell bu that's a windows problem.

DustinB3403

@hobbit666 said in Securing SSH:

@JaredBusch said in Securing SSH:

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

command not found in powershell bu that's a windows problem.

That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

Dashrender

@JaredBusch said in Securing SSH:

@Dashrender said in Securing SSH:

@JaredBusch said in Securing SSH:

@Dashrender said in Securing SSH:

So all of the public keys go into that single authorized_keys file?

It is in the user directory. All of that user's keys are there.

But again, these are public keys.

Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
Just talking this through to myself.

Thanks.

The username is specified at login. this has nothing to do with the key.

ssh user@ip

you can easily use this key for root if you like to be unsecure.

ssh root@ip

Thanks, I stand corrected.

JaredBusch

@DustinB3403 said in Securing SSH:

@hobbit666 said in Securing SSH:

@JaredBusch said in Securing SSH:

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

command not found in powershell bu that's a windows problem.

That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

That's his problem for using a shitty OS, not mine.

hobbit666

@JaredBusch :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_closed_eyes: :face_with_stuck-out_tongue_closed_eyes:
I'll try moving to Fedora again at some point.

hobbit666

So, I've done the keys and all is working with my Zabbix and Unifi servers. Not disabled password logins yet (apart from root).

DustinB3403

@hobbit666 said in Securing SSH:

So, I've done the keys and all is working with my Zabbix and Unifi servers. Not disabled password logins yet (apart from root).

If you're keys work, you should disable the password logins.

hobbit666

@DustinB3403 I will once i've played around a bit more with changing other settings for SSH.

DustinB3403

@hobbit666 Don't forget that you can set a password on your keys if you really want to have a more secured access process.

hobbit666

@DustinB3403 I've already got the password on the keys. I've just not disabled password logins in case i kill something and need to get access :). Planning on removing it once i've "SSH Key's" the other servers.