ML
    • Register
    • Login
    • Search
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups

    Securing SSH

    IT Discussion
    ssh ssh keys security
    11
    60
    702
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBusch
      JaredBusch @Dashrender last edited by

      @Dashrender said in Securing SSH:

      @JaredBusch said in Securing SSH:

      @Dashrender said in Securing SSH:

      So all of the public keys go into that single authorized_keys file?

      It is in the user directory. All of that user's keys are there.

      But again, these are public keys.

      Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
      Just talking this through to myself.

      Thanks.

      The username is specified at login. this has nothing to do with the key.

      ssh [email protected]
      

      you can easily use this key for root if you like to be unsecure.

      ssh [email protected]
      
      Dashrender 1 Reply Last reply Reply Quote 1
      • hobbit666
        hobbit666 @JaredBusch last edited by

        @JaredBusch said in Securing SSH:

        This is your friend.

        ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
        

        command not found in powershell 🙂 bu that's a windows problem.

        DustinB3403 1 Reply Last reply Reply Quote 0
        • DustinB3403
          DustinB3403 @hobbit666 last edited by

          @hobbit666 said in Securing SSH:

          @JaredBusch said in Securing SSH:

          This is your friend.

          ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
          

          command not found in powershell 🙂 bu that's a windows problem.

          That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

          JaredBusch 1 Reply Last reply Reply Quote 1
          • Dashrender
            Dashrender @JaredBusch last edited by

            @JaredBusch said in Securing SSH:

            @Dashrender said in Securing SSH:

            @JaredBusch said in Securing SSH:

            @Dashrender said in Securing SSH:

            So all of the public keys go into that single authorized_keys file?

            It is in the user directory. All of that user's keys are there.

            But again, these are public keys.

            Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
            Just talking this through to myself.

            Thanks.

            The username is specified at login. this has nothing to do with the key.

            ssh [email protected]
            

            you can easily use this key for root if you like to be unsecure.

            ssh [email protected]
            

            Thanks, I stand corrected.

            1 Reply Last reply Reply Quote 0
            • JaredBusch
              JaredBusch @DustinB3403 last edited by

              @DustinB3403 said in Securing SSH:

              @hobbit666 said in Securing SSH:

              @JaredBusch said in Securing SSH:

              This is your friend.

              ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
              

              command not found in powershell 🙂 bu that's a windows problem.

              That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

              That's his problem for using a shitty OS, not mine.

              hobbit666 1 Reply Last reply Reply Quote 4
              • hobbit666
                hobbit666 @JaredBusch last edited by

                @JaredBusch :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_closed_eyes: :face_with_stuck-out_tongue_closed_eyes:
                I'll try moving to Fedora again at some point.

                1 Reply Last reply Reply Quote 1
                • hobbit666
                  hobbit666 last edited by

                  So, I've done the keys and all is working with my Zabbix and Unifi servers. Not disabled password logins yet (apart from root).

                  DustinB3403 1 Reply Last reply Reply Quote 1
                  • DustinB3403
                    DustinB3403 @hobbit666 last edited by

                    @hobbit666 said in Securing SSH:

                    So, I've done the keys and all is working with my Zabbix and Unifi servers. Not disabled password logins yet (apart from root).

                    If you're keys work, you should disable the password logins.

                    hobbit666 1 Reply Last reply Reply Quote 0
                    • hobbit666
                      hobbit666 @DustinB3403 last edited by

                      @DustinB3403 I will once i've played around a bit more with changing other settings for SSH.

                      DustinB3403 1 Reply Last reply Reply Quote 0
                      • DustinB3403
                        DustinB3403 @hobbit666 last edited by

                        @hobbit666 Don't forget that you can set a password on your keys if you really want to have a more secured access process.

                        hobbit666 1 Reply Last reply Reply Quote 0
                        • hobbit666
                          hobbit666 @DustinB3403 last edited by

                          @DustinB3403 I've already got the password on the keys. I've just not disabled password logins in case i kill something and need to get access :). Planning on removing it once i've "SSH Key's" the other servers.

                          DustinB3403 P 2 Replies Last reply Reply Quote 0
                          • DustinB3403
                            DustinB3403 @hobbit666 last edited by

                            @hobbit666 said in Securing SSH:

                            @DustinB3403 I've already got the password on the keys. I've just not disabled password logins in case i kill something and need to get access :). Planning on removing it once i've "SSH Key's" the other servers.

                            Have you confirmed that key based login works? If so, then you login as [email protected] and elevate to root. Disable root login period via ssh and only allow elevation.

                            1 Reply Last reply Reply Quote 0
                            • P
                              pmoncho @hobbit666 last edited by

                              @hobbit666 said in Securing SSH:

                              @DustinB3403 I've already got the password on the keys. I've just not disabled password logins in case i kill something and need to get access :). Planning on removing it once i've "SSH Key's" the other servers.

                              Don't forget, you can still login as root or a admin user on the console. You are only securing ssh.

                              If you want to test, login to the console of the server (stay logged in), change your sshd_config, restart sshd process, test logging in with your keys and/or any other testing you want to do. If all is well, log out of the console.

                              1 Reply Last reply Reply Quote 2
                              • wirestyle22
                                wirestyle22 @JaredBusch last edited by wirestyle22

                                @JaredBusch said in Securing SSH:

                                @hobbit666 said in Securing SSH:

                                @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                                but my guess is in the same authorized_keys file on a separate line

                                This is your friend.

                                ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                

                                if you only have a single public key you can simplify it to

                                ssh-copy-id [email protected]
                                

                                I specify because my desktop has a few different generated keys.
                                3ff95aa0-de1f-4a83-b1c3-74c0919f78c8-image.png

                                How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

                                JaredBusch coliver 2 Replies Last reply Reply Quote 1
                                • JaredBusch
                                  JaredBusch @wirestyle22 last edited by

                                  @wirestyle22 said in Securing SSH:

                                  @JaredBusch said in Securing SSH:

                                  @hobbit666 said in Securing SSH:

                                  @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                                  but my guess is in the same authorized_keys file on a separate line

                                  This is your friend.

                                  ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                  

                                  if you only have a single public key you can simplify it to

                                  ssh-copy-id [email protected]
                                  

                                  I specify because my desktop has a few different generated keys.
                                  3ff95aa0-de1f-4a83-b1c3-74c0919f78c8-image.png

                                  How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

                                  No one has 100 keys unless they have 100 desktops.

                                  But yes. you can easily script this.

                                  See:

                                  @scottalanmiller said in Securing SSH:

                                  Correct. We put our public keys into scripts to deploy and have them listed on a wiki, too. So that it is easy to add users to a system.

                                  1 Reply Last reply Reply Quote 1
                                  • coliver
                                    coliver @wirestyle22 last edited by

                                    @wirestyle22 said in Securing SSH:

                                    @JaredBusch said in Securing SSH:

                                    @hobbit666 said in Securing SSH:

                                    @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                                    but my guess is in the same authorized_keys file on a separate line

                                    This is your friend.

                                    ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                    

                                    if you only have a single public key you can simplify it to

                                    ssh-copy-id [email protected]
                                    

                                    I specify because my desktop has a few different generated keys.
                                    3ff95aa0-de1f-4a83-b1c3-74c0919f78c8-image.png

                                    How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

                                    There is also a way to do a trusted key broker. So you have a single CA that verifies your identity.

                                    stacksofplates 1 Reply Last reply Reply Quote 1
                                    • stacksofplates
                                      stacksofplates @coliver last edited by

                                      @coliver said in Securing SSH:

                                      @wirestyle22 said in Securing SSH:

                                      @JaredBusch said in Securing SSH:

                                      @hobbit666 said in Securing SSH:

                                      @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                                      but my guess is in the same authorized_keys file on a separate line

                                      This is your friend.

                                      ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                      

                                      if you only have a single public key you can simplify it to

                                      ssh-copy-id [email protected]
                                      

                                      I specify because my desktop has a few different generated keys.
                                      3ff95aa0-de1f-4a83-b1c3-74c0919f78c8-image.png

                                      How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

                                      There is also a way to do a trusted key broker. So you have a single CA that verifies your identity.

                                      Right there's a few ways to do this. Key management through LDAP, SSH certs with a CA, rotating credentials with something like Vault, etc.

                                      IRJ 1 Reply Last reply Reply Quote 0
                                      • IRJ
                                        IRJ @stacksofplates last edited by

                                        @stacksofplates said in Securing SSH:

                                        @coliver said in Securing SSH:

                                        @wirestyle22 said in Securing SSH:

                                        @JaredBusch said in Securing SSH:

                                        @hobbit666 said in Securing SSH:

                                        @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                                        but my guess is in the same authorized_keys file on a separate line

                                        This is your friend.

                                        ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]
                                        

                                        if you only have a single public key you can simplify it to

                                        ssh-copy-id [email protected]
                                        

                                        I specify because my desktop has a few different generated keys.
                                        3ff95aa0-de1f-4a83-b1c3-74c0919f78c8-image.png

                                        How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

                                        There is also a way to do a trusted key broker. So you have a single CA that verifies your identity.

                                        Right there's a few ways to do this. Key management through LDAP, SSH certs with a CA, rotating credentials with something like Vault, etc.

                                        You can do this something like Okta ASA as well.

                                        https://help.okta.com/en/prod/Content/Topics/Adv_Server_Access/docs/asa-overview.htm

                                        1 Reply Last reply Reply Quote 1
                                        • stacksofplates
                                          stacksofplates last edited by

                                          Another really good option is not letting them log directly into the systems at all and forcing them to use a config management tool. So something like Tower or a Jenkins server that logs all of the commands run and has the permissions set there.

                                          scottalanmiller 1 Reply Last reply Reply Quote 4
                                          • scottalanmiller
                                            scottalanmiller @stacksofplates last edited by

                                            @stacksofplates said in Securing SSH:

                                            Another really good option is not letting them log directly into the systems at all and forcing them to use a config management tool. So something like Tower or a Jenkins server that logs all of the commands run and has the permissions set there.

                                            Right. Just like the best defense is a good offense (or vice versa?) The most secure port, is a closed port. Locking down SSH, no matter how good, isn't as good as completely closing it.

                                            Or using config management to only open it when necessary, is an "in between" step, too.

                                            1 Reply Last reply Reply Quote 1
                                            • First post
                                              Last post