Table of content

Server
Client

Installation of an SSH server, allowing a secure connection to a computer. The only authentication mechanism that will be authorized is the ssh key. So to secure a little more the server, protection against brute force attacks will be set up, and ssh fingerprints will be published using the DNS.

Follow-up: SSHFP, blacklistd, sshguard

Server

Connexion

Only version 2 of the SSH protocol is allowed to connect, version 1 is now obsolete. Additionally, X11 port forwarding is prohibited, as we consider a server where no graphical applications are hosted.

sshd_config

# Connexion
#--------------------------------------------------
Protocol                                2
X11Forwarding                           no
TCPKeepAlive                            yes
Compression                             yes

Security

sshd_config

1
2
3

# Security / Audit
#--------------------------------------------------
UseBlacklist                            yes

Authentication and Authorization

Only login which identify the user with an ssh key is allowed, this is more reliable than a simple password that can be easily guessed or found through a brute force attack. If the user root need to be able to login, the PermitRootLogin directive need to be set to prohibit-password.

sshd_config

# Authentification / Autorisation
#--------------------------------------------------
PubkeyAuthentication                    yes
ChallengeResponseAuthentication         no
PasswordAuthentication                  no
KerberosAuthentication                  no
GSSAPIAuthentication                    no
HostbasedAuthentication                 no
PermitEmptyPasswords                    no
PermitRootLogin                         no

Information about connections

To keep the user informed of his previous connections (allowing it to detect fraudulent login) and to get information about the status of the server, the following information is submitted to each connection:

the date and origin (IP address) of his last connection
status or server-specific message (entered by the administrator in /etc/issue.net)

sshd_config

# Information about connections
#--------------------------------------------------
PrintLastLog                            yes
PrintMotd                               yes
Banner                                  /etc/issue.net

Sub-system (sftp)

Allows the use of the sftp command, which is a kind of ftp client but for ssh.

sshd_config

1
2
3

# sftp
#--------------------------------------------------
Subsystem       sftp    /usr/libexec/sftp-server

Client

The ssh client is configured through the ~/.ssh/config file, it allows to specify specific options based on the host to contact.

Alternate key/port

A classic example is to use a different ssh key and a different port number:

~/.ssh/config

1
2
3

Host cottage.example.com
  IdentityFile ~/.ssh/my_other_private_key
  Port 115

Port forwarding

1	`ssh -n -L 1234:host.example.com:2345 gateway.example.com`

Proxy

Proxy SOCKS

1	`ssh -D 1337 -C -N -n gw@styx.example.com`

Proxy jump

1	`ssh -J sauron@mordor.example.com gollum@my-precious.example.com`

~/.ssh/config

Host my-precious
    HostName my-precious.example.com
    ProxyJump root@mordor.example.com
    User gollum