FLOSS UK DEVOPS Spring 2015 Enhancing ssh config

Post on 18-Jul-2015



Enhancing ssh Configuration

David Proffitt, Janet NOC

FLOSS Spring 2015, York

(More fun with ssh config)

~/.ssh/config
~/.ssh/authorized_keys
/etc/ssh/sshd_config

Examples are Debian-specific, but should work with RH, FreeBSD, Solaris, MacOS ...

Client options

ssh -X -v -l bill -i ~/.ssh/yorkkey -4 york.domain.net

~/.ssh/config

doesn't exist by default

overrides defaults from /etc/ssh/ssh_config

1. command line options

2. user-specific file

3. system-wide file

Host Aliases

Convenient text labels

Host york

Host york
    HostName york.domain.net

Host york
    HostName 123.45.67.89

ssh york.domain.net (assumes current user name)

ssh -l bill york.domain.net

ssh bill@york.domain.net

Host york
    User bill

ssh york

Multiple aliases are possible

Host york web

(patterns on a Host line are separated by whitespace, see ssh_config(5))

Host york
    User ben

Host brighton
    User bill

Host newcastle
    Port 1234

Host york
    User ben
    IdentityFile /home/bill/.ssh/yorkkey
    # Use with Caution
    ForwardAgent yes
    Protocol 2
    AddressFamily inet
    PubkeyAuthentication no
    # assuming allowed on server
    ForwardX11 yes
    ServerAliveInterval 120

Wildcards

Host *

Host *
    User bill

Any configuration value is only changed the first time it is set.

man ssh

Thus, host-specific definitions should be at the beginning of the configuration file, and defaults at the end.

ssh -v york
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/bill/.ssh/config
debug1: /home/bill/.ssh/config line 19: Applying options for *
debug1: /home/bill/.ssh/config line 363: Applying options for york
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to york.ja.net [123.45.67.89] port 22.
debug1: Connection established.
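The debug output above shows the order in which ssh applies blocks: the `Host *` block at line 19 is applied before the `york` block at line 363, so any option both of them set keeps the wildcard value. The following is an added example, not code from the talk, that models that "first value set wins" rule over a constructed ssh_config and shows the difference between the two orderings. The file contents, host names and the fnmatch-based `host_matches` helper are assumptions; real ssh also reads /etc/ssh/ssh_config after the user file and supports more pattern syntax than is modelled here.

```python
"""Model of ssh_config evaluation: the first value set for an option wins."""
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample (not the speaker's file): host-specific blocks first,
# the Host * defaults last, as ssh_config(5) recommends.
GOOD_ORDER = """
Host york web
    HostName york.domain.net
    User ben
    IdentityFile /home/bill/.ssh/yorkkey

Host newcastle
    Port 1234

Host *
    User bill
    Port 22
    ServerAliveInterval 120
"""

# Same options with the wildcard block first: its User is applied before the
# york block is reached, so "User ben" never takes effect.
WRONG_ORDER = """
Host *
    User bill

Host york
    User ben
"""


def parse_blocks(text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """Return (host patterns, {keyword: value}) pairs in file order.

    Keywords are case-insensitive, so they are lower-cased. Declarations
    before the first Host line get an empty pattern list and apply to all."""
    blocks: List[Tuple[List[str], Dict[str, str]]] = [([], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((value.split(), {}))  # patterns separated by whitespace
        else:
            blocks[-1][1].setdefault(keyword, value)  # duplicate keyword: first wins
    return blocks


def host_matches(host: str, patterns: List[str]) -> bool:
    """Match the name typed on the command line against a Host pattern list.

    A pattern starting with '!' excludes the host if it matches; the '*' and
    '?' wildcards are approximated with fnmatch (an assumption of this model)."""
    if not patterns:
        return True
    matched = False
    for pat in patterns:
        negated = pat.startswith("!")
        target = pat[1:] if negated else pat
        if fnmatch.fnmatchcase(host, target):
            if negated:
                return False
            matched = True
    return matched


def resolve(text: str, host: str) -> Dict[str, str]:
    """Apply matching blocks in file order, keeping the first value per key."""
    result: Dict[str, str] = {}
    for patterns, options in parse_blocks(text):
        if host_matches(host, patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


if __name__ == "__main__":
    for name in ("york", "web", "newcastle", "brighton"):
        print(name, resolve(GOOD_ORDER, name))
    # With the wildcard block first the host-specific User is lost:
    print("york (wrong order):", resolve(WRONG_ORDER, "york"))
```

Running it prints `user: ben` for `york` and `web` under GOOD_ORDER but `user: bill` under WRONG_ORDER, which is exactly the mistake the man page excerpt warns about; `ssh -G york` on a real client prints the same resolved view from the actual files.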

Controlling Key Access

~/.ssh/authorized_keys

ssh-keygen -f ~/.ssh/yorkkey

ssh-keygen -f yorkkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in yorkkey.
Your public key has been saved in yorkkey.pub.
The key fingerprint is:
d6:63:83:d3:c1:ba:cc:17:9a:e6:04:cf:1f:c1:30:cf bill@brighton
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|       .         |
|      o o        |
|     @ .         |
|    . S E        |
|     B * =       |
|      @ o        |
|       + o .     |
|        . .      |
+-----------------+

yorkkey
yorkkey.pub

-rw------- 1 bill bill 1.8K Mar 23 16:22 yorkkey

cat yorkkey.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9pNHNuFYp0kKYtxmmKs20bgBhMdj24U7KuWz6KbuMaIrgCib69z3uoYuD3WYiYoUvoB00M5zqZgC3M0f3+4Y5iXJpKnmaHFf4fpFz2Zru6WQmOyhnhvWMDQJm9nty9w6JoP2GM5bqZKGNzOLtkfPf3e26QliCKdrQzgFmlviFultSQU8/kPxxhFlu4JjwyRzlqCpMX/Ltr8w/fgmBd15NZqYRfJnU/tCjlLim9X+0FND/hKz6zabmNUcJe3gkyPb7noadevnKJtS3K+RPCivgT51lf77TBb398H4xNcoVTCRXBthC1PBmoCt1stwfYcM4JTXoe3henWT5ViGAyFyV bill@brighton

default comment user@host

ssh-copy-id -i ~/.ssh/yorkkey york

~/.ssh/authorized_keys

You can add key-specific options to the beginning of each line (options separated by commas)

from=

from="123.45.67.89"

from="123.45.67.89/24"

from="1234:560:0:70::89"

from="123.45.67.89,1234:560:0:70::89"

from="brighton.domain.net"

from="*.domain.net"

from="!*.brighton.domain.net,*.domain.net"

no-agent-forwarding

no-port-forwarding

no-pty

no-X11-forwarding

permitopen="localhost:1234"

command="command"

environment="PATH=/bin:/usr/bin/"

debug1: Remote: Bad options in /home/bill/.ssh/authorized_keys file, line 2: fron="123.45.67.89,1234:567:8:90::12" ssh-rsa AAAA
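The "Bad options" message above is what the client sees (with `-v`) when sshd cannot parse the option prefix of an authorized_keys line; sshd then ignores that key entirely. As an added example, not from the talk, the code below parses the option prefix of an authorized_keys line, reports unknown option names such as the `fron=` typo, and evaluates a `from=` list following the host and address rules in sshd(8): a negated pattern that matches rejects, addresses are tried as CIDR first and as wildcards otherwise, and either a hostname or an address match accepts. The key blob, hostnames and addresses are constructed placeholders, and the option name sets cover the sshd(8) options I am confident of rather than every option in newer releases.

```python
"""Parse authorized_keys option prefixes and evaluate from= restrictions."""
import fnmatch
import ipaddress
from typing import Dict, List, Optional, Union

# Option names from sshd(8), AUTHORIZED_KEYS FILE FORMAT, lower-cased because
# sshd compares them case-insensitively. Not exhaustive for newer releases.
FLAG_OPTIONS = {
    "agent-forwarding", "cert-authority", "no-agent-forwarding",
    "no-port-forwarding", "no-pty", "no-user-rc", "no-x11-forwarding",
    "port-forwarding", "pty", "restrict", "user-rc", "x11-forwarding",
}
VALUE_OPTIONS = {"command", "environment", "from", "permitopen",
                 "permitlisten", "principals", "tunnel", "expiry-time"}
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample lines; the key blob is a placeholder, not a real key.
KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderkeyblob"
GOOD_LINE = (f'from="!*.brighton.domain.net,*.domain.net,123.45.67.0/24",'
             f'no-pty,command="/usr/local/bin/backup" ssh-rsa {KEY} bill@brighton')
BAD_LINE = f'fron="123.45.67.89,1234:567:8:90::12" ssh-rsa {KEY} bill@brighton'


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside double quotes; quotes are
    removed and a backslash inside quotes escapes the next character."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_line(line: str) -> Dict[str, object]:
    """Parse one authorized_keys line into options, key type, key, comment
    and a list of problems (empty when sshd would accept the prefix)."""
    line = line.strip()
    first = line.split(None, 1)[0] if line else ""
    options: Dict[str, Union[bool, str]] = {}
    problems: List[str] = []
    if first not in KEY_TYPES:  # a prefix is present: ends at whitespace outside quotes
        quoted, i = False, 0
        while i < len(line):
            if quoted and line[i] == "\\":
                i += 2; continue
            if line[i] == '"':
                quoted = not quoted
            elif line[i].isspace() and not quoted:
                break
            i += 1
        if quoted:
            problems.append("unterminated quote in options")
        prefix, line = line[:i], line[i:].strip()
        for opt in _split_outside_quotes(prefix, ","):
            name, eq, value = opt.partition("=")
            name = name.lower()
            if name in FLAG_OPTIONS and not eq:
                options[name] = True
            elif name in VALUE_OPTIONS and eq:
                options[name] = value
            else:
                problems.append(f"unknown or malformed option '{opt}'")
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        problems.append("no recognised key type after options")
        return {"options": options, "keytype": None, "key": None,
                "comment": None, "problems": problems}
    return {"options": options, "keytype": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else None,
            "problems": problems}


def _match_list(value: str, patterns: str, as_address: bool) -> int:
    """1 = positive match, -1 = a negated pattern matched, 0 = no match,
    mirroring the return values of sshd's match_pattern_list/addr_match_list."""
    result = 0
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if as_address:
            try:  # CIDR or plain address first ...
                hit = ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
            except ValueError:  # ... then wildcard string match on the address text
                hit = fnmatch.fnmatchcase(value, pat)
        else:
            hit = fnmatch.fnmatchcase(value.lower(), pat.lower())
        if hit:
            if negated:
                return -1
            result = 1
    return result


def from_allows(options: Dict[str, object], hostname: Optional[str], ip: str) -> bool:
    """Apply a from= list like sshd's match_host_and_ip: a negated match on the
    address or the hostname rejects, otherwise either positive match accepts.
    hostname is None when sshd runs with UseDNS no."""
    patterns = options.get("from")
    if patterns is None:
        return True
    mip = _match_list(ip, str(patterns), as_address=True)
    if mip == -1:
        return False
    mhost = 0 if hostname is None else _match_list(hostname, str(patterns), as_address=False)
    if mhost == -1:
        return False
    return mip == 1 or mhost == 1


if __name__ == "__main__":
    for sample in (GOOD_LINE, BAD_LINE):
        print(parse_line(sample)["problems"] or "ok")
```

Feeding each line of a real authorized_keys file through `parse_line` and printing the `problems` list gives a quick lint for typos before they silently disable a key.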

Server options

sshd_config

/etc/ssh/sshd_config

Requires restart of sshd

/etc/init.d/ssh try-restart

sshd -t

OOB access? ILOM etc.

Defaults included as comments

PermitRootLogin no

StrictModes

X11Forwarding

AgentForwarding

PasswordAuthentication

UsePAM yes

Only allow specific users

AllowUsers / DenyUsers

AllowUsers

AllowUsers bill

(exclusive)

AllowUsers bill ben

AllowUsers bill@123.45.67.89 bill@1234:567:0:80::11

AllowUsers bill@123.45.67.89
AllowUsers bill@1234:567:0:80::11

AllowGroups

AllowGroups sshusers

Standard unix groups

/etc/group

Standard admin tools for managing group membership

no need to keep restarting sshd

Combining rules

Deny then allow

DenyUsers, AllowUsers, DenyGroups, AllowGroups
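sshd evaluates these four directives in the order just listed, and the first one that rejects ends the check. As an added example, not from the talk, the function below walks a constructed policy in that order and returns the same reason wording that sshd writes to auth.log (compare the "not allowed because not listed in AllowUsers" line later in the talk). The policy, user names, groups and addresses are made up; user@host patterns are matched with plain wildcards against the reverse-resolved hostname and the address string, without the CIDR handling real sshd also supports.

```python
"""Evaluate sshd's DenyUsers / AllowUsers / DenyGroups / AllowGroups order."""
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed policy (an assumption, not the speaker's sshd_config). Each list
# holds the patterns from one or more directives of that name; empty = unset.
POLICY: Dict[str, List[str]] = {
    "DenyUsers": ["root", "guest*"],
    "AllowUsers": ["bill@123.45.67.89", "bill@1234:567:0:80::11", "ben"],
    "DenyGroups": ["contractors"],
    "AllowGroups": ["sshusers"],
}


def _user_pattern_matches(pattern: str, user: str, host: str, ip: str) -> bool:
    """'user' or 'user@host' pattern; the host part may match either the
    reverse-resolved name or the address string (wildcards only here)."""
    upat, _, hpat = pattern.partition("@")
    if not fnmatch.fnmatchcase(user, upat):
        return False
    if not hpat:
        return True
    return fnmatch.fnmatchcase(host, hpat) or fnmatch.fnmatchcase(ip, hpat)


def _any_group_matches(groups: List[str], patterns: List[str]) -> bool:
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def allowed_user(policy: Dict[str, List[str]], user: str, groups: List[str],
                 host: str, ip: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, reason); reasons use sshd's own log wording."""
    def hit(patterns: List[str]) -> bool:
        return any(_user_pattern_matches(p, user, host, ip) for p in patterns)

    if hit(policy.get("DenyUsers", [])):
        return False, "listed in DenyUsers"
    if policy.get("AllowUsers") and not hit(policy["AllowUsers"]):
        return False, "not listed in AllowUsers"
    if policy.get("DenyGroups") or policy.get("AllowGroups"):
        if not groups:
            return False, "not in any group"
        if _any_group_matches(groups, policy.get("DenyGroups", [])):
            return False, "a group is listed in DenyGroups"
        if policy.get("AllowGroups") and not _any_group_matches(groups, policy["AllowGroups"]):
            return False, "none of user's groups are listed in AllowGroups"
    return True, None


if __name__ == "__main__":
    cases = [("bill", ["sshusers"], "brighton.domain.net", "123.45.67.89"),
             ("bill", ["sshusers"], "elsewhere.example.org", "10.0.0.5"),
             ("ben", ["users"], "brighton.domain.net", "10.0.0.5"),
             ("root", ["sshusers"], "brighton.domain.net", "10.0.0.5")]
    for user, groups, host, ip in cases:
        allowed, reason = allowed_user(POLICY, user, groups, host, ip)
        print(f"User {user} from {host}:", "allowed" if allowed else f"not allowed because {reason}")
```

Because the check stops at the first rejecting directive, a user listed in both DenyUsers and AllowUsers is always refused, and AllowGroups can never re-admit someone AllowUsers has already excluded.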

Specific Overrides

Match Operator

Must be at the end of the file

PasswordAuthentication no
...
Match User bill
    PasswordAuthentication yes

Match Group

Match !Group

Match Address

Match Address 123.456.789.10
    PasswordAuthentication yes

Match Host brighton.example.net

Match User trusty Address 123.45.67.*
    X11Forwarding yes

Match User nagios
    PasswordAuthentication no
    RSAAuthentication yes
    PubkeyAuthentication yes
    Banner none

(Banner may break some automated logins) ... is your shell clean?

related options

chroot sftp

(similar to proftpd)

Subsystem sftp /usr/lib/openssh/sftp-server

Subsystem sftp internal-sftp

Match Group sftponly
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -u 0002
    ChrootDirectory %h

Also possible to jail shell accounts, but needs a static shell

Rate Limiting

MaxStartups 10

MaxStartups 10:30:60
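MaxStartups 10:30:60 is sshd's random early drop: the three values are start:rate:full. Below start unauthenticated connections nothing is refused; from start onwards a new connection is refused with probability rate percent, rising linearly to 100 percent at full. The plain form MaxStartups 10 refuses everything once 10 unauthenticated connections are pending. The code below is an added example, not from the talk, that reproduces that calculation in the integer arithmetic sshd(8) describes and simulates it; the spec validation and the seeded simulation are my additions.

```python
"""Worked example of sshd's MaxStartups start:rate:full early-drop rule."""
import random
from typing import Tuple


def parse_max_startups(spec: str) -> Tuple[int, int, int]:
    """'10' -> (10, 100, 10); '10:30:60' -> (10, 30, 60) as (start, rate, full)."""
    parts = [int(p) for p in spec.split(":")]
    if len(parts) == 1:
        return parts[0], 100, parts[0]  # plain N: hard limit, nothing random
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups spec: {spec!r}")
    start, rate, full = parts
    if start > full or not 1 <= rate <= 100:  # the checks sshd applies to the spec
        raise ValueError(f"invalid MaxStartups spec: {spec!r}")
    return start, rate, full


def drop_percent(spec: str, unauthenticated: int) -> int:
    """Probability, in percent, that the next connection is refused when
    `unauthenticated` connections are already waiting to authenticate."""
    start, rate, full = parse_max_startups(spec)
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    # Linear ramp from rate% at start to 100% at full, in integer arithmetic.
    return (100 - rate) * (unauthenticated - start) // (full - start) + rate


def should_drop(spec: str, unauthenticated: int, rng=random) -> bool:
    """One random decision, like sshd comparing a random 0..99 against p."""
    return rng.randrange(100) < drop_percent(spec, unauthenticated)


def simulate(spec: str, unauthenticated: int, trials: int, seed: int = 1) -> float:
    """Fraction of `trials` refused at a given backlog, using a seeded RNG."""
    rng = random.Random(seed)
    return sum(should_drop(spec, unauthenticated, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for n in (0, 9, 10, 20, 35, 59, 60, 100):
        print(f"{n:3d} unauthenticated -> drop {drop_percent('10:30:60', n):3d}%  "
              f"(simulated {simulate('10:30:60', n, 10000):.2f})")
```

The ramp means a burst of unauthenticated connections (a scanner, or a monitoring host that opens many sessions at once) is throttled gradually rather than blocking legitimate logins outright at a single hard threshold.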

Troubleshooting

SyslogFacility AUTH
LogLevel INFO

LogLevel DEBUG

ssh -vvv

ben@brighton:~$ ssh -v york
OpenSSH_6.xxx Debian-4+deb7u2, OpenSSL 1.2.3 12 Feb 1804
debug1: Reading configuration data /home/ben/.ssh/config
debug1: /home/ben/.ssh/config line 12: Applying options for *
debug1: /home/ben/.ssh/config line 456: Applying options for york
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to york.domain.net [123.456.78.9] port 22.
debug1: Connection established.
debug1: identity file /home/ben/.ssh/yorkkey type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/ben/.ssh/yorkkey-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 12:34:56:78:12:34:56:78:90:12:34:56:78:90
debug1: Host 'york.domain.net' is known and matches the RSA host key.
debug1: Found key in /home/ben/.ssh/known_hosts:123
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
====================================
This is a private system
Unauthorised access is prohibited!
All access attempts are logged
====================================
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ben/.ssh/yorkkey
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to york.domain.net ([123.456.78.9]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
Linux york 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

Welcome to york.domain.net

You have mail.
Last login: Fri Feb 6 14:24:43 2015 from brighton.domain.net
ben@york:~$

/var/log/auth.log

or check syslog config

Feb 6 15:47:18 york sshd[12345]: User bill from brighton.domain.net not allowed because not listed in AllowUsers

Feb 6 15:47:29 york sshd[12345]: Failed password for invalid user bill from 123.45.67.89 port 45678 ssh2
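The two auth.log lines above are the server-side record of a rejected login: first the AllowUsers refusal, then the password failure for a user sshd now treats as invalid. As an added example, not part of the talk, here is a small parser for the sshd messages found in /var/log/auth.log that turns them into records and counts rejections per source, which is the usual starting point for spotting a host that keeps failing. The sample log reuses the two lines from the talk; the other lines, the 203.0.113.7 address and the alert threshold are constructed assumptions.

```python
"""Parse sshd messages from auth.log and count rejections per source."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the two lines from the talk plus made-up neighbours.
SAMPLE_LOG = """\
Feb 6 15:47:18 york sshd[12345]: User bill from brighton.domain.net not allowed because not listed in AllowUsers
Feb 6 15:47:29 york sshd[12345]: Failed password for invalid user bill from 123.45.67.89 port 45678 ssh2
Feb 6 15:47:41 york sshd[12350]: Failed password for invalid user bill from 123.45.67.89 port 45690 ssh2
Feb 6 15:48:02 york sshd[12361]: Accepted publickey for ben from 123.45.67.90 port 45700 ssh2
Feb 6 15:48:30 york sshd[12377]: Failed password for root from 203.0.113.7 port 51000 ssh2
Feb 6 15:48:31 york sshd[12377]: Failed password for root from 203.0.113.7 port 51000 ssh2
Feb 6 15:48:33 york sshd[12377]: Failed password for root from 203.0.113.7 port 51000 ssh2
Feb 6 15:48:40 york sshd[12380]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
"""

# Syslog prefix as written by the default Debian rsyslog template.
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PATTERNS = {
    "not_allowed": re.compile(r"^User (?P<user>\S+) from (?P<src>\S+) not allowed because (?P<reason>.+)$"),
    "failed": re.compile(r"^Failed (?P<method>\S+) for (?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"),
    "accepted": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"),
}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record for the sshd messages modelled above, None otherwise."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {"ts": m["ts"], "server": m["host"], "pid": m["pid"]}
    for kind, pat in PATTERNS.items():
        mm = pat.match(m["msg"])
        if mm:
            rec["event"] = kind
            rec.update({k: v for k, v in mm.groupdict().items()
                        if v is not None and k != "invalid"})
            if kind == "failed":
                rec["invalid_user"] = mm["invalid"] is not None
            return rec
    return None


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def rejections_by_source(records: List[Dict[str, object]]) -> Counter:
    """Count not_allowed and failed events per source host or address."""
    return Counter(str(r["src"]) for r in records if r["event"] in ("not_allowed", "failed"))


def noisy_sources(records: List[Dict[str, object]], threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` rejections (the threshold is an assumption)."""
    return sorted(src for src, n in rejections_by_source(records).items() if n >= threshold)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for src, n in rejections_by_source(records).most_common():
        print(f"{n:3d} rejections from {src}")
    print("over threshold:", noisy_sources(records))
```

Run against the real file with `parse_log(open("/var/log/auth.log").read())`; if SyslogFacility or the syslog daemon has been changed, adjust `SYSLOG` to the prefix your logger actually writes.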

Questions?

David Proffitt, FLOSS Spring 2015, York