Enhancing ssh Configuration

David ProffittJanet NOC

FLOSS Spring 2015York

(More fun with ssh config)

~/.ssh/config~/.ssh/authorized_keys/etc/ssh/sshd_config

examples Debian specific

should work with RH, FreeBSD, solaris, MacOS ...

Client options

ssh -X -v -l bill -i ~/.ssh/yorkkey -4 york.domain.net

~/.ssh/config

doesn't exist by default

overides defaults from /etc/ssh/ssh_config

1. command line options

2. user-specific file

3. system-wide file

Host Aliases

Convenient text labels

Host york

Host yorkHostName york.domain.net

Host yorkHostName 123.45.67.89

ssh york.domain.net(assumes current user name)

ssh -l bill york.domain.net

ssh bill@york.domain.net

Host yorkUser bill

ssh york

Multiple aliases are possible

host york,web

Host yorkUser ben

Host brightonUser bill

Host newcastlePort 1234

Host yorkUser ben

IdentityFile /home/bill/.ssh/yorkkey

ForwardAgent yes(Use with Caution)

Protocol 2

AddressFamily inet

PubkeyAuthentication no

ForwardX11 yes(assuming allowed on server)

ServerAliveInterval 120

Wildcards

Host *

Host *user bill

Any configuration value is only changed the first time it is set.

man ssh

Thus, host-specific definitions should be at the beginning of theconfiguration file, and defaults at the end.

ssh -v yorkOpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013debug1: Reading configuration data /home/bill/.ssh/configdebug1: /home/bill/.ssh/config line 19: Applying options for *debug1: /home/bill/.ssh/config line 363: Applying options for yorkdebug1: Reading configuration data /etc/ssh/ssh_configdebug1: /etc/ssh/ssh_config line 19: Applying options for *debug1: Connecting to york.ja.net [123.45.67.89] port 22.debug1: Connection established.

ControlingKeyAccess

~/.ssh/authorized_keys

ssh-keygen -f ~/.ssh/yorkkey

ssh-keygen -f yorkkeyGenerating public/private rsa key pair.Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in yorkkey.Your public key has been saved in yorkkey.pub.The key fingerprint is:d6:63:83:d3:c1:ba:cc:17:9a:e6:04:cf:1f:c1:30:cf bill@brightonThe key's randomart image is:+--[ RSA 2048]----+| || . || o o || @ . || . S E || B * = || @ o || + o . || . . |+-----------------+

yorkkeyyorkkey.pub

-rw------- 1 bill bill 1.8K Mar 23 16:22 yorkkey

cat yorkkey.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9pNHNuFYp0kKYtxmmKs20bgBhMdj24U7KuWz6KbuMaIrgCib69z3uoYuD3WYiYoUvoB00M5zqZgC3M0f3+4Y5iXJpKnmaHFf4fpFz2Zru6WQmOyhnhvWMDQJm9nty9w6JoP2GM5bqZKGNzOLtkfPf3e26QliCKdrQzgFmlviFultSQU8/kPxxhFlu4JjwyRzlqCpMX/Ltr8w/fgmBd15NZqYRfJnU/tCjlLim9X+0FND/hKz6zabmNUcJe3gkyPb7noadevnKJtS3K+RPCivgT51lf77TBb398H4xNcoVTCRXBthC1PBmoCt1stwfYcM4JTXoe3henWT5ViGAyFyV bill@brighton

default comment user@host

ssh-copy-id -i ~/.ssh/yorkkey york

~/.ssh/authorized_keys

You can add key specific options to the beginning of each line (options separated by commas)

from=

from="123.45.67.89"

from="123.45.67.89/24"

from="1234:560:0:70::89"

from="123.45.67.89,1234:560:0:70::89"

from="brighton.domain.net"

from="*.domain.net"

from="!*.brighton.domain.net,*.domain.net"

no-agent-forwarding

no-port-forwarding

no-pty

no-X11-forwarding

permitopen="localhost:1234"

command="command"

environment="PATH=/bin:/usr/bin/"

debug1: Remote: Bad options in /home/bill/.ssh/authorized_keys file, line 2: fron="123.45.67.89,1234:567:8:90::12" ssh-rsa AAAA

Server options

sshd_config

/etc/ssh/sshd_config

Requires restart of sshd

/etc/init.d/ssh

try-restart

sshd -t

OOB access?ILOM etc.

Defaults included as comments

PermitRootLogin no

StrictModes

X11Forwarding

AgentForwarding

PasswordAuthentication

UsePAM yes

Only allow specific users

AllowUsersDenyUsers

AllowUsers

AllowUsers bill

(exclusive)

AllowUsers bill ben

AllowUsers bill@123.45.67.89 bill@1234:567:0:80::11

AllowUsers bill@123.45.67.89 AllowUsers bill@1234:567:0:80::11

AllowGroups

AllowGroups sshussers

Standard uxix groups

/etc/group

Standard admin tools for managing group membership

no need to keep restarting sshd

Combining rules

Deny then allow

DenyUsersAllowUsersDenyGroupsAllowGroups

Specific Overrides

Match Operator

Must be at the end of the file

PasswordAuthentication no...Match User bill PasswordAuthentication yes

Match Group

Match !Group

Match Address

Match Address 123.456.789.10 PasswordAuthentication yes

Match Host brighton.example.net

Match User trusty Address 123.45.67.* X11Forwarding yes

Match User nagiosPasswordAuthentication noRSAAuthentication yesPubkeyAuthentication yesBanner none

(Banner may break some automated logins)... is your shell clean

related options

chroot sftp

(similar to proftpd)

Subsystem sftp /usr/lib/openssh/sftp-server

Subsystem sftp internal-sftp

Match group sftponly X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp -u 0002 ChrootDirectory %h

Also possible to jail shell accountsbut needs static shell

Rate Limiting

MaxStartups 10

MaxStartups 10:30:60

Troubleshooting

SyslogFacility AUTHLogLevel INFO

LogLevel DEBUG

ssh -vvv

ben@brighton:~$ ssh -v yorkOpenSSH_6.xxx Debian-4+deb7u2, OpenSSL 1.2.3 12 Feb 1804debug1: Reading configuration data /home/ben/.ssh/configdebug1: /home/ben/.ssh/config line 12: Applying options for *debug1: /home/ben/.ssh/config line 456: Applying options for yorkdebug1: Reading configuration data /etc/ssh/ssh_configdebug1: /etc/ssh/ssh_config line 19: Applying options for *debug1: Connecting to york.domain.net [123.456.78.9] port 22.debug1: Connection established.debug1: identity file /home/ben/.ssh/yorkkey type 1debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048debug1: identity file /home/ben/.ssh/yorkkey-cert type -1debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*debug1: Enabling compatibility mode for protocol 2.0debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2debug1: SSH2_MSG_KEXINIT sentdebug1: SSH2_MSG_KEXINIT receiveddebug1: kex: server->client aes128-ctr hmac-md5 nonedebug1: kex: client->server aes128-ctr hmac-md5 nonedebug1: sending SSH2_MSG_KEX_ECDH_INITdebug1: expecting SSH2_MSG_KEX_ECDH_REPLYdebug1: Server host key: RSA 12:34:56:78:12:34:56:78:90:12:34:56:78:90debug1: Host 'york.domain.net' is known and matches the RSA host key.debug1: Found key in /home/ben/.ssh/known_hosts:123debug1: ssh_rsa_verify: signature correctdebug1: SSH2_MSG_NEWKEYS sentdebug1: expecting SSH2_MSG_NEWKEYSdebug1: SSH2_MSG_NEWKEYS receiveddebug1: Roaming not allowed by serverdebug1: SSH2_MSG_SERVICE_REQUEST sentdebug1: SSH2_MSG_SERVICE_ACCEPT received====================================This is a private systemUnauthorised access is prohibited!All access attempts are logged====================================debug1: Authentications that can continue: publickey,passworddebug1: Next authentication method: publickeydebug1: Offering RSA public key: /home/ben/.ssh/yorkkeydebug1: Server accepts key: pkalg ssh-rsa blen 279debug1: Authentication succeeded (publickey).Authenticated to york.domain.net ([123.456.78.9]:22).debug1: channel 0: new [client-session]debug1: Requesting no-more-sessions@openssh.comdebug1: Entering interactive session.debug1: Requesting authentication agent forwarding.debug1: Sending environment.debug1: Sending env LANG = en_GB.UTF-8Linux york 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 Welcome to york.domain.net

You have mail.Last login: Fri Feb 6 14:24:43 2015 from brighton.domain.netben@york:~$

/var/log/auth.log

or check syslog config

Feb 6 15:47:18 york sshd[12345]: User bill from brighton.domain.net not allowed because not listed in AllowUsers

Feb 6 15:47:29 york sshd[12345]: Failed password for invalid user bill from 123.45.67.89 port 45678 ssh2

Questions?

David Proffitt FLOSS Spring 2015

York