ssh client and server options

1. Enhancing ssh Configuration
David Proffitt
Janet NOC
FLOSS Spring 2015
York

2. (More fun with ssh config)

3. ~/.ssh/config
~/.ssh/authorized_keys
/etc/ssh/sshd_config

4. examples Debian specific
should work with RH, FreeBSD, solaris, MacOS ...

5. Client
options

6. ssh -X -v -l bill -i ~/.ssh/yorkkey -4 york.domain.net

7. ~/.ssh/config

8. doesn't exist by default

9. overides defaults from
/etc/ssh/ssh_config

10. 1. command line options
2. user-specific file
3. system-wide file

11. Host
Aliases

12. Convenient text labels

13. Host york

14. Host york
HostName york.domain.net

15. Host york
HostName 123.45.67.89

16. ssh york.domain.net
(assumes current user name)

17. ssh -l bill york.domain.net

18. ssh bill@york.domain.net

19. Host york
User bill

20. ssh york

21. Multiple aliases are possible

22. host york,web

23. Host york
User ben

24. Host brighton
User bill

25. Host newcastle
Port 1234

26. Host york
User ben
IdentityFile /home/bill/.ssh/yorkkey

27. ForwardAgent yes
(Use with Caution)

28. Protocol 2

29. AddressFamily inet

30. PubkeyAuthentication no

31. ForwardX11 yes
(assuming allowed on server)

32. ServerAliveInterval 120

33. Wildcards

34. Host *

35. Host *
user bill

36. Any configuration value is only changed the first time it is set.
man ssh

37. Thus, host-specific definitions should be at the beginning of the
configuration file, and defaults at the end.

38. ssh -v york
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/bill/.ssh/config
debug1: /home/bill/.ssh/config line 19: Applying options for *
debug1: /home/bill/.ssh/config line 363: Applying options for york
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to york.ja.net [123.45.67.89] port 22.
debug1: Connection established.

39. Controling
Key
Access

40. ~/.ssh/authorized_keys

41. ssh-keygen -f ~/.ssh/yorkkey

42. ssh-keygen -f yorkkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in yorkkey.
Your public key has been saved in yorkkey.pub.
The key fingerprint is:
d6:63:83:d3:c1:ba:cc:17:9a:e6:04:cf:1f:c1:30:cf bill@brighton
The key's randomart image is:
+--[ RSA 2048]----+
| |
| . |
| o o |
| @ . |
| . S E |
| B * = |
| @ o |
| + o . |
| . . |
+-----------------+

43. yorkkey
yorkkey.pub

44. -rw------- 1 bill bill 1.8K Mar 23 16:22 yorkkey

45. cat yorkkey.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9pNHNuFYp0kKYtxmmKs20bgBhMdj
24U7KuWz6KbuMaIrgCib69z3uoYuD3WYiYoUvoB00M5zqZgC3M0f3+4Y5iXJpKnmaHF
f4fpFz2Zru6WQmOyhnhvWMDQJm9nty9w6JoP2GM5bqZKGNzOLtkfPf3e26QliCKdrQ
zgFmlviFultSQU8/kPxxhFlu4JjwyRzlqCpMX/Ltr8w/fgmBd15NZqYRfJnU/tCjlL
im9X+0FND/hKz6zabmNUcJe3gkyPb7noadevnKJtS3K+RPCivgT51lf77TBb398H4x
NcoVTCRXBthC1PBmoCt1stwfYcM4JTXoe3henWT5ViGAyFyV bill@brighton

46. default comment user@host

47. ssh-copy-id -i ~/.ssh/yorkkey york

48. ~/.ssh/authorized_keys

49. You can add key specific options to the beginning of each line
(options separated by commas)

50. from=

51. from="123.45.67.89"

52. from="123.45.67.89/24"

53. from="1234:560:0:70::89"

54. from="123.45.67.89,1234:560:0:70::89"

55. from="brighton.domain.net"

56. from="*.domain.net"

57. from="!*.brighton.domain.net,*.domain.net"

58. no-agent-forwarding

59. no-port-forwarding

60. no-pty

61. no-X11-forwarding

62. permitopen="localhost:1234"

63. command="command"

64. environment="PATH=/bin:/usr/bin/"

65. debug1: Remote: Bad options in /home/bill/.ssh/authorized_keys file,
line 2: fron="123.45.67.89,1234:567:8:90::12" ssh-rsa AAAA

66. Server options

67. sshd_config

68. /etc/ssh/sshd_config

69. Requires restart of sshd

70. /etc/init.d/ssh

71. try-restart

72. sshd -t

73. OOB access?
ILOM etc.

74. Defaults included as comments

75. PermitRootLogin no

76. StrictModes

77. X11Forwarding

78. AgentForwarding

79. PasswordAuthentication

80. UsePAM yes

81. Only allow specific users

82. AllowUsers
DenyUsers

83. AllowUsers

84. AllowUsers bill
(exclusive)

85. AllowUsers bill ben

86. AllowUsers bill@123.45.67.89 bill@1234:567:0:80::11

87. AllowUsers bill@123.45.67.89
AllowUsers bill@1234:567:0:80::11

88. AllowGroups

89. AllowGroups sshussers

90. Standard uxix groups
/etc/group

91. Standard admin tools for managing group membership
no need to keep restarting sshd

92. Combining rules

93. Deny then allow

94. DenyUsers
AllowUsers
DenyGroups
AllowGroups

95. Specific Overrides

96. Match Operator

97. Must be at the end of the file

98. PasswordAuthentication no
...
Match User bill
PasswordAuthentication yes

99. Match Group

100. Match !Group

101. Match Address

102. Match Address 123.456.789.10
PasswordAuthentication yes

103. Match Host brighton.example.net

104. Match User trusty Address 123.45.67.*
X11Forwarding yes

105. Match User nagios
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
Banner none
(Banner may break some automated logins)
... is your shell clean

106. related options

107. chroot sftp
(similar to proftpd)

108. Subsystem sftp /usr/lib/openssh/sftp-server

109. Subsystem sftp internal-sftp

110. Match group sftponly
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -u 0002
ChrootDirectory %h

111. Also possible to jail shell accounts
but needs static shell

112. Rate Limiting

113. MaxStartups 10

114. MaxStartups 10:30:60

115. Troubleshooting

116. SyslogFacility AUTH
LogLevel INFO

117. LogLevel DEBUG

118. ssh -vvv

119. ben@brighton:~$ ssh -v york
OpenSSH_6.xxx Debian-4+deb7u2, OpenSSL 1.2.3 12 Feb 1804
debug1: Reading configuration data /home/ben/.ssh/config
debug1: /home/ben/.ssh/config line 12: Applying options for *
debug1: /home/ben/.ssh/config line 456: Applying options for york
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to york.domain.net [123.456.78.9] port 22.
debug1: Connection established.
debug1: identity file /home/ben/.ssh/yorkkey type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/ben/.ssh/yorkkey-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 12:34:56:78:12:34:56:78:90:12:34:56:78:90
debug1: Host 'york.domain.net' is known and matches the RSA host key.
debug1: Found key in /home/ben/.ssh/known_hosts:123
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
====================================
This is a private system
Unauthorised access is prohibited!
All access attempts are logged
====================================
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ben/.ssh/yorkkey
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to york.domain.net ([123.456.78.9]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
Linux york 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
Welcome to york.domain.net
You have mail.
Last login: Fri Feb 6 14:24:43 2015 from brighton.domain.net
ben@york:~$

120. /var/log/auth.log

121. or check syslog config

122. Feb 6 15:47:18 york sshd[12345]:
User bill from brighton.domain.net
not allowed because not listed in AllowUsers

123. Feb 6 15:47:29 york sshd[12345]:
Failed password for invalid user bill
from 123.45.67.89 port 45678 ssh2

124. Questions?

125. David Proffitt
FLOSS Spring 2015
York