SSH
SSH ProxyJump option
Learn about the SSH client option ProxyJump, which allows using a bastion host or jump server to connect to other systems.
Summary
The ProxyJump option defines a bastion host (jump host, jump server, jump box) to use.
Values
| Value | Meaning |
|---|---|
| none | Disable ProxyJump functionality |
| HOST | Define the hostname of the bastion host |
| [USER@]HOST[:PORT] | Define one or more parameters of the bastion host |
| URI | Define parameters in URI format |
Hostname
Format: hostname
SSH ForwardAgent option
Learn about the ForwardAgent option, available values, the security risks, and how to configure it.
Summary
The ForwardAgent option specifies if SSH agent forwarding is allowed or not.
ForwardAgent values
| Value | Meaning |
|---|---|
| yes | Agent forwarding is allowed |
| no (default) | Agent forwarding is not allowed |
| PATH | Path to the agent socket |
| $VARIABLE | Environment variable that stores the path |
Security caution
Agent forwarding should not be used unless strictly needed. Any user on the remote host who can access the agent's socket (the path stored in SSH_AUTH_SOCK) can use the forwarded connection. While the key material itself is not exposed, the keys can still be used to authenticate as any of the identities loaded in the SSH agent.
SSH IdentityAgent option
Learn about the IdentityAgent option, available values, and how to configure it.
Summary
The IdentityAgent option specifies what UNIX-domain socket to use to communicate with the authentication agent. When configured, it overrides the environment variable SSH_AUTH_SOCK and provides the option to select a specific agent.
Besides defining a socket path directly, the location of the socket can also be taken from the SSH_AUTH_SOCK environment variable. In that case the value should be defined as SSH_AUTH_SOCK (without quotes). If the value starts with a '$', it indicates that another environment variable is to be used.
SSH client configuration
Linux systems are usually managed remotely with SSH. Learn how to configure and optimize the SSH client and improve its security.
Summary
Configuration files
- /etc/ssh/ssh_config
- ~/.ssh/config
Configuration settings
The client supports many individual settings that may be configured in a configuration file or via the command line.
IdentityAgent
Configure the socket to use for the SSH agent.
See IdentityAgent
Port
Defines the port to be used. By default, the SSH server listens on port 22 (TCP).
ProxyJump
Defines a bastion host (jump host, jump server, jump box) to connect to the destination system.
SSH configuration files
Learn about the locations where SSH client settings are configured and what precedence they take.
Summary
For the SSH client there are typically two places where configuration files are stored: in the home directory of the user and in a global (system-wide) configuration file.
User configuration
- Location: ~/.ssh/config
This file is stored in the home directory of a user. It is optional and does not exist by default.
System-wide configuration
- Location: /etc/ssh/ssh_config
- Overrides via: /etc/ssh/ssh_config.d/*.conf
The default settings are in the ssh_config file. The system administrator may add customizations to this file, but it is typically advised to override settings using a separate configuration file. This way, settings are not overwritten by accident when a package update replaces the file.
SSH StrictHostKeyChecking option
Learn about the StrictHostKeyChecking option, available values, and how to configure it.
Summary
The SSH client won't connect to a system when it sees that the host key changed since the initial connection. This helps against man-in-the-middle (MitM) attacks. The client detects a changed host key by comparing it with the stored entry in the ~/.ssh/known_hosts file.
Values
| Value | Automatically save new host keys | Action if host key changed |
|---|---|---|
| yes | No | Refuse |
| ask | No, ask | Refuse |
| accept-new | Yes | Refuse |
| no / off | Yes | Connect |
When connecting to many different systems, the accept-new value can help reduce the manual step of accepting keys.
SSH PasswordAuthentication option
Learn about the PasswordAuthentication option, available values, and how to configure it.
Summary
One of the common methods to authenticate with an SSH server is the combination of a username and password. With the option PasswordAuthentication we define whether the client should use this type of authentication. While yes is the default, it can be useful to disable it for hosts that require public key authentication. This way we instruct the client to only try that method.
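The client options covered above (ProxyJump, ForwardAgent, IdentityAgent, StrictHostKeyChecking and PasswordAuthentication) can be combined in one ~/.ssh/config. The following is an added example, not configuration from the original articles; the host names, user name, port and socket path are constructed placeholders. It also shows the one ordering rule that bites most people: for every option the ssh client uses the first value it obtains, so host-specific blocks go first and the catch-all Host * block goes last.

```sshconfig
# ~/.ssh/config  (added example; names and paths below are constructed placeholders)

# Bastion host: reachable directly, listens on a non-default port.
Host bastion
    HostName bastion.example.com
    User admin
    Port 2222
    # Only public key authentication for this host; the client will not fall back to passwords.
    PasswordAuthentication no

# Internal hosts: only reachable through the bastion.
Host *.internal.example.com
    User admin
    # ssh connects to "bastion" first and tunnels the real connection through it.
    ProxyJump bastion
    PasswordAuthentication no

# Defaults for everything else. This block is last on purpose: the first value
# obtained for an option wins, so anything set above takes precedence over it.
Host *
    # Never forward the agent by default; turn it on per host only when strictly needed.
    ForwardAgent no
    # Use a dedicated agent socket instead of whatever SSH_AUTH_SOCK currently points at
    # (the value SSH_AUTH_SOCK, without a $, would select the environment variable instead).
    IdentityAgent ~/.ssh/agent.sock
    # Store host keys of systems seen for the first time, but still refuse on a changed key.
    StrictHostKeyChecking accept-new
```

To check what the client actually resolved for a given destination, run ssh -G host.internal.example.com: it prints the effective configuration (including the proxyjump, forwardagent and stricthostkeychecking values) without opening a connection.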
Change SSH server port number
Learn how to make changes to your SSH configuration to have it running on a different port than its default 22/TCP.
Summary
Why change your SSH port?
Systems that are available via the internet and can't be fully protected with a firewall might benefit from running on a different TCP port than the default 22. This way automated scanners are less likely to probe your system(s), as they don't know what port you use for SSH.
Changing your SSH port won't make a system more secure in itself, and is therefore often called security through obscurity. At the same time, it may help in reducing noise in your logs, making them easier to monitor. This in itself slightly improves security, as system administrators typically start to ignore log files if they are flooded with authentication failures.
Configure a SSH welcome message or banner
Learn how to configure a welcome message for users before or after logging in via SSH.
Summary
Configure a Message of the Day
The MOTD is typically stored in /etc/motd or a related directory, such as /etc/update-motd.d or /etc/motd.d/. The related message or messages are then displayed after a user is logged in.
Another option is that the MOTD is displayed via the PAM configuration. To see if this is the case, grep your PAM configuration directory for uncommented references to motd.
grep -ir motd /etc/pam.d | grep -v ":#"
SSH escape sequences
Learn about the escape sequences that can be used with OpenSSH to initiate special commands.
Summary
Escape sequences are patterns of keys that the SSH client recognizes to send special instructions.
To see the ones that are supported, press tilde (~) followed by a question mark (?).
Supported escape sequences:
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - request rekey
~V/v - decrease/increase verbosity (LogLevel)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
Important: you may need to press enter first before sending the escape sequence.
SSH Configuration
The configuration settings and suggestions related to the SSH client and SSH server daemon.
Summary
The configuration of SSH happens on both the client and server side.
SSH
Articles, commands, and settings to configure the SSH server and client.
Summary
An important part of system administration is a secure connection to it. With SSH we can achieve this easily. At the same time, there is a lot more to this protocol and set of commands. In this section all articles and configuration are collected.
How to find the OpenSSH version
Searching for the installed version of OpenSSH? Here are some commands to discover what software you are running.
Summary
SSH or Secure Shell is a popular protocol for doing system administration on Linux systems. Sometimes you may need to know what version you are running to know if some specific configuration options are available. In this article we have a look at the available options.
Local OpenSSH version
The easiest way to find the installed OpenSSH version is using the ssh -V command. This works when being logged in to the system itself.
Restrict SSH access to only allow rsync
Want to restrict SSH access to only allow rsync file synchronization? This article explains the steps and how to set it up.
Summary
Rsync is still one of the most popular tools to synchronize files between two systems. Although it has a few caveats when dealing with special files, it does its job very well. In this explainer we show how to use it in combination with SSH and at the same time restrict SSH access to only allow the rsync job to run.
In this article we refer to system01 as having the original files, which it sends to the receiving system (system02).
OpenSSH security and hardening
The SSH configuration influences the security of your Linux system. This guide helps you to secure your OpenSSH server and client configuration.
Summary
SSH or Secure Shell is the popular protocol for doing system administration on Linux systems. It runs on most systems, often with its default configuration. As this service opens up a potential gateway into the system, securing it is one of the steps in hardening a Linux system. This article covers SSH security tips to secure the OpenSSH service and increase the defenses of the system.
OpenSSH security
OpenSSH is developed by the security fanatics from the OpenBSD project. Every new piece of functionality is created with care, especially when it comes to security. Although there have been some vulnerabilities, OpenSSH is fairly secure by default. There are still some settings that can be improved. During research for the security auditing tool Lynis, we also looked at the available OpenSSH settings. Besides the tests that are now in Lynis, this article is one of the other results of that research.
Using Ed25519 for OpenSSH keys (instead of DSA/RSA/ECDSA)
For many years the default for SSH keys was DSA or RSA. There is a new kid on the block, with the fancy name Ed25519. Let's have a look at this new key type.
Summary
Learn how to use Ed25519 keys instead of the older types
Using SSH keys instead of passwords
Linux systems are usually managed remotely with SSH, often still using passwords. Time to switch over to SSH keys and here is how to do that.
Summary
Linux systems are usually managed remotely with SSH (secure shell). Still, many administrators use passwords instead of keys. Keys not only boost security, they also make managing systems much easier. Instead of entering your password for each server, you only have to do it once per session. When managing several systems per day, you will wonder why you ever used password-based authentication before.
Generating the SSH key
Depending on your desktop platform, we first have to create a key pair. This consists of a public and a private key, which are both needed to work. The private key is private and should remain private. While not mandatory, it is very wise to protect it with a passphrase. The public key will be configured on the remote system. This key is not secret at all, so it can safely be stored on another machine, or even shared with others. Since people still make the mistake of sharing the private key, double-check which key you are sharing at any given time.
SSH server configuration
Linux systems are usually managed remotely with SSH. Learn how to configure the SSH server daemon and improve its security.
Summary
SSH daemon
The OpenSSH daemon is named sshd and typically this is also the process visible in a process listing. The main listener usually has a full path visible, while active SSH sessions get their own child process.
Configuration files
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/*.conf
The configuration file sshd_config is the primary file for the settings. Any settings in a configuration file in /etc/ssh/sshd_config.d override those listed in the primary configuration file.
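The drop-in mechanism above is the natural place for the server-side changes this page discusses, such as moving sshd off port 22 and disabling password authentication. The following is an added example, not configuration from the original articles; the file name and port number are constructed placeholders. The reason a drop-in file takes precedence is that the stock sshd_config carries its Include line for sshd_config.d near the top, and sshd, like the client, keeps the first value it obtains for each option.

```sshconfig
# /etc/ssh/sshd_config.d/10-hardening.conf  (added example; file name and port are placeholders)
# Read before the rest of sshd_config via its Include line, so these values win.

# Listen on a non-default port. Port is cumulative: if another file still sets Port 22,
# sshd listens on both, so grep all sshd configuration files for Port before relying on this.
Port 2222

# Only public key authentication; password guessing attempts get nothing to work with.
PasswordAuthentication no
```

Before restarting the daemon, validate the complete configuration with sshd -t (it reports syntax errors and exits non-zero) and confirm the effective values with sshd -T, which prints the resolved settings. On a host with a firewall or SELinux, the new port has to be allowed there as well, and it is wise to keep the existing session open until a fresh connection to the new port succeeds.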