SSH

Audit SSH configurations: HashKnownHosts option

Information about the HashKnownHosts option in the SSH configuration file. Explains how to audit and tune this option to secure a Unix-based system.

Summary of Audit SSH configurations: HashKnownHosts option

How it works: Each time the SSH client connects with a server, it will store a related signature (a key) of the server. This information is stored in a file named known_hosts. The known_hosts file itself is available in the .ssh subdirectory of the related user (on the client). If the signature of the server changes, SSH will protect the user by notifying them about this change. Risk involved: This configuration option is very useful, but also introduces a new risk.

Read the full article…

Distributing SSH keys: using ssh-copy-id, manually or automated

Learn how to get your SSH keys onto another system more easily, using the different available methods, such as copying them manually or using a tool like ssh-copy-id.

Summary of Distributing SSH keys: using ssh-copy-id, manually or automated

When you want to allow public key authentication, you first have to create an SSH key pair. The next step is the distribution of the public key to the other systems. Let’s have a look at a few options, including using the ssh-copy-id utility. Option 1: Manually. In the past, you had to log in manually to the new system and do things yourself. Especially if you created your key with a tool like PuTTYgen on Windows.

Read the full article…

Granting temporary access to your servers (using signed SSH keys)

SSH has the capability to give a colleague or vendor temporary access to your systems. Learn how to install and configure the related SSH settings.

Summary of Granting temporary access to your servers (using signed SSH keys)

In need of support from a colleague or vendor, but don’t want to give them permanent access? SSH has an option to allow temporary access! Next time you need to provide temporary access for an hour or day, use this great option. Configuration: We have two machines for this purpose. One is a system running Arch Linux, the client system. The other one is a server, running Ubuntu Linux. For temporary support, we have created a functional account named support on the Ubuntu server.

Read the full article…

How to find the OpenSSH version

Searching for the installed version of OpenSSH? Here are some commands to discover what software you are running.

Summary of How to find the OpenSSH version

SSH or Secure Shell is a popular protocol for doing system administration on Linux systems. Sometimes you may need to know what version you are running to know if some specific configuration options are available. In this article we have a look at the available options. Local OpenSSH version: The easiest way to find the installed OpenSSH version is using the ssh -V command. This works when you are logged in to the system itself.

Read the full article…

In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

This is the technical Linux guide you need to achieve compliance with the PCI DSS standard. Become compliant and stay compliant, with Linux tips for configuration and auditing.

Summary of In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

If you work for a company which accepts, processes, or stores credit card details, you might be familiar with the PCI Data Security Standard (DSS). The standard itself is very detailed. Still, it is sometimes unclear what specifically to implement and when. This guide will help with translating the PCI standard to technical security controls on Linux systems. The goal of this document is to help you further secure your network and pass the PCI DSS audit.

Read the full article…

Mosh, the SSH Alternative Option for System Administration

Learn about Mosh, an alternative to SSH. Let's dive into the reasons why it makes sense to learn about Mosh.

Summary of Mosh, the SSH Alternative Option for System Administration

Mosh, or mobile shell, is the ideal tool for remote system administration. While SSH is great, Mosh beats it in several areas. Let’s dive into the reasons why it makes sense to learn about Mosh. Pros (Session Resumption): Remember the last time your connection was interrupted? It is frustrating and sometimes even leads to losing some of your work. The stable TCP connection is not always a blessing. Mosh comes to the rescue, especially for less stable connections.

Read the full article…

OpenSSH security and hardening

The SSH configuration influences the security of your Linux system. This guide helps you to secure your OpenSSH server and client configuration.

Summary of OpenSSH security and hardening

SSH or Secure Shell is the popular protocol for doing system administration on Linux systems. It runs on most systems, often with its default configuration. As this service opens up a potential gateway into the system, it is one of the steps to hardening a Linux system. This article covers the SSH security tips to secure the OpenSSH service and increase the defenses of the system. OpenSSH security: OpenSSH is under development by the security fanatics from the OpenBSD project.

Read the full article…

Restrict SSH access to only allow rsync

Want to restrict SSH access to only allow rsync file synchronization? This article explains the steps and how to set it up.

Summary of Restrict SSH access to only allow rsync

Rsync is still one of the most popular tools to synchronize files between two systems. Although it has a few caveats when dealing with special files, it can do its job very well. In this explainer we will show how to use it in combination with SSH and at the same time restrict SSH access to only allow the rsync job to run. In this article we refer to system01 having the original files and it wants to send them to the receiving system (system02).

Read the full article…

The real purpose of login banners (on Linux)

We are used to seeing login banners everywhere. What is the point of them, and why would they be useful? The answer is more surprising than you expected.

Summary of The real purpose of login banners (on Linux)

Login banners on Linux: The first thing you might see when connecting to a Linux machine is a login banner. Some systems use the default, others have put some serious work into it. Think of great forms of ASCII art, or a lot of impressive text. You might be surprised to learn the real reasons for having a banner in the first place. In this article we will discuss the purpose, and determine how we can improve the quality of our login banners.

Read the full article…

Using Ed25519 for OpenSSH keys (instead of DSA/RSA/ECDSA)

For many years the default for SSH keys was DSA or RSA. There is a new kid on the block, with the fancy name Ed25519. Let's have a look at this new key type.

Summary of Using Ed25519 for OpenSSH keys (instead of DSA/RSA/ECDSA)

Introduction to Ed25519: OpenSSH 6.5 added support for Ed25519 as a public key type. It uses an elliptic curve signature scheme, which offers better security than ECDSA and DSA. At the same time, it also has good performance. This type of key may be used for user and host keys. With this in mind, it is great to be used together with OpenSSH. In this article, we have a look at this new key type.

Read the full article…

Using SSH keys instead of passwords

Linux systems are usually managed remotely with SSH, with many system administrators still using passwords. Time to switch over to SSH keys and here is how to do that.

Summary of Using SSH keys instead of passwords

Linux systems are usually managed remotely with SSH (secure shell). Still, many administrators are using passwords instead of keys. Keys not only boost security, they also make managing systems much easier. Instead of entering your password for each server, you only have to do it once per session. When managing several systems per day, you will be wondering why you ever used password-based authentication before. Generating the SSH key: Depending on your desktop platform, we first have to create a key pair.

Read the full article…