Ssh

SSH ProxyJump option

Learn about the SSH client option ProxyJump, that allows using a bastion host or jump server to connect to other systems.

Summary

The ProxyJump defines a bastion host (jump host, jump server, jump box) to use. Values Value Meaning none Disable ProxyJump functionality HOST Define the hostname of the bastion host [USER]HOST[:PORT] Define one or more parameters of the bastion host URI Define parameters in URI format Hostname Format: hostname User Format: user@hostname Port Format: hostname:port Command-line usage ssh -J bastion destinationsystem These parameters can also be specified in the format as a URI .

SSH ForwardAgent option

Learn about the ForwardAgent option, available values, the security risks, and how to configure it.

Summary

The ForwardAgent option specifies if SSH agent forwarding is allowed or not. ForwardAgent values Value Meaning Yes Agent forwarding is allowed No (default) Agent forwarding is not allowed PATH Path to the agent socket $VARIABLE Environment variable that stores the path Security caution Agent forwarding should not be used if not strictly needed. Any user that can access the agent’s socket stored in SSH_AUTH_SOCK may have access through the forwarded connection.

What is SSH agent forwarding?

Learn more about the SSH agent forwarding feature and what problems it tries to resolve.

Summary

The agent forwarding feature in SSH allows using your local SSH agent to be reached through an existing SSH connection. This way you don’t have to store copies of your private keys on intermediate systems to use them for authentication. While SSH agent forward simplifies things, it also introduces a new risk related to Unix domain socket. If a user on the intermediate system can access the related socket, then it may abuse this connection back to the SSH agent to authenticate on your behalf.

How to start the SSH agent?

When the SSH agent is not running, how can you start it? In this article we will have a look at the options.

Summary

The ssh-agent command is started manually using eval $(ssh-agent). This will initiate the SSH agent and make it available for clients, such as ssh, to use it. To confirm that the agent is running is by looking at the SSH_AUTH_SOCK environment variable. Automatic start of SSH agent Gnome Keyring SSH Agent When using Gnome, it typically comes with its SSH agent as part of Keyring. This will automatically load any files in ~/.

What is the purpose of the SSH agent?

What is the purpose of the SSH agent and when to use it?

Summary

The ssh-agent command starts the SSH agent, a helper utility to store private keys when using public key authentication. The ssh-agent process is usually started at the the beginning of a login session and then can be connected to by a SSH client. Clients can detect the environment variable named SSH_AUTH_SOCK. Related settings on the client IdentityAgent

How to disable the usage of the SSH agent

Learn how to disable the usage of the SSH agent when authenticating.

Summary

Disable usage of SSH agent identities

SSH IdentityAgent option

Learn about the IdentityAgent option, available values, and how to configure it.

Summary

The IdentityAgent option specifies what UNIX-domain socket to use to communicate with the authentication agent. When configured, it overrides the environment variable SSH_AUTH_SOCK and provides the option to select a specific agent. Besides the option to define a socket, the location of the socket can also be provided by the SSH_AUTH_SOCK environment variable. In that case the value should defined as “SSH_AUTH_SOCK” (without quotes). If the value starts with a ‘$’, it indicates that another enviroment variable is to be used.

/etc/ssh/ssh_config

The configuration file /etc/ssh/ssh_config contains settings related to the OpenSSH client. Learn more about this file its configuration.

Summary

The file /etc/ssh/ssh_config is the main configuration file of the OpenSSH server daemon (sshd). Purpose It defines the system-wide settings for the SSH client. It can be overriden by storing settings in ~/.ssh/config that takes precedence. Configuration To learn more about the available configuration settings, have a look at the section OpenSSH client configuration.

SSH client configuration

Linux systems are usually managed remotely with SSH. Learn how to configure and optimize the SSH client and improve its security.

Summary

Configuration files /etc/ssh/ssh_config ~/.ssh/config Configuration settings The client knows a lot of individual settings that may be configured in a configuration file or via the command-line. IdentityAgent Configure the socket to use for the SSH agent. See IdentityAgent Port Defines the port to be used. By default, the SSH server is configured with port 22 (TCP). ProxyJump Defines a bastion host (jump host, jump server, jump box) to connect to the destination system.

SSH configuration files

Learn about the locations where SSH client settings are configured and what precedence they take.

Summary

For the SSH client there are typically two places where configuration files are stored: in the home directory of the user and a global configuration file. User configuration Location: ~/.ssh/config This file is stored in the home directory of an user. It is optional and by default no file is available. System-wide configuration Location: /etc/ssh/ssh_config Overrides via: /etc/ssh/ssh_config.d/*.conf The default settings are in the ssh_config file. The system administrator may add customizations to this file, but typically it is advised to override settings using a separate configuration file.

SSH StrictHostKeyChecking option

Learn about the StrictHostKeyChecking option, available values, and how to configure it.

Summary

The SSH client won’t connect to a system when it sees that host key changed since the initial connection it made. This helps against MitM attacks. The client knows when the host key is different by comparing it with the related values in the ~/.ssh/known_hosts file. Values Value Automatically save new host keys Action if host key changed yes No Refuse ask No, ask Refuse accept-new Yes Refuse no | off Yes Connect When connecting to many different systems, the accept-new value can help reducing the manual step to accept keys.

SSH PasswordAuthentication option

Learn about the PasswordAuthentication option, available values, and how to configure it.

Summary

One of the common methods to authenticate with a SSH server is using the combination of a username and password. With the option PasswordAuthentication we can define if we want to use this type of authentication. While yes is the default, it might be useful to disable it for hosts that require public key authentication. This way we instruct the client to only try that.

How to disable the SSH host key check?

Learn how to disable the SSH check of host authenticity and key fingerprint with ssh option StrictHostKeyChecking.

Summary

Disable check for host authenticity

Change SSH server port number

Learn how to make changes to your SSH configuration to have it running on a different port than its default 22/TCP.

Summary

Why change your SSH port? Systems that are available via the internet and can’t be fully protected with a firewall, they might benefit from running on a different TCP port than the default 22. This way automated scanners will less likely probe your system(s), as they don’t know what port you use for SSH. Changing your SSH port won’t make a system more secure in itself, and therefore is often called security through obscurity.

Configure a SSH welcome message or banner

Learn how to configure a welcome messages for users before or after logging in via SSH.

Summary

Configure a Message of the Day The MOTD is typically stored in /etc/motd or a related directory, such as /etc/update-motd.d or /etc/motd.d/. The related message or messages are then displayed after a user is logged in. Another option is that the MOTD is displayed using the PAM configuration. To see if this is the case, perform a grep in your PAM configuration directory. grep -ir motd /etc/pam.d | grep -v ":#"

SSH escape sequences

Learn about the escape sequences that can be used with OpenSSH to initiate special commands.

Summary

Escape sequences are a patterns of keys that are recognized to send special instructions. To see the ones that are supported, press tilde (~) followed by a question mark (?). Supported escape sequences: ~. - terminate connection (and any multiplexed sessions) ~B - send a BREAK to the remote system ~C - open a command line ~R - request rekey ~V/v - decrease/increase verbosity (LogLevel) ~^Z - suspend ssh ~# - list forwarded connections ~& - background ssh (when waiting for connections to terminate) ~?

How to terminate a SSH connection that does not respond to CTRL+C

Learn about SSH escape sequences and how they can help with terminating a SSH connection that does not respond to CTRL+C.

Summary

Use an escape sequence to terminate a connection that is stuck

How to remove the passphrase from a SSH key

Remove the password or passphrase from a SSH key using the ssh-keygen command.

Summary

Remove a passphrase from existing SSH key

How to see the available SSH keys in the OpenSSH authentication agent

Show the available SSH keys that are loaded in the SSH authentication agent.

Summary

How to see the available SSH keys in the OpenSSH authentication agent

SSH: Frequently Asked Questions

Frequently asked questions about SSH, such as SSH keys, configuration, and usage.

Summary

/etc/ssh/sshd_config

The configuration file /etc/ssh/sshd_config contains settings related to the OpenSSH server daemon. Learn more about this file its configuration.

Summary

The file /etc/ssh/sshd_config is the main configuration file of the OpenSSH server daemon (sshd). Purpose It defines the primary set of settings, with the option of being overridden by configuration files from /etc/ssh/sshd_config.d/*.conf. Configuration To learn more about the available configuration settings, have a look at the section OpenSSH server configuration.

SSH Configuration

The configuration settings and suggestions related to the SSH client and SSH server daemon.

Summary

The configuration of SSH happens on both the client and server side.

SSH

Articles, commands, and settings to configure the SSH server and client.

Summary

An important part of system administration is a secure connection to it. With SSH we can achieve this easily. At the same time, there is a lot more to this protocol and set of commands. In this section all articles and configuration are collected.

How to find the OpenSSH version

Searching for the installed version of OpenSSH? Here are some commands to discover what software you are running.

Summary

SSH or Secure Shell is a popular protocol for doing system administration on Linux systems. Sometimes you may need to know what version you are running to know if some specific configuration options are available. In this article we have a look at the available options. Local OpenSSH version The easiest way to find the installed OpenSSH version is using the ssh -V command. This works when being logged in to the system itself.

Restrict SSH access to only allow rsync

Want to restrict SSH access to only allow rsync file synchronization? This article explains the steps and how to set it up.

Summary

Rsync is still one of the most popular tools to synchronize files between two systems. Although it has a few caveats when dealing with special files, it can do its job very well. In this explainer we will show how to use it in combination with SSH and at the same restrict SSH access to only allow the rsync job to run. In this article we refer to system01 having the original files and it wants to send them to the receiving system (system02)

OpenSSH security and hardening

The SSH configuration influences the security of your Linux system. This guide helps you to secure your OpenSSH server and client configuration.

Summary

SSH or Secure Shell is the popular protocol for doing system administration on Linux systems. It runs on most systems, often with its default configuration. As this service opens up a potential gateway into the system, it is one of the steps to hardening a Linux system. This article covers the SSH security tips to secure the OpenSSH service and increase the defenses of the system. OpenSSH security OpenSSH is under development by the security fanatics from the OpenBSD project.

Using Ed25519 for OpenSSH keys (instead of DSA/RSA/ECDSA)

Many years the default for SSH keys was DSA or RSA. There is a new kid on the block, with the fancy name Ed25519. Let's have a look at this new key type.

Summary

Learn how to use Ed25519 keys instead of the older types

The real purpose of login banners (on Linux)

We are used seeing login banners everywhere. What is the point of them, and why would they be useful? The answer is more surprising than you expected.

Summary

Login banners on Linux The first thing you might see when connecting to a Linux machine, is a login banner. Some systems use the default, others have put some serious work into it. Think of great forms of ASCII art, or a lot of impressive text. You might be surprised to learn the real reasons for having a banner in the first place. In this article we will discuss the purpose, and determine how we can improve the quality of our login banners.

Mosh, the SSH Alternative Option for System Administration

Learn about Mosh, an alternative for SSH. Let's dive into the reasons why it makes sense to learn about Mosh.

Summary

Mosh, or mobile shell, is the ideal tool for remote system administration. While SSH is great, Mosh beats it in several areas. Let’s dive into the reasons why it makes sense to learn about Mosh. Pros Session Resumption Remember the last time your connection was interrupted? It it frustrating and sometimes even leads to losing some of your work. The stable TCP connection is not always a blessing. Mosh comes to the rescue, especially for less stable connections.

Granting temporary access to your servers (using signed SSH keys)

SSH has the capabilities to give a colleague or vendor temporary access to your systems. Learn how to install and configure the related SSH settings.

Summary

In need of support from a colleague or vendor, but don’t want to give them permanent access? SSH has an option to allow temporary access! Next time you need to provide temporary access for an hour or day, use this great option. Configuration We have two machines for this purpose. One is a system running Arch Linux, the client system. The other one is a server, running Ubuntu Linux. For temporary support, we have created a functional account support on the Ubuntu server.

Distributing SSH keys: using ssh-copy-id, manually or automated

Learn how to get your SSH keys easier to another system using different available methods such as manually or a tool like ssh-copy-id

Summary

When you want to allow public key authentication, you have to first create a SSH keypair. Next step is then the distribution of the public key to the other systems. Let’s have a look at a few options, including using the ssh-copy-id utility. Option 1: Manually In the past, you had to log in manually to the new system and do things yourself. Especially if you created your key with a tool like PuTTYgen on Windows.

In-depth Linux Guide to Achieve PCI DSS Compliance and Certification

This is the technical Linux guide to achieve compliance with the PCI DSS standard. Become compliant, with Linux tips for configuration and auditing.

Summary

The standard itself is very detailed. Still, it sometimes unclear on what specifically to implement and when. This guide will help with translating the PCI standard to technical security controls on Linux systems. This document has the goal to help you further secure your network and pass the PCI DSS audit. It is important to note that this guide is a set of generic tips. Your IT environment might require additional security measures.

Using SSH keys instead of passwords

Linux systems are usually managed remotely with SSH, often still using passwords. Time to switch over to SSH keys and here is how to do that.

Summary

Linux systems are usually managed remotely with SSH (secure shell). Still many administrators are using passwords, instead of keys. Keys not only boost security, it also makes managing systems much easier. Instead of entering your password for each server, you only have to do it once per session. When managing several systems per day, you will be wondering why you ever used password based authentication before. Generating the SSH key Depending on your desktop platform, we first have to create a key pair.

SSH server configuration

Linux systems are usually managed remotely with SSH. Learn how to configure the SSH server daemon and improve its security.

Summary

SSH daemon The OpenSSH daemon is named sshd and typically this is also the process visible in a process listing. The main listener usually has a full path visible, while active SSH sessions get their own child process. Configuration files /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf The configuration file sshd_config is the primary file for the settings. Any settings in a configuration file specified in /etc/ssh/sshd_config.d will overwrite those listed in the primary configuration file.

Audit SSH configurations: HashKnownHosts option

Information about the HashKnownHosts option in the SSH configuration file. Explains how to audit and tune this option to secure an Unix based system.

Summary

How it works Each time the SSH client connects with a server, it will store a related signature (a key) of the server. This information is stored in a file names named known_hosts. The known_hosts file itself is available in the .ssh subdirectory of the related user (on the client). In the case the signature of the server changes, SSH will protect the user by notifying about this chance. Risk involved This configuration option is very useful, but also introduces a new risk.