Abertay Ethical Hacking Society
  • Home
  • Information
    • Constitution
    • Change Logs
      • Website
      • Discord
      • Github
      • Server
    • Meetings
      • 2021-2022
    • Honourary Members
  • Contributing
    • Contributions
      • Using Git
      • Formatting and Best Practise
  • Society Events
    • Securi-Tay
      • History
  • Help Guides
    • Programming / Scripting
      • AWK
      • Bash Scripting
      • C Coding
      • Java Coding
      • LaTeX
      • Markdown
      • Project Ideas
      • Python Scripting
      • Tools
    • Software
      • Operating Systems
        • Installing Arch
        • Installing Kali
        • Linux Commands for Beginners
        • MacOS
      • Tools
        • PGP
          • A guide to using PGP on Android
          • A guide to using PGP on macOS
          • PGP
        • Radare2
        • Nmap
        • Regular Expressions
        • The Browser Exploitation Framework (BeEF)
        • Vim
        • Vimium
        • Zsh
    • Networking
      • Domain Name System (DNS)
      • Remote access to your Abertay network drive
      • Secure Shell (SSH)
      • TLS 1.3
      • Wireshark
      • Subnetting
    • Techniques
      • A guide to creating malicious macro-enabled Excel worksheets
      • Open Source Intelligence (OSINT)
      • Google-Fu
    • Jobs
      • Common Interview Questions
    • Home Lab
      • PiHole
  • Glossary
    • Infosec Terms
    • Computing Terms
    • Hardware Terms
    • General Terms
    • Development Terms
    • Networking Terms
  • Members
    • Profiles
      • AG
      • Isaac
      • Sam
  • Other
    • Other
      • Data Dumps
      • Meetups
      • Meltdown & Spectre
      • Movies
      • Project topic suggestions
      • Recommended Reading
Powered by GitBook
On this page
  • Secure Shell (SSH)
  • Guides
  • Articles
  • Tools
  • Mobile
  • iOS
  • Examples
  • Generate Keys
  • Remove Hashed known_hosts Entry
  • Configuration
  • Key Types
  • Client
  • Server

Was this helpful?

  1. Help Guides
  2. Networking

Secure Shell (SSH)

PreviousRemote access to your Abertay network driveNextTLS 1.3

Last updated 3 years ago

Was this helpful?

Secure Shell (SSH)

Guides

  • - Mozilla

  • -

  • - CentOS Wiki

Articles

  • - (Latacora Blog)

  • -

  • - Marlon Dutra

Tools

  • “configuration and policy scanner” (Mozilla)

  • Generate and store SSH keys in the Mac Secure Enclave (ecdsa-sha2-nistp256 keys)

Mobile

iOS

Examples

Generate Keys

The ssh-keygen utility is used to create new SSH keys on most *nix systems.

ED25519

ssh-keygen -t ed25519 -a 100

  • -t: Type of key to generate

  • -a: Number of Key Derivation Function (KDF) rounds

Remove Hashed known_hosts Entry

If your client is set to hash known hosts e.g. has the following line in ~/.ssh/config

HashKnownHosts yes

Then your ~/.ssh/known_hosts file will be obfuscated.

To remove a host, when its hosts key changes, you'll need to execute:

ssh-keygen -R example.com

Which will remove all keys associated with that hostname from ~/.ssh/known_hosts.

Configuration

Key Types

Key types are listed in the order of preference below:

  • ED25519

  • >= 2048bit RSA

  • ECDSA

    • Never use DSA keys

    • Avoid ECDSA keys if you can

Client

Permissions

Only allow your user to access ~/.ssh and your private keys, allow group and world to access your public keys.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/id_*.pub

config

  # ~/.shh/config 
  # ssh_config(5) 

  Host * 
  # For all hosts use the following directives 

  Protocol 2 
  # Use only protocol version two 

  IdentitiesOnly yes 
  # By default ssh will send all public keys (identities) in ~/.ssh to the server if you don't specify which key to use with -i 
  # This prevents that by only using the public keys explicitly configured in config or specified with -i 

  VisualHostKey yes 
  # Print an ASCII art representation of the remote host key fingerprint at login and for unknown host keys 

  HashKnownHosts yes 
  # Hash host names and addresses when they are added to ~/.ssh/known_hosts. 
  # ssh-keygen -R hostname 
  # Removes all keys belonging to hostname from a known_hosts file. 
  UseRoaming no 
  # Mitigates CVE-0216-0777 

  # Cryptography 

  KexAlgorithms curve25519-sha256
  # Allow only curve25519
  
  HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
  # Allow ed25519, ECDSA and RSA SHA2 keys for client authentication
  # ed25519 is the preferred key type
  # ECDSA for Secretive/ Secure Enclave keys
  # rsa-sha2-* for compatibility

  Ciphers chacha20-poly1305@openssh.com
  # Only use chacha20-poly1305
  # Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does 
  #   not encrypt message sizes when GCM (or EtM) is in use. 
  #   This allows some traffic analysis even without decrypting the data.
  #   See: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html

  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
  # Only use encrypt then mac (etm) MACs
  # Allow only HMAC-SHA2-512/256 or UMAC-128
  #   https://crypto.stackexchange.com/a/56432

Server

Permissions

Only allow your user to access ~/.ssh and ~/.ssh/authorized_keys.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

sshd_config

# /etc/ssh/sshd_config 
# sshd_config(5) 

AddressFamily inet 
# Only use IPv4 

ListenAddress x.x.x.x 
# Default is to listen on all local addresses 
# Better to specify an actual IP address to listen on 

Protocol 2 
# Only use protocol version 2 

LogLevel VERBOSE 
# Logs user's key fingerprint on login 

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
# Key files cannot be group/world-accessible 

PermitRootLogin no 
# root user cannot login via SSH 

AuthenticationMethods publickey 
# Only allow public key authentication for login 

Subsystem sftp internal-sftp 
# Use sshd internal SFTP server code (plays nicer with Chroot) 
# See https://serverfault.com/a/660325 for differences with 
# Subsystem sftp /usr/libexec/openssh/sftp-server 
# If you just scp files you can disable this to reduce attack surface 

# Cryptography 

KexAlgorithms curve25519-sha256
# Allow only curve25519

HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
# Allow ed25519, ECDSA and RSA SHA2 keys for client authentication
# ECDSA for Secretive/ Secure Enclave keys
# ed25519 is the preferred key type
# rsa-sha2-* for compatibility

Ciphers chacha20-poly1305@openssh.com
# Only use chacha20-poly1305
# Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does 
#   not encrypt message sizes when GCM (or EtM) is in use. 
#   This allows some traffic analysis even without decrypting the data.
#   See: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# Only use encrypt then mac (etm) MACs
# Allow only HMAC-SHA2-512/256 or UMAC-128
#   https://crypto.stackexchange.com/a/56432

Debugging sshd Issues

sudo sshd -t
# Test mode. Only check the validity of the configuration file and sanity of the keys.
sudo systemctl restart sshd
# On systemd based systems restart the sshd service
sudo systemctl status sshd
# On systemd based systems print the status of the sshd service

If you use SSH on the go often you'll want to look at using

(Free)

(£12.99)

(£17.99)

DSA and ECDSA both .

These permissions are required by the directive.

OpenSSH Manual Pages
OpenSSH Guidelines
Secure Secure Shell
stribika
Securing SSH
The default OpenSSH key encryption is worse than plaintext
lvh
ChaCha20 and Poly1305 in OpenSSH
Damien Miller
How Facebook does SSH at scale
ssh_scan
Secretive
Mosh
Termius
App Store
Prompt 2
App Store
Blink Shell
App Store
fail catastrophically on bad randomness
StrictModes