“Change is the only constant in life.” — Heraclitus
Created by Marcus Rückert or just darix ;)
All options are single-line options. If you see something like the example below, remove the backslash and the following newline.
# /etc/ssh/ssh_config || ~/.ssh/config
SomeOption somevalue, \
anothervalue
So we get:
# /etc/ssh/ssh_config || ~/.ssh/config
SomeOption somevalue,anothervalue
The comment on top of each config snippet notes which file the setting can go into. In the example it can go in either /etc/ssh/ssh_config or ~/.ssh/config.
For openSUSE VMs we use ssh forwarding with xinetd and have a lot of connections to non-standard ports. This leads to:
ssh -p 1234 root@proxyhost.example.com
Especially annoying: scp uses a different command-line argument:
scp -P 1234 somefile root@proxyhost.example.com:
# ~/.ssh/config
Host myvm
Port 1234
User root
Hostname proxyhost.example.com
ssh myvm
man ssh_config
Ansible ignores the Port setting, but the Hostname alias works when using the ssh transport. You have to configure the port in Ansible again or patch Ansible.
Note: some of the following recommendations might not be state of the art anymore.
We have to look at 3 things here:
We are left with 1 and 5. 1 is better, and it is perfectly OK to support only that, but for interoperability (with Eclipse, WinSCP) 5 can be included.
# /etc/ssh/sshd_config
KexAlgorithms curve25519-sha256@libssh.org, \
diffie-hellman-group-exchange-sha256
# /etc/ssh/ssh_config || ~/.ssh/config
# GitHub needs diffie-hellman-group-exchange-sha1
# some of the time, but not always.
#Host github.com
# KexAlgorithms curve25519-sha256@libssh.org, \
# diffie-hellman-group-exchange-sha256, \
# diffie-hellman-group-exchange-sha1, \
# diffie-hellman-group14-sha1
Host *
KexAlgorithms curve25519-sha256@libssh.org, \
diffie-hellman-group-exchange-sha256
Disable SSH1. Disable DSA. Enable ED25519 (if your server supports it).
# /etc/ssh/sshd_config
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# /etc/ssh/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# /etc/ssh/ssh_config || ~/.ssh/config
Host *
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com, \
ssh-rsa-cert-v01@openssh.com, \
ssh-rsa-cert-v00@openssh.com, \
ssh-ed25519,ssh-rsa
# /etc/ssh/sshd_config
Ciphers chacha20-poly1305@openssh.com, \
aes256-gcm@openssh.com, \
aes128-gcm@openssh.com, \
aes256-ctr,aes192-ctr,aes128-ctr
# /etc/ssh/ssh_config || ~/.ssh/config
Host *
Ciphers chacha20-poly1305@openssh.com, \
aes256-gcm@openssh.com, \
aes128-gcm@openssh.com, \
aes256-ctr,aes192-ctr,aes128-ctr
# /etc/ssh/sshd_config
MACs hmac-sha2-512-etm@openssh.com, \
hmac-sha2-256-etm@openssh.com, \
hmac-ripemd160-etm@openssh.com, \
umac-128-etm@openssh.com, \
hmac-sha2-512,hmac-sha2-256, \
hmac-ripemd160,umac-128@openssh.com
# /etc/ssh/ssh_config || ~/.ssh/config
Host *
MACs hmac-sha2-512-etm@openssh.com, \
hmac-sha2-256-etm@openssh.com, \
hmac-ripemd160-etm@openssh.com, \
umac-128-etm@openssh.com, \
hmac-sha2-512,hmac-sha2-256, \
hmac-ripemd160,umac-128@openssh.com
# /etc/ssh/ssh_config || ~/.ssh/config
Host *
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# workaround for bug
# Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# /etc/ssh/ssh_config || ~/.ssh/config
Host *
KexAlgorithms diffie-hellman-group-exchange-sha256
HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# /etc/ssh/sshd_config
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
PubkeyAuthentication yes
PasswordAuthentication no
# re-enable if you want to use OTP together with ssh keys
ChallengeResponseAuthentication no
# /etc/ssh/sshd_config
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
PubkeyAuthentication yes
PasswordAuthentication no
# re-enable if you want to use OTP together with ssh keys
ChallengeResponseAuthentication no
ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100
"-o -a 100" makes it harder to brute-force the passphrase in case the key gets stolen (openssh >= 6.5).
$ ssh -vv hostname
[snip]
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
[snip]
debug1: Server host key: ED25519 cf:c0:.... [MD5]
[snip]
Based on:
"OpenSSH certificates" by Thomas Habets
Requires at least openssh >= 5.5 or better >= 6.0
~/.ssh/known_hosts
ssh-keygen -R
# ~/.ssh/known_hosts
@cert-authority *.example.com ssh-rsa AAAAB3[...]== Comment
Still a side channel, but only once for many hosts.
darix@mylaptop:~ $ ssh unknownhost.example.com
darix@unknownhost:~ $
darix@mylaptop:~ $ ssh oldmachinenewkey.example.com
darix@oldmachinenewkey:~ $
ssh-keygen -f host_ca
cat host_ca.pub
ssh-keygen -s host_ca -I 'host:unknownhost.example.com' -h \
-n unknownhost.example.com -V +52w \
unknownhost.example.com_ssh_host_rsa_key.pub
scp unknownhost.example.com_ssh_host_rsa_key.pub \
root@unknownhost.example.com:/etc/ssh/ssh_host_rsa_key.pub
# /etc/ssh/sshd_config
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
Rinse, repeat for the other key types (DSA, ED25519)
Reload the ssh server.
ssh-keygen -f user_ca
scp user_ca.pub root@somehost.example.com:/etc/ssh/user_ca.pub
# /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/user_ca.pub
Reload the ssh server.
ssh-keygen -s user_ca -I user_darix \
-n darix,root -V +52w darix_id_rsa.pub
Rinse, repeat for the other key types (DSA, ED25519)
scp darix_id_*-cert.pub darix@mylaptop.example.com:.ssh/
ssh -i ~/.ssh/id_25519.pub somehost.example.com
sshd[10219]: Accepted publickey for darix from 1.2.3.4 port 39190 \
ssh2: ED25519 b4:3d:... [MD5]
ssh -i ~/.ssh/id_25519-cert.pub somehost.example.com
sshd[10241]: Accepted publickey for darix from 1.2.3.4 port 39194 \
ssh2: ED25519-CERT ID user_darix (serial 0) CA RSA 58:5a:... [MD5]
ssh -i ~/.ssh/id_25519-cert.pub nobody@somehost.example.com
sshd[6377]: error: Certificate invalid: name is not a listed principal
ssh-keygen -k -f /etc/ssh/revoke.crl darix_id_rsa.pub
ssh-keygen -ku -f /etc/ssh/revoke.crl darix_id_ed25519.pub
# /etc/ssh/sshd_config
RevokedKeys /etc/ssh/revoke.crl
ansible all -m copy \
-a 'src=/etc/ssh/revoke.crl dest=/etc/ssh/revoke.crl'
sshd[11462]: error: WARNING: authentication attempt with a revoked \
RSA key 99:41... [MD5]
sshd[11462]: error: WARNING: authentication attempt with a revoked \
RSA-CERT key 99:41... [MD5]
ssh-keygen -L -f id_25519-cert.pub