Secure Shell (SSH) Tips

In this article I explain how I configure and use OpenSSH, first on the client side and then some minor ideas used on the server side configuration.

First thing is how keys are generated, using the comment-field to keep track of where the key was generated and when.
While rsa type is still very much useful, the ed25519 type is supposedly a bit better.

ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date +%Y%m%d)"

Next is the actual client configuration file; ~/.ssh/config

Protocol 2
HashKnownHosts yes

Include ~/.ssh/config.local

Host *
 Compression no
 ForwardAgent no
 ForwardX11 no

In the above configuration, the two parameters Protocol and HashKnownHosts are strictly defined. Trying to change these later in the configuration will not work, and OpenSSH will ignore any attempt to change them.

Next is the Include statement, that pulls in a similar configuration file where all the Host entries are kept, each with their own specific configuration parameters.

And last, Host *, is a catch-all entry which sets some parameters for entries that hasn’t yet defined them. As set above, Compression, ForwardAgent and ForwardX11 are always disabled, unless specifically defined in a host entry.

The server configuration file for OpenSSH is in /etc/ssh/sshd_conf, and the principle about first defined value does not apply.

Before running off and editing the configuration file, take a moment to copy your SSH-key to the server. If you don’t, the suggested edits below will lock you out from the machine.

ssh-copy-id -i ~/.ssh/id_ed25519

Usually there are two things always configure on each server; restricting authentication to public key authentication and explicitly white-list users that can connect to the host.

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers ap4087

The example above will only allow the user ap4087 to connect to the server, and authentication can only be done using public/private key pair.

That is it. Now there are a ton of other parameters that can be set to increase the security of your server, but there are much better resources out there made by experts on the subject.