Secure Shell (SSH) Tips

In this article I explain how I configure and use OpenSSH: first the client side, then a few smaller points about the server-side configuration.

The first step is generating a key. The comment field is used to record where and when the key was generated, which makes it easier to keep track of keys later.
While the rsa type is still very much usable, the ed25519 type is supposedly a bit better.

ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)-$(date +%Y%m%d)"

Next is the actual client configuration file, ~/.ssh/config:

Protocol 2
HashKnownHosts yes

Include ~/.ssh/config.local

Host *
 Compression no
 ForwardAgent no
 ForwardX11 no

In the configuration above, the two parameters Protocol and HashKnownHosts are fixed at the top. OpenSSH uses the first value it obtains for each parameter, so any later attempt to change them, whether in the included file or in a Host entry, is silently ignored.

Next is the Include statement, which pulls in a second configuration file of the same format where all the Host entries are kept, each with its own specific parameters.

Last, Host * is a catch-all entry that sets parameters for any host that has not already defined them. Because the first obtained value wins, it belongs after the Include. As configured above, Compression, ForwardAgent and ForwardX11 are always disabled unless a host entry specifically enables them.

The server configuration file for OpenSSH is /etc/ssh/sshd_config, and the first-defined-value principle described above does not apply there.

Before running off to edit the configuration file, take a moment to copy your SSH key to the server. If you don't, the edits suggested below will lock you out of the machine.

ssh-copy-id -i ~/.ssh/id_ed25519 username@example.org

There are two things I always configure on each server: restricting authentication to public key authentication, and explicitly whitelisting the users that are allowed to connect to the host.

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers ap4087

The example above only allows the user ap4087 to connect to the server, and authentication can only be done with a public/private key pair.
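As an added example (not part of the original post), here is a small POSIX shell audit that checks a server configuration file for the four settings above. The `ssh_values` and `ssh_audit` names and the sample config are constructed for this illustration; the script stops reading at the first Match block, whose settings apply only conditionally, and refuses to guess when a keyword is set twice with different values.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config-style file
# for the two settings recommended above. The sample config is constructed.

# Print every value given for one keyword (case-insensitive) in the global
# section, one per line. Scanning stops at the first Match block, because
# everything after it applies only conditionally, not to the whole server.
ssh_values() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                 # strip indentation
        /^#/ || /^$/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }        # conditional section: stop
        { split($0, kv, /[ \t=]+/) }           # "Key value" or "Key=value"
        tolower(kv[1]) == key {
            sub(/^[^ \t=]+[ \t=]+/, ""); sub(/[ \t]+$/, ""); print
        }' "$1"
}
# Check that the file enforces key-only logins and names the allowed users.
# A keyword set twice with different values is reported as a FAIL rather than
# guessing which copy sshd honours; an unset keyword counts as the OpenSSH
# default ("yes" for all three). Returns 0 only if every check passes.
ssh_audit() {
    rc=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                ChallengeResponseAuthentication=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(ssh_values "$1" "$key" | sort -u | tr '\n' ' ')"; got="${got% }"
        case "$got" in
            "")    got=yes ;;
            *" "*) echo "FAIL $key set more than once: $got"; rc=1; continue ;;
        esac
        if [ "$got" = "$want" ]; then echo "OK   $key $got"
        else echo "FAIL $key is '$got', want '$want'"; rc=1; fi
    done
    users="$(ssh_values "$1" AllowUsers | tr '\n' ' ')"   # AllowUsers lines add up
    if [ -n "$users" ]; then echo "OK   AllowUsers ${users% }"
    else echo "FAIL AllowUsers unset: any account may log in"; rc=1; fi
    return $rc
}
# Constructed sample: the post's settings plus a Match block that relaxes
# password logins for one subnet only and must not trip the global check.
DEMO_CONF="${TMPDIR:-/tmp}/sshd_config.demo.$$"
cat > "$DEMO_CONF" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers ap4087
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
ssh_audit "$DEMO_CONF"
```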

That is it. There are many other parameters that can be set to increase the security of your server, but there are much better resources on those, written by experts on the subject.