ssh configurations

Some configurations and good practices with SSH on the client and server.

Useful documentation can be found on the SSH Academy website.

SSH Client configs

These are the configurations done for clients.

SSH Key

An SSH key is an access credential, similar to a password, used in the SSH protocol.

1. Generating the key:

Keys are generated on the client with the ssh-keygen command:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/joachim/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/joachim/.ssh/id_rsa_test
Your public key has been saved in /home/joachim/.ssh/id_rsa_test.pub
The key fingerprint is:
SHA256:mb7jEJlwpb4CsQqMa/iwNzPdiUtmuTON/BFTl8UcSHA joachim@WS08210
The key's randomart image is:
+---[RSA 3072]----+
|        ooE+o.   |
|       o ..oo    |
|  . . o . o      |
|o  o + + +       |
|o.o   B S        |
|oo . . *         |
|=. o*=+..        |
|.+=+Bo+o..       |
|...+o=..o.       |
+----[SHA256]-----+

It is strongly advised to set a passphrase on the key: the passphrase is required to use the private key, so anyone who obtains the key file cannot use it without also knowing the passphrase. An SSH-Agent can then be used to avoid entering the passphrase multiple times during the same session (see next section).

2. Copying the key on the server:

For key-based authentication to work, the server must have the public key in the authorized_keys file of the user. There are two ways to add our public key to the file:

a. Use ssh-copy-id command:

   # copies ~/.ssh/id_rsa.pub into the server's ~/.ssh/authorized_keys (asks for the password once)
   ssh-copy-id username@192.168.1.10

b. Manually append our public key to ~/.ssh/authorized_keys on the server:

   cat ~/.ssh/id_rsa.pub | \
   ssh username@192.168.1.10 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Now, when we connect to the server, no password is asked.

SSH-Agent and Keychain

From the SSH Academy: An SSH-Agent is a helper program that keeps track of a user's identity keys and their passphrases. The agent can then use the keys to log into other servers without having the user type in a password or passphrase again. This implements a form of single sign-on (SSO).

Keychain is a manager for ssh-agent. It allows shells and cron jobs to share a single ssh-agent process. By default, the ssh-agent started by keychain is long-running and will continue to run even after you have logged out from the system. To change this behavior, the --clear option deletes all of the ssh-agent's keys, and the --timeout option sets a timeout in minutes on the keys.

To start keychain at login of a user, add these lines in the ~/.bashrc (or ~/.zshrc):

# With the --clear option, the user must enter the key passphrase at each new login
/usr/bin/keychain --clear $HOME/.ssh/id_rsa
# keychain names the file after the hostname: zsh sets $HOST, on bash use $HOSTNAME instead
source $HOME/.keychain/$HOST-sh

Note: If using the Powerlevel10k theme in zsh, these lines must be placed above the instant prompt block.

Config file

The client configurations are done in the ~/.ssh/config file (see client config doc):

# Defining a jumphost
Host jumphost01
    HostName 192.168.1.12
    ProxyJump none

# Defining a host
# A different username than 'joachim' is used for this host
Host raspberry
    User pi
    HostName 192.168.1.36

# Defining a host that is reached through the jumphost
Host devhost
    HostName 192.168.1.15
    ProxyJump jumphost01

# Every host that does not override the parameters below gets these values.
# ssh keeps the first value it finds for an option, so this catch-all block must stay last.
# ForwardAgent makes your agent usable by the remote host; keep it to hosts you trust.
Host *
    User joachim
    ForwardAgent yes

With this configuration, instead of doing:

$ ssh pi@192.168.1.36

We do:

$ ssh raspberry

Also, in this configuration, a jumphost has been configured. This means that when the command ssh devhost is run, an ssh connection is first made to the jumphost01 host, which then connects to devhost. This can be useful if devhost only allows connections from a certain IP or subnet.
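To make the "first value wins" rule and the jumphost chain concrete, here is an added example (not part of the original page) that resolves aliases from a copy of the config above the way ssh(1) does; it assumes plain wildcard Host patterns and single-hop ProxyJump values.

```python
import fnmatch

# Constructed copy of the client config discussed above.
SSH_CONFIG = """
Host jumphost01
    HostName 192.168.1.12
    ProxyJump none
Host raspberry
    User pi
    HostName 192.168.1.36
Host devhost
    HostName 192.168.1.15
    ProxyJump jumphost01
Host *
    User joachim
    ForwardAgent yes
"""

def parse_blocks(text):
    """Return [(host_patterns, {option: value}), ...] in file order."""
    blocks = [(["*"], {})]          # options before the first Host line apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # ignore blank lines and comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)   # first value within a block wins
    return blocks

def resolve(alias, text=SSH_CONFIG):
    """Effective options for `alias`: the first value obtained for each option wins,
    so the catch-all 'Host *' only fills in what earlier blocks left unset."""
    effective = {}
    for patterns, options in parse_blocks(text):
        # assumption: plain wildcard patterns only (no '!' negation)
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    effective.setdefault("hostname", alias)   # without HostName, ssh uses the alias itself
    return effective

def connection_order(alias, text=SSH_CONFIG):
    """Hosts ssh contacts, in order, following single-hop ProxyJump entries."""
    hops = [alias]
    while True:
        nxt = resolve(hops[-1], text).get("proxyjump", "none")
        if nxt == "none" or nxt in hops:   # 'none' (or a loop) ends the chain
            return hops[::-1]
        hops.append(nxt)
```

On a real client, `ssh -G devhost` prints the effective options for an alias, which is the quickest way to check that a `Host *` default or a ProxyJump applies as intended.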

SSH Server configs

The server configurations are done in the /etc/ssh/sshd_config file (see server config doc). The code snippet below only lists some important configs and their meaning:

##################################### Base configs #####################################
# Print last Login
PrintLastLog yes

# Display the banner in the file before login
Banner /etc/ssh/banner

# Log the fingerprint of every key used to authenticate
LogLevel VERBOSE

################################### Security configs ###################################

# Login as root not allowed
PermitRootLogin no

# Login to user with empty password not allowed
PermitEmptyPasswords no

### Jumphost useful features
# Allows forwarding the ssh-agent to the server, which is useful when a jumphost
# is used because the key passphrase only needs to be typed once.
AllowAgentForwarding yes
# Needed on the jumphost itself: ProxyJump reaches the next hop through a forwarded TCP channel
AllowTcpForwarding yes

# Whether X11 (display) forwarding is allowed
X11Forwarding no

# Disable non-relevant authentication methods
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

### Only allowing connections from specific addresses/subnets (this option can be used for better security)
### By default, public key and password authentication are disabled, but they are overridden on a match
PubkeyAuthentication no
PasswordAuthentication no

# This host can connect
Match Address 192.168.1.10
    PubkeyAuthentication yes
    PasswordAuthentication yes

# Hosts on this subnet can connect
Match Address 192.168.2.*
    PubkeyAuthentication yes
    PasswordAuthentication yes

# End previous match block
Match all
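To see which authentication methods a given client address ends up with under the Match blocks above, here is an added example (not part of the original page) that evaluates a copy of that configuration the way sshd(8) does: global directives are defaults, a matching Match block overrides them, and Match all closes the block. It assumes wildcard or CIDR address criteria without '!' negation.

```python
import fnmatch
import ipaddress

# Constructed copy of the relevant part of the sshd_config discussed above.
SSHD_CONFIG = """
PubkeyAuthentication no
PasswordAuthentication no
Match Address 192.168.1.10
    PubkeyAuthentication yes
    PasswordAuthentication yes
Match Address 192.168.2.*
    PubkeyAuthentication yes
    PasswordAuthentication yes
Match all
"""

def address_matches(client_ip, spec):
    """'Match Address' takes a comma-separated list of wildcard patterns or CIDR
    ranges (assumption: '!' negation is not handled here)."""
    for pat in spec.split(","):
        if "/" in pat:
            if ipaddress.ip_address(client_ip) in ipaddress.ip_network(pat, strict=False):
                return True
        elif fnmatch.fnmatchcase(client_ip, pat):
            return True
    return False

def effective_options(client_ip, text=SSHD_CONFIG):
    """Directives in force for a client connecting from client_ip."""
    global_opts, match_opts = {}, {}
    target = global_opts      # where the next directive goes; None = inside a non-matching block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit, _, arg = value.partition(" ")
            crit = crit.lower()
            matched = crit == "all" or (crit == "address" and address_matches(client_ip, arg))
            target = match_opts if matched else None
        elif target is not None:
            target.setdefault(key, value)   # sshd keeps the first value it obtains
    return {**global_opts, **match_opts}    # Match values override the global defaults
```

On a live server the equivalent check is `sshd -T -C addr=192.168.1.10,user=joachim,host=client.example`, which prints the configuration sshd would apply to that connection.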