ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Securing SSH

    IT Discussion
    ssh ssh keys security
    11
    60
    5.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      DustinB3403 @black3dynamite
      last edited by

      @black3dynamite said in Securing SSH:

      @DustinB3403 said in Securing SSH:

      @pmoncho said in Securing SSH:

      @black3dynamite said in Securing SSH:

      On my Fedora laptop and desktop this is what I do.

      # Generating a new ED25519 key with a password
      ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
      

      May be a stupid question but, should we use passwords?

      You can, but you'd have to enter that password every time to connect using your SSH key.

      Unless use ssh-agent.

      How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

      B 1 Reply Last reply Reply Quote 0
      • B
        black3dynamite @DustinB3403
        last edited by

        @DustinB3403 said in Securing SSH:

        @black3dynamite said in Securing SSH:

        @DustinB3403 said in Securing SSH:

        @pmoncho said in Securing SSH:

        @black3dynamite said in Securing SSH:

        On my Fedora laptop and desktop this is what I do.

        # Generating a new ED25519 key with a password
        ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
        

        May be a stupid question but, should we use passwords?

        You can, but you'd have to enter that password every time to connect using your SSH key.

        Unless use ssh-agent.

        How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

        It's not stored in plain-text.

        https://www.emtec.com/ssh/agent.html
        c13e81b6-b25e-4ecb-9fee-94fb1ed55391-image.png

        P 1 Reply Last reply Reply Quote 2
        • P
          pmoncho @black3dynamite
          last edited by

          @black3dynamite said in Securing SSH:

          @DustinB3403 said in Securing SSH:

          @black3dynamite said in Securing SSH:

          @DustinB3403 said in Securing SSH:

          @pmoncho said in Securing SSH:

          @black3dynamite said in Securing SSH:

          On my Fedora laptop and desktop this is what I do.

          # Generating a new ED25519 key with a password
          ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)_$(date +%Y-%m-%d_%H:%M:%S%z)" -f ~/.ssh/id_ed25519
          

          May be a stupid question but, should we use passwords?

          You can, but you'd have to enter that password every time to connect using your SSH key.

          Unless use ssh-agent.

          How is ssh-agent storing your keypair password? It would have to be plain-text, wouldn't it? Which kind of defeats the point of adding a password to the keypair if the password for the pair is in plain-text. . .

          It's not stored in plain-text.

          https://www.emtec.com/ssh/agent.html
          c13e81b6-b25e-4ecb-9fee-94fb1ed55391-image.png

          Well damn. This is interesting to know. If that is the case, it just may be beneficial to use a passphrase if only done once per 8 hours. I can handle that.

          1 Reply Last reply Reply Quote 3
          • H
            hobbit666
            last edited by

            Silly question, i think i know the answer but checking 🙂
            If i'm using a windows machine logging in as a domain user - myname@domain.co.uk

            I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

            Do i need a user called myname (or myname@domain.co.uk) on the zabbix server?

            Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

            D S 2 Replies Last reply Reply Quote 0
            • D
              Dashrender @hobbit666
              last edited by

              @hobbit666 said in Securing SSH:

              Silly question, i think i know the answer but checking 🙂
              If i'm using a windows machine logging in as a domain user - myname@domain.co.uk

              I want to use SSH key pairs to log into my Zabbix Server. This was setup (On linux CentOS8) with two users when installing "root" and "zabb02".

              Do i need a user called myname (or myname@domain.co.uk) on the zabbix server?

              Also guess i generate the key pair on my Windows machine and upload the pub side to the Server(s)

              I'm taking a stab here because it's been two hours with no reply.

              I'm going to say no, you don't I have several VMs that I SSH into all the time, and non of them have my domain account on them, yet the Windows machine I'm on is on an AD.

              You could try to setup pass-through authentication, but the whole keypair thing goes away (I think)... though you could try to setup kerberos authentication on your Zabbix box so you can login using AD creds.

              1 Reply Last reply Reply Quote 0
              • S
                scottalanmiller @hobbit666
                last edited by

                @hobbit666 said in Securing SSH:

                Do i need a user called myname (or myname@domain.co.uk) on the zabbix server?

                No, you use any name you want on Zabbix.

                J 1 Reply Last reply Reply Quote 0
                • J
                  JaredBusch @scottalanmiller
                  last edited by

                  @scottalanmiller said in Securing SSH:

                  @hobbit666 said in Securing SSH:

                  Do i need a user called myname (or myname@domain.co.uk) on the zabbix server?

                  No, you use any name you want on Zabbix.

                  More specifically, on your desktop get used to typing ssh user@ip.add.re.ss instead of just ssh ip.add.re.ss

                  Or create a command alias: https://docs.microsoft.com/en-us/windows/console/console-aliases

                  1 Reply Last reply Reply Quote 2
                  • H
                    hobbit666
                    last edited by

                    Updated 2nd post

                    1 Reply Last reply Reply Quote 0
                    • D
                      Dashrender @hobbit666
                      last edited by

                      @hobbit666 said in Securing SSH:

                      Steps I used to connect to my Zabbix Server (CentOS 😎 from Win10

                      created a folder c:\users<username>.ssh
                      in powershell ran this command

                       ssh-keygen -o -a 100 -t ed25519 -C "my@email.com Desktop"
                      

                      Typed on the password i wanted to use (you can run a different command to have a password less key - see below)
                      This generated two files in .ssh - id_ed25519 and id_ed25519.pub

                      still in powershell i ssh'd onto the zabbix server

                      ssh <user>@<ip>
                      

                      Once in ran the following commands

                      sudo mkdir ~/.ssh
                      sudo nano ~/.ssh/authorized_keys
                      

                      copy the contents of the .pub file on the windows machine

                      sudo chown YourUserName:YourUserName ~/.ssh -R
                      sudo chmod 700 ~/.ssh
                      sudo chmod 600 ~/.ssh/authorized_keys
                      

                      Then from powershell ssh <user>@<ip> and it just asked me for the key password and i'm in 😄

                      Updated - 28/02/2020

                      So all of the public keys go into that single authorized_keys file? or does each user on the remote system have their own authorized_keys file?

                      H J 2 Replies Last reply Reply Quote 0
                      • H
                        hobbit666 @Dashrender
                        last edited by hobbit666

                        @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                        but my guess is in the same authorized_keys file on a separate line

                        J 1 Reply Last reply Reply Quote 0
                        • J
                          JaredBusch @Dashrender
                          last edited by

                          @Dashrender said in Securing SSH:

                          So all of the public keys go into that single authorized_keys file?

                          It is in the user directory. All of that user's keys are there.

                          But again, these are public keys.

                          D 1 Reply Last reply Reply Quote 0
                          • J
                            JaredBusch @hobbit666
                            last edited by JaredBusch

                            @hobbit666 said in Securing SSH:

                            @Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go 🙂
                            but my guess is in the same authorized_keys file on a separate line

                            This is your friend.

                            ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip
                            

                            if you only have a single public key you can simplify it to

                            ssh-copy-id user@ip
                            

                            I specify because my desktop has a few different generated keys.
                            3ff95aa0-de1f-4a83-b1c3-74c0919f78c8-image.png

                            H wirestyle22W 2 Replies Last reply Reply Quote 2
                            • D
                              Dashrender @JaredBusch
                              last edited by

                              @JaredBusch said in Securing SSH:

                              @Dashrender said in Securing SSH:

                              So all of the public keys go into that single authorized_keys file?

                              It is in the user directory. All of that user's keys are there.

                              But again, these are public keys.

                              Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
                              Just talking this through to myself.

                              Thanks.

                              J 1 Reply Last reply Reply Quote 0
                              • J
                                JaredBusch @Dashrender
                                last edited by

                                @Dashrender said in Securing SSH:

                                @JaredBusch said in Securing SSH:

                                @Dashrender said in Securing SSH:

                                So all of the public keys go into that single authorized_keys file?

                                It is in the user directory. All of that user's keys are there.

                                But again, these are public keys.

                                Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
                                Just talking this through to myself.

                                Thanks.

                                The username is specified at login. this has nothing to do with the key.

                                ssh user@ip
                                

                                you can easily use this key for root if you like to be unsecure.

                                ssh root@ip
                                
                                D 1 Reply Last reply Reply Quote 1
                                • H
                                  hobbit666 @JaredBusch
                                  last edited by

                                  @JaredBusch said in Securing SSH:

                                  This is your friend.

                                  ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip
                                  

                                  command not found in powershell 🙂 bu that's a windows problem.

                                  D 1 Reply Last reply Reply Quote 0
                                  • D
                                    DustinB3403 @hobbit666
                                    last edited by

                                    @hobbit666 said in Securing SSH:

                                    @JaredBusch said in Securing SSH:

                                    This is your friend.

                                    ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip
                                    

                                    command not found in powershell 🙂 bu that's a windows problem.

                                    That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

                                    J 1 Reply Last reply Reply Quote 1
                                    • D
                                      Dashrender @JaredBusch
                                      last edited by

                                      @JaredBusch said in Securing SSH:

                                      @Dashrender said in Securing SSH:

                                      @JaredBusch said in Securing SSH:

                                      @Dashrender said in Securing SSH:

                                      So all of the public keys go into that single authorized_keys file?

                                      It is in the user directory. All of that user's keys are there.

                                      But again, these are public keys.

                                      Yeah, I wasn't worried about a security situation... but I'm guessing by making the keys part of the profile on the end controlled device, that is what sets what user is logged in via the key, since there is no username associated with the key itself.
                                      Just talking this through to myself.

                                      Thanks.

                                      The username is specified at login. this has nothing to do with the key.

                                      ssh user@ip
                                      

                                      you can easily use this key for root if you like to be unsecure.

                                      ssh root@ip
                                      

                                      Thanks, I stand corrected.

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        JaredBusch @DustinB3403
                                        last edited by

                                        @DustinB3403 said in Securing SSH:

                                        @hobbit666 said in Securing SSH:

                                        @JaredBusch said in Securing SSH:

                                        This is your friend.

                                        ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip
                                        

                                        command not found in powershell 🙂 bu that's a windows problem.

                                        That's because windows doesn't have an ssh-copy-id function. You're expected to know to manually copy the file into .ssh

                                        That's his problem for using a shitty OS, not mine.

                                        H 1 Reply Last reply Reply Quote 4
                                        • H
                                          hobbit666 @JaredBusch
                                          last edited by

                                          @JaredBusch :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_winking_eye: :face_with_stuck-out_tongue_closed_eyes: :face_with_stuck-out_tongue_closed_eyes:
                                          I'll try moving to Fedora again at some point.

                                          1 Reply Last reply Reply Quote 1
                                          • H
                                            hobbit666
                                            last edited by

                                            So, I've done the keys and all is working with my Zabbix and Unifi servers. Not disabled password logins yet (apart from root).

                                            D 1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 3
                                            • 3 / 3
                                            • First post
                                              Last post