Securing SSH

hobbit666

@DustinB3403 I've already got the password on the keys. I've just not disabled password logins in case i kill something and need to get access :). Planning on removing it once i've "SSH Key's" the other servers.

DustinB3403

@hobbit666 said in Securing SSH:

@DustinB3403 I've already got the password on the keys. I've just not disabled password logins in case i kill something and need to get access :). Planning on removing it once i've "SSH Key's" the other servers.

Have you confirmed that key based login works? If so, then you login as user@ip and elevate to root. Disable root login period via ssh and only allow elevation.

pmoncho

@hobbit666 said in Securing SSH:

@DustinB3403 I've already got the password on the keys. I've just not disabled password logins in case i kill something and need to get access :). Planning on removing it once i've "SSH Key's" the other servers.

Don't forget, you can still login as root or a admin user on the console. You are only securing ssh.

If you want to test, login to the console of the server (stay logged in), change your sshd_config, restart sshd process, test logging in with your keys and/or any other testing you want to do. If all is well, log out of the console.

wirestyle22

@JaredBusch said in Securing SSH:

@hobbit666 said in Securing SSH:

@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

if you only have a single public key you can simplify it to

ssh-copy-id user@ip

I specify because my desktop has a few different generated keys.

How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

JaredBusch

@wirestyle22 said in Securing SSH:

@JaredBusch said in Securing SSH:

@hobbit666 said in Securing SSH:

@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

if you only have a single public key you can simplify it to

ssh-copy-id user@ip

I specify because my desktop has a few different generated keys.

How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

No one has 100 keys unless they have 100 desktops.

But yes. you can easily script this.

See:

@scottalanmiller said in Securing SSH:

Correct. We put our public keys into scripts to deploy and have them listed on a wiki, too. So that it is easy to add users to a system.

coliver

@wirestyle22 said in Securing SSH:

@JaredBusch said in Securing SSH:

@hobbit666 said in Securing SSH:

@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

if you only have a single public key you can simplify it to

ssh-copy-id user@ip

I specify because my desktop has a few different generated keys.

How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

There is also a way to do a trusted key broker. So you have a single CA that verifies your identity.

stacksofplates

@coliver said in Securing SSH:

@wirestyle22 said in Securing SSH:

@JaredBusch said in Securing SSH:

@hobbit666 said in Securing SSH:

@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

if you only have a single public key you can simplify it to

ssh-copy-id user@ip

I specify because my desktop has a few different generated keys.

How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

There is also a way to do a trusted key broker. So you have a single CA that verifies your identity.

Right there's a few ways to do this. Key management through LDAP, SSH certs with a CA, rotating credentials with something like Vault, etc.

IRJ

@stacksofplates said in Securing SSH:

@coliver said in Securing SSH:

@wirestyle22 said in Securing SSH:

@JaredBusch said in Securing SSH:

@hobbit666 said in Securing SSH:

@Dashrender To be honest that's my next step is now to make some keys for my laptop, and see how and where they go
but my guess is in the same authorized_keys file on a separate line

This is your friend.

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@ip

if you only have a single public key you can simplify it to

ssh-copy-id user@ip

I specify because my desktop has a few different generated keys.

How does this fit into disaster recovery plans when you have many hundreds of ssh keys and a large IT team? If one person has 100 keys to various servers and their laptop dies, are you guys using a script to copy the keys per user? Also new user creation or deleting keys when someone leaves

There is also a way to do a trusted key broker. So you have a single CA that verifies your identity.

Right there's a few ways to do this. Key management through LDAP, SSH certs with a CA, rotating credentials with something like Vault, etc.

You can do this something like Okta ASA as well.

https://help.okta.com/en/prod/Content/Topics/Adv_Server_Access/docs/asa-overview.htm

stacksofplates

Another really good option is not letting them log directly into the systems at all and forcing them to use a config management tool. So something like Tower or a Jenkins server that logs all of the commands run and has the permissions set there.

scottalanmiller

@stacksofplates said in Securing SSH:

Another really good option is not letting them log directly into the systems at all and forcing them to use a config management tool. So something like Tower or a Jenkins server that logs all of the commands run and has the permissions set there.

Right. Just like the best defense is a good offense (or vice versa?) The most secure port, is a closed port. Locking down SSH, no matter how good, isn't as good as completely closing it.

Or using config management to only open it when necessary, is an "in between" step, too.