SSH Tips and Tricks

Stephen Warren and Sean Reifschneider

Security Recommendations

• I like SSH
• Reiterating much of what Stephen is talking about
• Disable SSH password authentication
  • Use public keys intstead
• Limit logins
  • AllowUser "jafo root"
  • Can also "AllowGroup sshusers" or similar.
  • That way adding a user account doesn't convey SSH access.
• PermitRootLogin without-password

More Security Recommendations

• Move SSH to another port
  • echo $[RANDOM%1024]
  • Change "Port" in /etc/ssh/sshd_config
  • Use ~/.ssh/config or /etc/ssh/config to make logging in easier
  • See also: Some people take all the fun out of SSH. (http://www.tummy.com/journals/entries/jafo_20041029_151145)
• Limiting connections via hashlimit:
  • iptables -I INPUT -m tcp -p tcp --dport 22 -m state --state NEW -j REJECT

  • iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 22 \
          --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh \
          -m state --state NEW -j ACCEPT

  • See also: More SSH attack activity. (http://www.tummy.com/journals/entries/jafo_20050716_152920)

Authorized_keys and public key auth

• Makes having different passwords on every machine easy
• Do not put identities on unsecure machines
• Create ssh identities with ssh-keygen
• ssh-agent can mean not having to type passwords all the time
• "ssh-add -D" to drop passwords, say when screen saver kicks in
• On remote systems append your ~/.ssh/id_*.pub to ~/.ssh/authorized_keys
• Make sure your id_*.pub remains one line
• authorized_keys can include restrictions (see below)
• Agent forwarding can allow users on remote systems to connect elsewhere.
• Agent forwarding can allow you to copy to/access other systems without passwords
• Not typing passwords into possibly compromised remote systems is good
• Limit agent forwarding to only when you need to use it
  • ssh -A user@host

Limiting keys

• Prefit the key in ~/.ssh/authorized_keys with things like:
  • command="rsync --server /directory"
  • environment="INPUTRC=~/.inputrc-vi" (Requires PermitUserEnvironment)
  • from="10.9.8.7"
  • no-agent-forwarding
  • no-port-forwarding
  • no-X11-forwarding
• So, the authorized_keys line looks like:
  • no-port-forwarding,command="id" ssh-rsa AAAAB3Nz[...]

Automated SSH connections

• SSH identities without passwords
• Can be used by scripts, for example backup scripts
• Create identity with: ssh-keygen -t rsa -N '' -f backup-identity
  • Generates "backup-identity.pub" and "backup-identity".
  • Use "backup-identity.pub" in .ssh/authorized_keys as below.
  • Use "ssh -i backup-identity user@host" to make the connection.
• Useful for things like:
  • Backups
  • Limited, cron-based, SVN access
  • Pushing e-mail to a client when it connects
  • Loading data onto remote machines
• Limit as in previous slide

SSH config files

• ~/.ssh/config
• Based on system, do special things
• For example, use a different port
• Can have multiple matches
• Last match overrides settings from earlier matches

SSH Config Example

• Host hostname hostname.example.com 10.9.8.7
     HostKeyAlias hostname.example.com
     HostName hostname.example.com
     Port 86
  
  Host *.example.com
     Port 222
  
  Host *
     SendEnv INPUTRC
     ForwardAgent no
     ForwardX11 no
     KeepAlive yes
     HashKnownHosts no
     GSSAPIAuthentication no

• SendEnv requires "AcceptEnv" in remote host sshd_config.