Created
April 30, 2020 10:15
-
-
Save monbang/21b14e82cdc190076202ce1107765cbf to your computer and use it in GitHub Desktop.
SSH config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SSH | |
| Generate ssh keys | |
| Ed25519 is an EdDSA scheme with very small (fixed size) keys, | |
| introduced in OpenSSH 6.5, to check sshd version use sshd -V | |
| ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_personal_$(date +%Y-%m-%d) | |
| -C "Let's Play" -a 100 , | |
| for old severs ssh-keygen -t rsa -b 4096 -o -a 100 | |
| SSH key file transfer | |
| ssh-copy-id | |
| in /etc/ssh/sshd_config set PasswordAuthentication yes | |
| on client console ssh-copy-id -i ~/.ssh/id_file username@remote_host, | |
| enter the remote user password, this will add the public to server | |
| ~/.ssh/authorized_keys | |
| manual | |
| cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && | |
| touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> | |
| ~/.ssh/authorized_keys" | |
| Debian 10, OpenSSH (/etc/ssh/sshd_config) | |
| referrence https://infosec.mozilla.org/guidelines/openssh.html | |
| content_copy | |
| Port 7148 | |
| HostKey /etc/ssh/ssh_host_ed25519_key | |
| # Ciphers and keying | |
| KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 | |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
| # Ciphers and keying | |
| LoginGraceTime 1m | |
| PermitRootLogin no | |
| StrictModes yes | |
| MaxAuthTries 1 | |
| MaxSessions 1 | |
| IgnoreUserKnownHosts yes | |
| AuthenticationMethods publickey | |
| PasswordAuthentication no | |
| ChallengeResponseAuthentication no | |
| UsePAM no | |
| AllowAgentForwarding no | |
| AllowTcpForwarding no | |
| X11Forwarding no | |
| PermitTTY no | |
| PrintMotd no | |
| PrintLastLog no | |
| TCPKeepAlive yes | |
| ClientAliveInterval 15 | |
| ClientAliveCountMax 3 | |
| UsePrivilegeSeparation sandbox | |
| Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO | |
| Match User riju | |
| PermitTTY yes | |
| AllowUsers riju | |
| To deactivate short moduli in two commands: awk '$5 >= 3071' | |
| /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp | |
| /etc/ssh/moduli | |
| Secure .ssh/config from mozilla | |
| content_copy | |
| # Ensure KnownHosts are unreadable if leaked - it is otherwise easier | |
| to know which hosts your keys have access to. | |
| HashKnownHosts yes | |
| # Host keys the client accepts - order here is honored by OpenSSH | |
| HostKeyAlgorithms | |
| ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 | |
| KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 | |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| change password ssh-keygen -p -f ~/.ssh/id_dsa | |
| SSH folder permissions | |
| content_copy | |
| $ chmod go-w $HOME $HOME/.ssh | |
| $ chmod 700 $HOME/.ssh | |
| $ chmod 600 $HOME/.ssh/authorized_keys | |
| $ chown `whoami` $HOME/.ssh/authorized_keys | |
| $ chmod 400 $HOME/.ssh/id_{key files }(.pub)? | |
| SSHFS | |
| Mount as user, $sshfs deb@deb:/home/deb/php ~/Live -C -p 9120 -o idmap=user | |
| Unmount as user, $fusermount -u ~/Live |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment