Better Secure Shell (SSH)

I highly recommend using SSH Public Key Authentication and a customized SSH client configuration to ease your everyday SSH workflows. I have more than 10 servers that I manage on a daily basis and using a password for each one would be tedious. Using the same password for all of them is definitely not recommended and is a risky decision. This post will be updated as I incorporate new and relevant changes to my setup.

The first thing you need in order to use SSH public key authentication is a key pair. My current version of ssh-keygen offers several key types:

-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa

I use ed25519 as my primary key type and rsa as my secondary for older servers. Generate the keys using the following commands:

ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100

Below is the command-line output from generating my primary key pair (the -f flag names the output files):

tankmek@pop-os:~/.ssh$ ssh-keygen -t ed25519 -o -a 100 -f cloud-ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in cloud-ed25519
Your public key has been saved in cloud-ed25519.pub
The key fingerprint is:
SHA256:TveNjDgKh0OS7NSS6goP9NSFpU7NhmS6/2S7v2qbF8A tankmek@pop-os
The key's randomart image is:
+--[ED25519 256]--+
|     o .         |
|    + B          |
|   . =.=         |
| . += oE         |
| .Booo  S .      |
|.+o+.. o + + o   |
|+ ..+..o+ o + .  |
|oo   ++ooo       |
|o..   oB*o.      |
+----[SHA256]-----+

Move the public and private keys to your .ssh directory and copy the public key to the appropriate server(s).

ssh-copy-id -i ~/.ssh/cloud-ed25519.pub user@ssh.host.com

Now we need to edit our SSH client configuration file (~/.ssh/config) to use this key and save some typing:

 Host *.fakelabs.io
   User smurf
   IdentityFile ~/.ssh/cloud-ed25519

 Host bitcoin
   Hostname bitcoin.fakelabs.org
   User yagami
   Port 3312
   IdentityFile ~/.ssh/honey_ed25519
 #-----------------

 Host sw0
   Hostname 10.10.14.254
   User michael
   KexAlgorithms diffie-hellman-group-exchange-sha1
   Ciphers aes256-cbc
   MACs hmac-sha1
   PreferredAuthentications password

 Host github.com
   Hostname github.com
   User git
   IdentityFile ~/.ssh/github-ed25519

 Host miner
   Hostname 10.10.16.87
   User miner
   Port 2220
   IdentityFile ~/.ssh/crytpo-ed25519

 Host nas
   Hostname 10.10.16.12
   User storage
   IdentityFile ~/.ssh/cloud-ed25519
   PreferredAuthentications password

 Host *
   ServerAliveInterval 120
   ServerAliveCountMax 20
   PreferredAuthentications publickey
   AddressFamily inet
   Protocol 2
   IdentitiesOnly yes
   Compression yes
   Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
   MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
   KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

The ssh_config man page covers the configuration file in detail, but notice that I have several keys for different sites and have added convenience options such as the username and hostname. Because ssh uses the first value it finds for each option, the host-specific sections come before the catch-all "Host *" section, which supplies the defaults for everything else. These options let me connect to a remote server with abbreviated ssh commands like the following:

ssh nas  # This connects me to my NAS
ssh sw0  # This connects me to a Cisco switch
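A config like the one above mixes modern defaults with per-host downgrades (the sw0 block pins SHA-1 key exchange, a CBC cipher and an HMAC-SHA1 MAC; sw0 and nas fall back to password authentication), and it is easy to lose track of which aliases carry them. The following POSIX shell/awk linter is an added example, not part of the original post: it walks an ssh_config, reports each Host alias whose block selects legacy algorithms or password auth, and runs here against a constructed, trimmed copy of the config; the function name lint_ssh_config is my own.

```shell
#!/bin/sh
# Print "alias<TAB>reason[,reason...]" for every Host block that pins a legacy
# Ciphers/MACs/KexAlgorithms value or prefers password authentication.
lint_ssh_config() {
  awk '
    BEGIN { host = "(global)" }                       # options before any Host line
    function flush() {
      if (reasons != "") printf "%s\t%s\n", host, reasons
      reasons = ""
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }         # trim whitespace
    /^$/ || /^#/ { next }                              # skip blanks and comments
    {
      # ssh_config accepts "Key value" and "Key=value"; normalise to the former
      line = $0; sub(/[ \t]*=[ \t]*/, " ", line)
      split(line, f, /[ \t]+/); key = tolower(f[1]); val = tolower(f[2])
    }
    key == "host" { flush(); host = substr(line, index(line, " ") + 1); next }
    (key == "ciphers" || key == "macs" || key == "kexalgorithms") && val ~ /(-cbc|sha1|3des|arcfour|group1-)/ {
      reasons = reasons (reasons == "" ? "" : ",") "legacy-" key
    }
    key == "preferredauthentications" && val ~ /password|keyboard-interactive/ {
      reasons = reasons (reasons == "" ? "" : ",") "password-auth"
    }
    END { flush() }
  ' "$1"
}

# Constructed sample: a trimmed copy of the shape of the config shown above,
# written to a temp file so the linter runs offline.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Host sw0
  Hostname 10.10.14.254
  KexAlgorithms diffie-hellman-group-exchange-sha1
  Ciphers aes256-cbc
  MACs hmac-sha1
  PreferredAuthentications=password

Host nas
  Hostname 10.10.16.12
  IdentityFile ~/.ssh/cloud-ed25519
  PreferredAuthentications=password

Host *
  PreferredAuthentications=publickey
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
  KexAlgorithms curve25519-sha256@libssh.org
EOF
lint_ssh_config "$SAMPLE_CFG"
```

Run it against your real file with lint_ssh_config ~/.ssh/config; an empty result means no block overrides the hardened "Host *" defaults.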

If you set up an ssh-agent you will only have to type the key passphrase once per session, but we will talk about that in another update.

Thanks for reading.
