SSHD

SSHD (the SSH daemon) controls how users can log in. Common options are key vs password authentication (PubkeyAuthentication / PasswordAuthentication), root login (PermitRootLogin), and user and group allow lists (AllowUsers / AllowGroups).

To configure sshd, modify /etc/ssh/sshd_config (or a drop-in file under /etc/ssh/sshd_config.d/ where the default config includes that directory). Check the result with sshd -t before reloading the service: a syntax error can lock you out of a remote host.

SSH tunnelling (port forwarding) routes traffic through the SSH connection, so devices on the network of the SSH server become reachable from the client even though they are not exposed directly.

SFTP with chroot

SFTP with chroot restricts filesystem access during encrypted file transfers: the chroot confines the user to one directory tree, and ForceCommand internal-sftp denies them a shell. This can be done with the following sshd_config (the Match block must come after the global settings, and sshd_config does not accept a trailing comment on a directive line, so the comment goes on its own line):

# per-user directory; it and every directory above it must be owned by root
# and not be group/world writable, or sshd refuses the login
Match Group sftpusers
    ChrootDirectory /home/sftp/%u
    ForceCommand internal-sftp

Because the chroot root itself must be root-owned, the user cannot write to it directly; create a subdirectory inside it (for example an upload directory) owned by the user for that.

Generate SSH keys

ssh-keygen -t ed25519 -C "comment" -f ~/.ssh/id_ed25519

Note that RSA should be avoided unless ed25519 is not available; if RSA is unavoidable, use at least 3072 bits (-b 4096 is common). Always set a passphrase on the private key.

Configure multiple keys for different servers

To manage different keys for different servers, create an ssh config file:

~/.ssh/config

In it, use the following syntax (one block per host):

Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/_id_rsa
  IdentitiesOnly yes

Additionally, Host is an alias of our choosing while HostName is the real address, so a block such as

Host myserver
  HostName ssh.steve.com

allows an SSH connection into ssh.steve.com by simply running ssh myserver. IdentitiesOnly yes is worth keeping on every block: it stops ssh offering every key the agent holds, which otherwise leaks key fingerprints to each server and can trip "Too many authentication failures".

Note, too, that to avoid typing the key passphrase on every connection we should add the following to the relevant Host block, or to a Host * block so it applies everywhere (UseKeychain is macOS-only and stores the passphrase in the login keychain; on Linux omit it and make sure an ssh-agent is running):

  AddKeysToAgent yes
  UseKeychain yes
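The procedure above, as an added example that is not part of the original notes: a function that appends a Host block to a config file (refusing duplicates and setting mode 600, since ssh rejects a config writable by others), plus a check using ssh -G, which prints the configuration ssh would actually use for an alias without connecting. The alias myserver, the user steve and the key path in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example: manage ~/.ssh/config host blocks and check the result.

# add_ssh_host CONFIG ALIAS HOSTNAME USER KEYFILE
# Appends a Host block unless one for ALIAS already exists (returns 1 then).
add_ssh_host() {
    cfg=$1 name=$2 host=$3 user=$4 key=$5
    if [ -f "$cfg" ] && grep -q "^Host $name\$" "$cfg"; then
        echo "Host $name already present in $cfg" >&2
        return 1
    fi
    # create the file without exposing it to other users
    ( umask 077; touch "$cfg" )
    cat >> "$cfg" <<EOF
Host $name
  HostName $host
  User $user
  IdentityFile $key
  IdentitiesOnly yes
  AddKeysToAgent yes

EOF
    chmod 600 "$cfg"
}

# effective_hostname CONFIG ALIAS -> the HostName ssh resolves for ALIAS
# (ssh -G evaluates Host/Match blocks and prints the result; needs ssh installed)
effective_hostname() {
    ssh -G -F "$1" "$2" | awk '$1 == "hostname" { print $2 }'
}

# usage (alias, user and key path assumed):
# add_ssh_host ~/.ssh/config myserver ssh.steve.com steve ~/.ssh/id_ed25519_steve
# effective_hostname ~/.ssh/config myserver    # prints ssh.steve.com
```

ssh -G is also the quickest way to see which key a block will offer (look at the identityfile lines) when a connection unexpectedly fails with "Permission denied (publickey)".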

Send SSH pub key to server

Use the ssh-copy-id command to append the public key to ~/.ssh/authorized_keys on the server (it logs in with a password once to do so). If the key has a non-default file name (which is the case after the steps above), pass it explicitly:

ssh-copy-id -i ~/.ssh/path/to/key USER@SERVER

Note that the command does NOT require a reference to the .pub file: if the name given does not end in .pub, ssh-copy-id adds it, so the private key path works. Once key login is confirmed, consider setting PasswordAuthentication no in sshd_config.

Using hostnames instead of IPs

For LAN connections, ensure that a DNS record exists for the host name (or add a line to /etc/hosts on the client). On a Pi-Hole, for instance, set a local DNS record named anachreon.earth to point at 192.168.1.98.

Then use anachreon.earth as the HostName in the ssh config file.

Fail2Ban

/etc/fail2ban/jail.conf is the main config file, but it is replaced on package upgrades, so best practice is to put overrides in /etc/fail2ban/jail.local (which takes precedence) rather than touching the main configuration:

[sshd]
enabled = true
bantime = 4w
maxretry = 3
port = ssh
filter = sshd
logpath = /var/log/auth.log

If the host logs only to the systemd journal and /var/log/auth.log does not exist, set backend = systemd in the jail instead of logpath, or fail2ban will see no failures and ban nothing.

The primary log file is /var/log/fail2ban.log. We can see current IP bans with fail2ban-client status sshd.

To unblock a banned address: fail2ban-client set sshd unbanip [ip-address].
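What the sshd jail above does, reduced to its core and written as an added example (not part of the original notes or of fail2ban itself): count failed logins per source address in an auth.log and report the addresses that reached maxretry. Real fail2ban also applies a findtime window and a richer set of regexes; this ignores the window. The log lines are constructed, using RFC 5737 documentation addresses, and the file name in the usage line is an assumption.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the fail2ban sshd filter + maxretry.

# ips_to_ban LOGFILE MAXRETRY -> one IP per line that failed at least MAXRETRY times
ips_to_ban() {
    awk -v max="$2" '
        # match the two most common sshd failure lines
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address is the field after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip }
    ' "$1" | sort
}

# sample_log -> constructed auth.log excerpt (not from a real host)
sample_log() {
    cat <<'EOF'
Mar  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  1 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar  1 10:00:05 host sshd[1203]: Invalid user admin from 203.0.113.5 port 51002
Mar  1 10:00:07 host sshd[1205]: Failed password for steve from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:09 host sshd[1206]: Accepted publickey for steve from 198.51.100.7 port 40001 ssh2
EOF
}

# usage (file name assumed):
# sample_log > auth.log.sample && ips_to_ban auth.log.sample 3   # prints 203.0.113.5
```

With maxretry = 3 only 203.0.113.5 is reported (two failed passwords plus one invalid-user attempt); 198.51.100.7 has a single failure followed by a successful key login and stays unbanned, which is the behaviour you want before rolling a long bantime like 4w out to a jail.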