ssh and OpenSSL
Author: Jackson Chen
SSH
https://www.ssh.com/academy/ssh/sshd_config
https://www.ssh.com/academy/ssh/protocol
ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to provide secure encrypted communications between two untrusted hosts over an insecure network.
Cryptographic policy
Symmetric algorithms for encrypting the bulk of transferred data are configured using the Ciphers option. A good value is aes128-ctr,aes192-ctr,aes256-ctr. This should also provide good interoperability.
Host key algorithms are selected by the HostKeyAlgorithms option. A good value is ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss.
Key exchange algorithms are selected by the KexAlgorithms option.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
Verbose logging
It is strongly recommended that LogLevel be set to VERBOSE. This way, the key fingerprint for any SSH key used for login is logged. This information is important for SSH key management, especially in legacy environments.
LogLevel VERBOSE
AuthorizedKeysFile location
Historically, most organizations have not touched the location of the authorized keys files. This means they are in each user's home directory, and each user can configure additional permanent credentials for themselves and their friends. They can also add additional permanent credentials for any service account or root account they are able to log into. This has led to massive problems in large organizations around managing SSH keys.
We strongly recommend that organizations establish proper life cycle management for key-based credentials, and set the related options as part of this process. See SSH key management and contact us for additional help.
AuthorizedKeysFile /etc/ssh/authorized-keys/%u
# Enterprises should also pay attention to the options
AuthorizedKeysCommand
AuthorizedKeysCommandUser
Root login
For enterprise use, root access should generally go through a privileged access management system.
# To disable passwords for root, but still allow key-based access without forced command
PermitRootLogin prohibit-password
# To disable passwords and only allow key-based access with a forced command
PermitRootLogin forced-commands-only
Login banner
Many enterprises, especially in the government, may want to print a login banner with legal warnings before asking for a password. The Banner option does this. If this option is specified, the contents of the file will be printed to the client before login.
Banner /etc/banner
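As an added example (not code from the original page or from ssh.com), the following Python script audits the global section of an sshd_config against the settings collected in the sections above: the Ciphers list, LogLevel VERBOSE, PermitRootLogin, an AuthorizedKeysFile outside the user's home, and a Banner. It honours how sshd actually reads the file (first occurrence of a keyword wins, anything after a Match line is conditional); the sample config is constructed.

```python
"""Audit the global section of an sshd_config against the settings collected above.
Added example, not code from the original page; sshd keywords are case-insensitive."""
import re
RECOMMENDED_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
RECOMMENDED_ROOT = {"prohibit-password", "forced-commands-only"}

def parse_global(text):
    """Map lowercased keyword -> value for the global section only. sshd accepts
    'Key value' and 'Key=value', skips '#' comments, keeps the FIRST occurrence
    of a keyword, and treats everything after the first 'Match' as conditional."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", raw.strip())
        if not m:  # blank lines and '#' comment lines do not match
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings
def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s, findings = parse_global(text), []
    ciphers = {c for c in s.get("ciphers", "").split(",") if c}
    if not ciphers:
        findings.append("Ciphers: not set, sshd default list applies")
    elif ciphers - RECOMMENDED_CIPHERS:
        findings.append("Ciphers: not in recommended list: "
                        + ",".join(sorted(ciphers - RECOMMENDED_CIPHERS)))
    if s.get("loglevel", "INFO").upper() != "VERBOSE":
        findings.append("LogLevel: not VERBOSE, login key fingerprints are not logged")
    if s.get("permitrootlogin", "").lower() not in RECOMMENDED_ROOT:
        findings.append("PermitRootLogin: expected prohibit-password or forced-commands-only")
    # A relative AuthorizedKeysFile resolves under each user's home directory.
    keyfiles = s.get("authorizedkeysfile", ".ssh/authorized_keys").split()
    if any(not p.startswith("/") for p in keyfiles):
        findings.append("AuthorizedKeysFile: under user home, users can add their own keys")
    if s.get("banner", "none").lower() == "none":
        findings.append("Banner: not configured")
    return findings
# Constructed sample: '=' syntax, a duplicate keyword, and a Match block to ignore.
SAMPLE = """# constructed sshd_config
Ciphers aes256-ctr,aes128-cbc
LogLevel=INFO
PermitRootLogin prohibit-password
PermitRootLogin yes
Match User deploy
    Banner /etc/banner
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host to list the deviations; note that `sshd -T` would also show the effective defaults, which this parser only approximates.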
ssh debugging
How to redirect ssh debug output to a file
# debug ssh to localhost
ssh -vvv localhost
# debug ssh to remote host as the same login name
ssh -vvv <remote-ip>
# debug ssh to remote host as remote user
ssh -vvv <remote-user>@<remote-ip>
# Redirect ssh debug output to a log file (debug messages are written to stderr)
ssh -vvv root@<remote-ip> > /tmp/ssh-result.txt 2>&1
ssh -vvv root@<remote-ip> 2>/tmp/result.txt
# The best way is using logsave
logsave result.txt ssh -vvv root@<remote-ip>
ssh commands
man ssh
ssh [-46AaCfGgKkMNnqsTtVvXxYy]
[-B bind_interface]
[-b bind_address]
[-c cipher_spec]
[-D [bind_address:]port]
[-E log_file]
[-e escape_char]
[-F configfile]
[-I pkcs11]
[-i identity_file]
[-J destination]
[-L address]
[-l login_name]
[-m mac_spec]
[-O ctl_cmd]
[-o option]
[-P tag]
[-p port]
[-R address]
[-S ctl_path]
[-W host:port]
[-w local_tun[:remote_tun]]
destination
[command [argument ...]]
ssh [-Q query_option]