Client Configuration

Typical end-user SSH configuration needs.

See Create Certificates for generating certificates to use.

Generate 4096-bit RSA keys.
ssh-keygen -b 4096 -t rsa -f {KEYNAME}
chmod 0600 {KEYNAME}
chmod 0640 {KEYNAME}.pub
Add the public key to authorized_keys so it can be used for login.
cat {KEYNAME}.pub >> ~/.ssh/authorized_keys

Restricting SSH Tunneling

Restrict which local ports and IPs can be reached through SSH tunneling.

All options go on one line in authorized_keys, comma separated, followed by the public key.

  • no-port-forwarding: disable all port forwarding.

  • no-X11-forwarding: disable X11 forwarding.

  • no-agent-forwarding: disable agent forwarding.

  • permitopen: explicitly allow forwarding to a given host:port.

Disable X11 forwarding but allow ports 80, 4243 and 32400 to be forwarded.

0600 user user ~/.ssh/authorized_keys
no-X11-forwarding,permitopen="localhost:80",permitopen="localhost:4243",permitopen="10.10.10.10:32400" {PUBKEY DUMP}

Allow the connection, but disable all port forwarding.

0600 user user ~/.ssh/authorized_keys
no-port-forwarding {PUBKEY DUMP}
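To check what a given authorized_keys line actually permits before relying on it, here is an added example (not code from the original page): a small Python parser for the options field that handles quoted permitopen values, evaluates whether a local forward to a host:port would be accepted, and audits a whole file for keys that still allow some kind of forwarding. It assumes the documented semantics of no-port-forwarding, no-X11-forwarding, no-agent-forwarding, permitopen (literal hosts, port or *, "any" to lift limits) and restrict (everything off unless re-enabled by e.g. port-forwarding). The sample file is constructed and the key blobs are placeholders, not real keys.

```python
# Key-type prefixes mark where the optional options field ends and the key begins
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _split_options(opt_str):
    """Split comma-separated options, honouring "quoted" values (which may
    contain commas); the quotes themselves are dropped."""
    parts, buf, in_quote = [], [], False
    for ch in opt_str:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf))
    return parts

def parse_authorized_keys(text):
    """One dict per key line: flags (lower-cased option names), permitopen
    values, key type, key blob and comment. Blank and # lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flags, permitopen = set(), []
        if not line.startswith(KEY_TYPE_PREFIXES):
            # the options field runs up to the first whitespace outside quotes
            in_quote, i = False, 0
            while i < len(line) and (in_quote or not line[i].isspace()):
                in_quote ^= line[i] == '"'  # toggle on each double quote
                i += 1
            for opt in _split_options(line[:i]):
                name, _, value = opt.partition("=")
                if name.lower() == "permitopen":
                    permitopen.append(value)
                else:
                    flags.add(name.lower())
            line = line[i:].strip()
        fields = line.split(None, 2)
        if len(fields) < 2:
            continue  # malformed line: no key type and blob
        entries.append({"flags": flags, "permitopen": permitopen, "type": fields[0],
                        "key": fields[1], "comment": fields[2] if len(fields) > 2 else ""})
    return entries

def _forwarding_enabled(flags, kind):
    """kind is 'port', 'x11' or 'agent'. 'restrict' turns every kind off unless
    the matching positive option (e.g. port-forwarding) re-enables it."""
    if f"no-{kind}-forwarding" in flags:
        return False
    if "restrict" in flags:
        return f"{kind}-forwarding" in flags
    return True

def forwarding_allowed(entry, host, port):
    """Would a local forward to host:port be accepted for this key? permitopen
    hosts are literal (no wildcards), the port may be '*', and 'any' lifts all
    destination restrictions."""
    if not _forwarding_enabled(entry["flags"], "port"):
        return False
    if not entry["permitopen"]:
        return True  # forwarding on with no destination limits at all
    for spec in entry["permitopen"]:
        if spec == "any":
            return True
        h, _, p = spec.rpartition(":")  # rpartition keeps [IPv6] literals intact
        if h.strip("[]") == host and p in ("*", str(port)):
            return True
    return False

def audit(text):
    """(comment, findings) for each key that still permits some forwarding."""
    report = []
    for e in parse_authorized_keys(text):
        findings = [f"{k} forwarding allowed" for k in ("x11", "agent")
                    if _forwarding_enabled(e["flags"], k)]
        if _forwarding_enabled(e["flags"], "port") and not e["permitopen"]:
            findings.insert(0, "unrestricted port forwarding")
        if findings:
            report.append((e["comment"], findings))
    return report

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
no-X11-forwarding,permitopen="localhost:80",permitopen="localhost:4243",permitopen="10.10.10.10:32400" ssh-rsa AAAAB3PLACEHOLDER1 tunnel-user@laptop
no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER2 shell-only@laptop
# legacy key added before any restrictions were applied
ssh-ed25519 AAAAC3PLACEHOLDER3 legacy@desktop
restrict,port-forwarding,permitopen="any" ssh-ed25519 AAAAC3PLACEHOLDER4 jump@ci
"""
```

Running audit(SAMPLE) flags the first page entry for still allowing agent forwarding, the second for X11 and agent forwarding, and the legacy key for all three; only the restrict-based entry comes back clean, which is why starting from restrict and re-enabling what is needed is the tighter pattern.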

SSH Host Configuration

Set up SSH to automatically select the correct options when connecting to hosts or shortcuts. See the detailed explanation of the config file. internal-sftp is now the default; it is built from the same code as sftp-server but also supports ChrootDirectory.

0600 user user ~/.ssh/config
# Autoselect github keys (SSH over port 443 goes through the ssh.github.com endpoint)
Host *.github.com github.com
  # GitHub always authenticates as the git user; the account is identified by the key
  User git
  HostName ssh.github.com
  Port 443
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/github

Host {CUSTOM NAME}
  HostName {HOST IP OR DNS}
  User {USER TO AUTH AS}
  IdentityFile ~/.ssh/{CERT}
  BatchMode yes
  CheckHostIP no
  PasswordAuthentication no
  KbdInteractiveAuthentication no
  PreferredAuthentications publickey
  # Skips host key verification entirely; prefer accept-new (or a pinned known_hosts entry) where a spoofed host matters
  StrictHostKeyChecking no
  Port {SSH SERVER PORT}
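Because ssh applies the first value it obtains for each keyword while scanning Host blocks in file order, the placement of blocks decides what a shortcut actually gets. The following added example (not the page's own code, and not how OpenSSH is implemented) is a small Python resolver that models that rule: Host patterns with * and ? globs and ! negation, first-value-wins per keyword, and accumulating IdentityFile entries. It assumes a file made only of Host blocks (Match blocks are not handled); the sample config is constructed from the layout above with made-up host names and paths.

```python
import re

# Keywords that accumulate across matching blocks instead of first-value-wins
_MULTI_VALUED = {"identityfile", "certificatefile"}

def _host_glob(pattern, name):
    """ssh_config patterns support only '*' and '?' (no [] classes)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None

def host_matches(patterns, alias):
    """A Host line may list several patterns; a matching '!'-negated pattern
    overrides any positive match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if _host_glob(pat[1:], alias):
                return False
        elif _host_glob(pat, alias):
            matched = True
    return matched

def parse_ssh_config(text):
    """Return [(patterns, [(keyword, value), ...])] in file order. Options
    before the first Host line apply to every host, modelled as 'Host *'.
    Match blocks are not handled (assumption: the file uses Host only)."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*[=\s]\s*(.*)$", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks

def effective_options(text, alias):
    """What `ssh alias` would use: blocks are scanned in file order and, per
    keyword, the first value obtained wins (so defaults belong at the end)."""
    opts = {}
    for patterns, kvs in parse_ssh_config(text):
        if not host_matches(patterns, alias):
            continue
        for key, value in kvs:
            if key in _MULTI_VALUED:
                opts.setdefault(key, []).append(value)
            else:
                opts.setdefault(key, value)
    return opts

# Constructed config modelled on the layout above; host names and paths are
# made up for the example.
SAMPLE_CONFIG = """\
# GitHub over port 443 goes through the ssh.github.com endpoint
Host *.github.com github.com
  User git
  HostName ssh.github.com
  Port 443
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/github

Host homelab
  HostName 10.10.10.10
  User deploy
  IdentityFile ~/.ssh/homelab
  BatchMode yes
  StrictHostKeyChecking no
  Port 2222

# Defaults for everything else: last, so the per-host values above win
Host *
  StrictHostKeyChecking accept-new
  IdentityFile ~/.ssh/id_ed25519
  ServerAliveInterval 30
"""

if __name__ == "__main__":
    for alias in ("github.com", "homelab", "db.internal"):
        print(alias, effective_options(SAMPLE_CONFIG, alias))
```

The design point is the trailing Host * block: placed last it only fills in keywords the specific blocks left unset, so the homelab block keeps its own StrictHostKeyChecking value while unlisted hosts get accept-new. To compare against what the real client resolves, `ssh -G alias` prints the effective configuration without connecting.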

Importing RSA Keys for PuTTY/WinSCP on Windows

See the PuTTYgen documentation.

  1. Copy the RSA private key to the Windows computer.

  2. Win + R › puttygen › Conversions › Import key (select the private key)

  3. Rename the key comment to user@server.

  4. Save the private key as a .ppk file on the local machine.

  5. Delete the copied RSA key files (use sdelete64).

  6. Update the public key's comment in the authorized_keys file to record which key is in use.