SSHD Linux Setup
Secure Shell.
Secure SSHD Config
This is a baseline configuration that only allows public-key authentication, only for non-root users, and only for members of the ssh group. Each user's public keys are read from
/etc/ssh/authorized_keys/{USER}
rather than ~/.ssh/authorized_keys, so the file can be owned by root and a user cannot add keys to their own account. It targets OpenSSH 7.4 or later: 7.4 removed SSH protocol 1 from sshd and 7.5 made privilege separation mandatory, so the protocol-1 keywords (Protocol, KeyRegenerationInterval, RSAAuthentication, RhostsRSAAuthentication, ServerKeyBits) and UsePrivilegeSeparation are left out because they only produce a "Deprecated option" warning, and the ssh-dss host key is left out because ssh-dss has been disabled by default since OpenSSH 7.0. Check the file with sshd -t before restarting the daemon.
Port 22
AcceptEnv LANG LC_*
AllowAgentForwarding no
# Only members of this group may authenticate at all; create it and add users to it.
AllowGroups ssh
# Root-owned per-user key files; users cannot edit their own entries.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
LogLevel INFO
LoginGraceTime 120
MaxAuthTries 3
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PrintLastLog yes
PrintMotd no
PubkeyAuthentication yes
StreamLocalBindUnlink yes
# Refuse key files that other users could write to (file or any parent directory).
StrictModes yes
Subsystem sftp internal-sftp
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
# PAM account and session modules still run even though password authentication is off.
UsePAM yes
X11DisplayOffset 10
# Extra attack surface; set to no unless X11 applications are actually needed.
X11Forwarding yes
Add Users to Access Group
AllowGroups above means only members of the ssh group can authenticate, whatever keys they have. Create the group first if it does not already exist (addgroup ssh), add each user to it, and put the user's public key in /etc/ssh/authorized_keys/{USER}, owned by root with mode 0644, so the user can read the file but not change it. Validate the configuration before restarting, from a session you keep open until a fresh login has succeeded; on Debian and Ubuntu the unit is ssh, on most other distributions it is sshd.
addgroup {USER} ssh
sshd -t && systemctl restart ssh
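Added example, not from the original page: a POSIX sh audit that pipes the output of sshd -T (the effective configuration after defaults and Match blocks, printed as lowercase keyword/value pairs) through a checker for the hardening-relevant values in the config above. The function and variable names are mine, and the two sample dumps are constructed to look like sshd -T output rather than taken from a real host.

```shell
#!/bin/sh
# Added example (not part of the original page): audit the running sshd
# against the hardening-relevant settings of the config above.
# On a real host (needs root, because sshd -T loads the host keys):
#   sshd -T | check_sshd_effective        # exit status 0 == all settings in effect
# sshd -T prints "keyword value" with the keyword in lowercase, which is why
# the expected list is lowercase. OpenSSH before 8.7 prints the
# keyboard-interactive setting as "challengeresponseauthentication"; adjust
# that line on such hosts.
EXPECTED='permitrootlogin no
passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
kbdinteractiveauthentication no
hostbasedauthentication no
allowagentforwarding no
maxauthtries 3
usedns no
strictmodes yes
allowgroups ssh
authorizedkeysfile /etc/ssh/authorized_keys/%u'

# check_sshd_effective: reads sshd -T output on stdin, prints one MISMATCH
# line per deviation and returns 1 if there was any, 0 otherwise.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        key=${want%% *}
        # -F -x: whole-line fixed-string match, so '%' and '.' stay literal
        if ! printf '%s\n' "$dump" | grep -Fqx -- "$want"; then
            have=$(printf '%s\n' "$dump" | grep -i -- "^$key " | head -n 1)
            printf 'MISMATCH: want "%s", have "%s"\n' "$want" "${have:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed samples in the shape of sshd -T output (not from a real host).
# The first reflects the config on this page; the second looks like a stock
# server with password auth, root login and agent forwarding left on.
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
kbdinteractiveauthentication no
hostbasedauthentication no
allowagentforwarding no
maxauthtries 3
usedns no
strictmodes yes
allowgroups ssh
authorizedkeysfile /etc/ssh/authorized_keys/%u
x11forwarding yes'

SAMPLE_DEFAULT='port 22
permitrootlogin prohibit-password
passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
kbdinteractiveauthentication yes
hostbasedauthentication no
allowagentforwarding yes
maxauthtries 6
usedns no
strictmodes yes
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2'

# Stand-alone demo: the default-looking dump fails the audit and lists why.
printf '%s\n' "$SAMPLE_DEFAULT" | check_sshd_effective || echo "default-style config rejected, as expected"
```

Run it against the real daemon rather than the samples; sshd -T also accepts -C user=...,host=...,addr=... to evaluate Match blocks for a particular client, which matters if you add per-user restrictions later.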
Allow SSH Connections Through UFW
UFW may already be enabled with a policy that blocks incoming connections, so check its state before you restart sshd from a remote session: ufw status reports active or inactive together with the rules in effect. The usual baseline is to deny incoming, allow outgoing, and allow SSH. ufw allow ssh opens 22/tcp from every source; if you changed Port above, allow that port instead, and if ufw status said inactive, run ufw enable only after the SSH rule exists.
ufw status
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
Tip
Know which services the host is serving before setting the default. A default of deny incoming drops every connection you have not explicitly allowed, which might not be what you want.
Create a Port Forwarding Only User
Useful to expose a service through an SSH tunnel without giving the account a shell login. The account gets no password and /bin/false as its shell, so a normal session exits immediately; the actual restriction comes from the options on its key (restrict, port-forwarding and permitopen) in its root-owned key file. adduser creates the home directory, so no separate mkdir is needed.
adduser --disabled-password --home /etc/ssh/port-forwards-only --shell /bin/false port-forwards-only
addgroup port-forwards-only ssh
chmod 0700 /etc/ssh/port-forwards-only
chown port-forwards-only:port-forwards-only /etc/ssh/port-forwards-only
Generate the key pair on the client, not on the server, so the private key never exists on the host it unlocks:
ssh-keygen -b 4096 -t rsa -f ~/.ssh/port-forwards-only
Copy only port-forwards-only.pub to the server and append it to the file named by AuthorizedKeysFile in the config above; with that setting sshd does not consult a ~/.ssh/authorized_keys file at all:
cat port-forwards-only.pub >> /etc/ssh/authorized_keys/port-forwards-only
See Restricting SSH Tunneling and prefix the key with restrict,port-forwarding followed by one permitopen="host:port" entry per allowed destination; sshd compares the host:port a client asks for against these entries literally. Note that internal-sftp does not need a shell, so /bin/false alone does not stop sftp; add a command= option to the key line (or ForceCommand in a Match block) to close session channels as well.
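Added example, not from the original page or from the Restricting SSH Tunneling page it refers to: a POSIX sh helper that writes root-owned key files in the AuthorizedKeysFile layout above, either a plain key for a normal user (the Add Users to Access Group step) or a key prefixed with restrict,port-forwarding, one permitopen per allowed destination and a command= that closes any session channel (this port-forwards-only user). KEYS_DIR, the function names and the constructed public key in the test are mine; on a real host run it as root with KEYS_DIR unset so it installs into /etc/ssh/authorized_keys.

```shell
#!/bin/sh
# Added example (not part of the original page): install public keys into the
# root-owned per-user files that "AuthorizedKeysFile /etc/ssh/authorized_keys/%u"
# makes sshd read. KEYS_DIR is overridable so the functions can be exercised in
# a scratch directory; on a real host run as root with it unset.
KEYS_DIR=${KEYS_DIR:-/etc/ssh/authorized_keys}

# first_pubkey FILE: prints the first line of FILE if it is an OpenSSH public key.
first_pubkey() {
    key=$(head -n 1 "$1")
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) printf '%s\n' "$key" ;;
        *) echo "not an OpenSSH public key: $1" >&2; return 2 ;;
    esac
}

# forward_only_key_line PUBKEY_FILE HOST:PORT...
# Prints one authorized_keys line that permits nothing but TCP forwarding to
# the listed destinations:
#   restrict            disables pty, agent/X11 forwarding, user rc and all forwarding
#   port-forwarding     re-enables TCP forwarding only
#   permitopen="h:p"    one per destination; sshd compares the requested
#                       host:port against these strings literally
#   command="/bin/false"  any session channel (shell, exec, and the sftp
#                       subsystem, which internal-sftp serves without a shell)
#                       runs /bin/false and exits; "ssh -N" opens no session
forward_only_key_line() {
    pubkey_file=$1; shift
    [ $# -ge 1 ] || { echo "need at least one host:port" >&2; return 2; }
    opts='restrict,port-forwarding'
    for dest in "$@"; do
        case $dest in
            *:*) opts="$opts,permitopen=\"$dest\"" ;;
            *)   echo "bad destination '$dest' (want host:port)" >&2; return 2 ;;
        esac
    done
    key=$(first_pubkey "$pubkey_file") || return $?
    printf '%s,command="/bin/false" %s\n' "$opts" "$key"
}

# install_key_line USER LINE: appends LINE to $KEYS_DIR/USER with the ownership
# and modes StrictModes accepts (root-owned, not group/world writable) and
# readable by the user, because sshd opens the file with that user's uid.
install_key_line() {
    user=$1; line=$2
    mkdir -p "$KEYS_DIR" && chmod 0755 "$KEYS_DIR"
    printf '%s\n' "$line" >> "$KEYS_DIR/$user"
    chmod 0644 "$KEYS_DIR/$user"
    # ownership can only be set by root; a non-root dry run keeps the caller's uid
    chown root:root "$KEYS_DIR" "$KEYS_DIR/$user" 2>/dev/null || true
}

# install_user_key USER PUBKEY_FILE              -> normal login key
# install_user_key USER PUBKEY_FILE HOST:PORT... -> forwarding-only key
install_user_key() {
    user=$1; pubkey_file=$2; shift 2
    if [ $# -eq 0 ]; then
        line=$(first_pubkey "$pubkey_file") || return $?
    else
        line=$(forward_only_key_line "$pubkey_file" "$@") || return $?
    fi
    install_key_line "$user" "$line"
}

# Stand-alone use: sh thisfile.sh USER PUBKEY_FILE [HOST:PORT...]
[ $# -ge 2 ] && install_user_key "$@"
```

For the VNC case on this page the call is install_user_key port-forwards-only port-forwards-only.pub {SERVER}:5900, with the destination written exactly as the client will pass it in -L.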
Verify Restrictions
From the client, confirm that forwarding works and that nothing else does. The host:port given to -L must literally match a permitopen entry on the key; even when {SERVER} is the machine you are connected to, {SERVER}:5900 and localhost:5900 are different strings to sshd, and a mismatch shows up in the -vvv output as "administratively prohibited".
ssh -vvv -N -L 5901:{SERVER}:5900 -i ~/.ssh/port-forwards-only port-forwards-only@{SERVER}
ssh -vvv -i ~/.ssh/port-forwards-only port-forwards-only@{SERVER}
ssh -vvv port-forwards-only@{SERVER}
Note
Only the first command (-N, forwarding only) should stay connected. The second uses the right key but requests a session, so it must exit immediately; the third offers no key, so it must fail authentication, and with PasswordAuthentication no there is no password prompt to fall back to. Also try sftp with the same key: internal-sftp needs no shell, so it is refused only if the key line carries a command= option or a Match block sets ForceCommand.