SSH

The kasad.com server runs an SSH server to provide remote access. It's the standard OpenSSH server provided with Debian, but it has some changes in configuration.

Host key generation

Since the kasad.com server uses the default Debian image template from Vultr, it's a good idea to regenerate the SSH host keys. This just requires deleting the current ones and regenerating them using ssh-keygen(1):

# rm /etc/ssh/ssh_host_*_key*
# ssh-keygen -A

Configuration

This is the content of the /etc/ssh/sshd_config file for the kasad.com server:

#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
RekeyLimit default none

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
PermitUserEnvironment LANG,LC_*,TZ
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_* TZ

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Match Address 10.5.19.0/24
	PasswordAuthentication yes
	PermitEmptyPasswords no

Most of the configuration is default. The significant changes are listed below.

Disabling password authentication

Normally, users can log in via SSH by simply providing their username and password. This is disabled on kasad.com, as it allows for brute-force attacks.

PasswordAuthentication no

Exception for VPN connections

Users must be authenticated to connect to the kasad.com VPN. This means we won't be subject to any attacks originating from the VPN, so it's safe to allow password logins for users connecting from the VPN.

We do this by enabling password authentication only if the address of the user matches the VPN subnet.

Match Address 10.5.19.0/24
    PasswordAuthentication yes
    PermitEmptyPasswords no
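
To confirm the exception applies only to VPN addresses, the effective settings can be checked with sshd's extended test mode (`sshd -T -C`), which evaluates Match blocks for a given connection. The script below is an added example, not part of the kasad.com setup; the user name alice, the host labels and the outside address 203.0.113.10 are placeholders.

```sh
#!/bin/sh
# Added example: check that sshd's effective settings match the policy on this
# page (passwords only from the VPN subnet, never empty, no root login).

# effective_value KEY: read `sshd -T` style output on stdin, print KEY's value.
effective_value() {
    awk -v key="$1" 'tolower($1) == key { print $2; exit }'
}

# check_policy KIND: KIND is "vpn" or "internet"; reads `sshd -T` output on
# stdin and returns non-zero if any setting differs from the documented one.
check_policy() {
    case "$1" in
        vpn)      want_pw=yes ;;
        internet) want_pw=no ;;
        *)        echo "unknown connection kind: $1" >&2; return 2 ;;
    esac
    dump=$(cat)
    rc=0
    for pair in "passwordauthentication=$want_pw" \
                "permitemptypasswords=no" \
                "permitrootlogin=no"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$dump" | effective_value "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL [$1] $key: want $want, got ${got:-unset}" >&2
            rc=1
        fi
    done
    return "$rc"
}

# audit_sshd: evaluate the live config for one VPN client and one outside
# client. Needs root. User, host and the outside address are placeholders.
audit_sshd() {
    sshd -T -C "user=alice,host=vpn-client,addr=10.5.19.7" | check_policy vpn &&
    sshd -T -C "user=alice,host=outside,addr=203.0.113.10" | check_policy internet
}

# Only touch the real sshd when asked to: sh check-sshd.sh --live
case "${1:-}" in
    --live) audit_sshd ;;
esac
```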

Disable root login

By default, one can log in as the root user using a public key. We disable this, making it impossible to log in as root. Instead, log in as a normal user and use sudo(8).

PermitRootLogin no

Allow locale environment variables

We want to allow users to define their preferred locale and timezone, so we allow users to set the relevant environment variables when connecting.

PermitUserEnvironment LANG,LC_*,TZ
AcceptEnv LANG LC_* TZ