First and foremost, the client has ipfw enabled and the firewall ruleset is configured in /etc/ipfw.conf. ipfw has been configured to block all inbound traffic and block all outbound traffic except for the ports and IP addresses that are necessary for connecting to the OpenSSH server. The server is running FreeBSD 8.2.
FreeBSD 8.2 - sshd on a.b.c.d:21465 [pf] | <--------Internet----------> | [ipfw] OS X Lion - ssh client
To start with, install coreutils and apg on the client. coreutils and apg can be obtained from MacPorts and can be installed as follows:
client: $ sudo port install coreutils
client: $ sudo port install apg
Before generating a public/private keypair, generate a strong passphrase for the private key. It is important to store this passphrase in a secure location, not on a computer.
client: $ openssl rand -base64 1000 | shasum-5.12 -a 512 | apg -M SNCL -a 1 -m 20 -x 20
Depending on the version of OpenSSH (should be using latest stable for the OS), ECDSA may be used in addition to DSA and RSA. Certificates may also be used for user and host authentication. See the ssh-keygen man page for details. Generate the keypair using the following command. When prompted for the passphrase, use the output from the above command.
client: $ ssh-keygen -b 4096 -t rsa -C "$(id -un)@$(hostname)-$(gdate --rfc-3339=date)"
Here is an example of how to use ssh-keygen to generate a public/private keypair using the Elliptic Curve Digital Signature Algorithm. Both the client and server must be running a version of OpenSSH >= 5.7.
client: $ ssh-keygen -b 521 -t ecdsa -C "$(id -un)@$(hostname)-$(gdate --rfc-3339=date)"
Now, we need to push the public key to the server and place it in the authorized_keys file of the user that we are going to log in as over ssh.
The ssh-copy-id command can be used to automate this process. On the OS X client, the ssh-copy-id command does not come preinstalled with SSH. The ssh-copy-id command can be obtained from http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/ssh-copy-id/files/ssh-copy-id?rev=1.1;content-type=text%2Fplain.
After downloading the script, make it executable and place it in a directory on your PATH.
At this point, the server should be running OpenSSH on port 22 with the default configuration. Transfer the public key with the following command:
client: $ ssh-copy-id -i ~/.ssh/id_xxxyy.pub bryan@a.b.c.d
It is time to set up connection sharing. Create the following file if it does not currently exist (the listing shows the expected owner-only permissions).
client: $ ls -l ~/.ssh/config
-rw------- 1 bryan scclp 104 Aug 13 10:55 config
The file should contain these lines.
ServerAliveInterval 60
Host a.b.c.d
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p
The goal is to only allow connections to the server in AES-256 counter mode, with umac-64 or hmac-ripemd160 MACs, and compression, on a non-standard SSH port from a designated IP range using public key authentication. Connections will also be throttled, and SSHGuard along with a few custom PF rules on the server will be used to block and log attackers. The commands that the client will use to connect to the server will look like this:
client: $ alias sshconnect="ssh -l bryan a.b.c.d -p 21465 -C -c aes256-ctr -m umac-64@openssh.com,hmac-ripemd160"
client: $ alias sshtunnel="ssh -v -ND 8090 bryan@a.b.c.d -p 21465 -C -c aes256-ctr -m umac-64@openssh.com,hmac-ripemd160"
client: $ alias sshmonitor="yes | pv | ssh -l bryan a.b.c.d -p 21465 -C -c aes256-ctr -m umac-64@openssh.com,hmac-ripemd160 \"cat > /dev/null\""
client: $ alias sshportforward="ssh -f bryan@a.b.c.d -p 21465 -C -c aes256-ctr -m umac-64@openssh.com,hmac-ripemd160 -L 15478:localhost:15479 -N"
client: $ alias sshportforward2="ssh -f bryan@a.b.c.d -p 21465 -C -c aes256-ctr -m umac-64@openssh.com,hmac-ripemd160 -L 17293:localhost:17294 -N"
Alternatively, Ciphers, MACs, and compression can be specified in the user config file as follows:
ServerAliveInterval 60
Host host.name.com
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p
Port 21465
User bryan
Ciphers aes256-ctr
Compression yes
MACs umac-64@openssh.com,hmac-ripemd160
StrictHostKeyChecking yes
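One detail worth checking when a config like the one above grows: ssh uses the first value it obtains for each keyword, so a later "Host *" block cannot override the Ciphers or MACs set for host.name.com, while a global line such as ServerAliveInterval placed before any Host block applies everywhere. The following script is an added example, not code from the original post; it resolves the effective settings for a host from an ssh_config text using that first-match rule. SAMPLE_CONFIG is constructed from the post's fragments plus two extra Host blocks, and the script assumes only POSIX sh and awk (negated patterns and Match blocks are not handled).

```shell
#!/bin/sh
# Added example (not code from the original post): resolve the settings that
# ssh would apply to a given host from an ssh_config text, using the client's
# rule that the FIRST obtained value for a keyword wins. Keywords are
# case-insensitive and Host patterns may use * and ? globs. Negated patterns
# (!pattern) and Match blocks are deliberately not handled here.
#
# SAMPLE_CONFIG is constructed from the post's two config fragments plus two
# extra Host blocks that show why a catch-all "Host *" must come last.
SAMPLE_CONFIG='ServerAliveInterval 60
Host host.name.com
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h:%p
    Port 21465
    User bryan
    Ciphers aes256-ctr
    Compression yes
    MACs umac-64@openssh.com,hmac-ripemd160
    StrictHostKeyChecking yes
Host *.example.org
    Port 2222
# Defaults for every other host; placed last so they cannot override the above
Host *
    Ciphers aes128-ctr
    Port 22'

# ssh_effective CONFIG_TEXT HOSTNAME KEYWORD
#   prints the value ssh would use for KEYWORD when connecting to HOSTNAME;
#   returns 1 (prints nothing) when the config sets no such value.
ssh_effective() {
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | awk -v host="$2" -v want="$want" '
    function glob2re(p,    r) {             # ssh Host glob -> anchored ERE
        r = p
        gsub(/[.+^$(){}|\\]/, "\\\\&", r)   # escape ERE metacharacters
        gsub(/\*/, ".*", r)
        gsub(/\?/, ".", r)
        return "^" r "$"
    }
    BEGIN { active = 1 }                    # lines before any Host are global
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    $0 == "" || $0 ~ /^#/ { next }          # skip blanks and comments
    { key = tolower($1); sub(/^[^ \t=]+[ \t=]+/, "") }   # $0 is now the value
    key == "host" {                         # block applies if any pattern matches
        active = 0
        n = split($0, pats, /[ \t]+/)
        for (i = 1; i <= n; i++) if (host ~ glob2re(pats[i])) active = 1
        next
    }
    key == want && active && !seen { print; seen = 1 }   # first value wins
    END { if (!seen) exit 1 }'
}

# Stand-alone run: show what the post's Host block yields for host.name.com
for k in Port User Ciphers MACs Compression StrictHostKeyChecking ServerAliveInterval; do
    printf '%-22s %s\n' "$k" "$(ssh_effective "$SAMPLE_CONFIG" host.name.com "$k")"
done
```

On a client with OpenSSH 6.8 or later, `ssh -G host.name.com` prints the same resolved configuration straight from ssh itself and is the authoritative check; the script above is useful where that option is not available or where a config file needs to be reviewed without the client installed.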
User and host certificates provide a more convenient method of authentication for multiple clients (users) and servers (hosts). Certificate revocation also provides an easier way to quickly invalidate user access. A certificate authority key pair is first generated as follows. The CA key pair is then placed in the /etc/ssh directory on the host.
ca $ ssh-keygen -t ecdsa -b 521 -f user_ca
server $ sudo mv user_ca* /etc/ssh/
On the client, generate a public/private key pair and then copy the public key to the server so that it can be signed with the CA. Make sure to set the validity period of the certificate. Alternatively, a host key may be signed with a CA key that is stored in a PKCS#11 token; OpenSSH supports CA keys stored in PKCS#11 tokens. Check the version of SSH and see the ssh-keygen man page for more information.
client $ ssh-keygen -t ecdsa -b 521 -f ~/.ssh/id_ecdsa
client $ scp .ssh/id_ecdsa.pub bryan@server-ca:~/user_public_keys
server-ca $ ssh-keygen -s /etc/ssh/user_ca \
    -O source-address=clientip \
    -O permit-pty \
    -O no-port-forwarding \
    -O no-user-rc \
    -O no-x11-forwarding \
    -V -1d:+52w1d -z 6739301351 -I "bryan" -n bryan,clienthostname id_ecdsa.pub
id "bryan" serial 6739301351 for bryan,clienthostname valid from 2011-08-18T15:05:24 to 2012-08-17T15:05:24
Copy the signed user cert back to the client.
client $ scp bryan@server:~/user_public_keys/id_ecdsa-cert.pub ~/.ssh/
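Before a signed certificate is trusted, it is worth confirming that the restrictions requested at signing time actually ended up in it: the validity window, the source-address critical option, the cleared forwarding extensions and the principal list. The following script is an added example, not code from the original post. It parses the text that `ssh-keygen -L -f id_ecdsa-cert.pub` prints and checks those properties; SAMPLE_CERT_DUMP is a constructed dump modelled on the certificate signed above (fingerprints and the 203.0.113.5 source address are placeholders), and the parser assumes the layout ssh-keygen -L uses, with fields indented by 8 spaces and list entries by 16. One caveat the audit makes visible: the signing command above does not pass -O no-agent-forwarding, so permit-agent-forwarding remains enabled in the resulting certificate.

```shell
#!/bin/sh
# Added example (not code from the original post): audit the policy carried by
# a signed OpenSSH user certificate by parsing the text that
#     ssh-keygen -L -f ~/.ssh/id_ecdsa-cert.pub
# prints, so a certificate can be checked before (or after) it is handed to a
# client. SAMPLE_CERT_DUMP is CONSTRUCTED to mirror the certificate signed in
# the post (key ID "bryan", serial 6739301351, principals bryan,clienthostname,
# one year validity); the fingerprints and the 203.0.113.5 source address are
# placeholders. ssh-keygen -L shows times in local time with no zone suffix.
SAMPLE_CERT_DUMP='id_ecdsa-cert.pub:
        Type: ecdsa-sha2-nistp521-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:PLACEHOLDER_KEY_FINGERPRINT
        Signing CA: ECDSA SHA256:PLACEHOLDER_CA_FINGERPRINT
        Key ID: "bryan"
        Serial: 6739301351
        Valid: from 2011-08-18T15:05:24 to 2012-08-17T15:05:24
        Principals:
                bryan
                clienthostname
        Critical Options:
                source-address 203.0.113.5
        Extensions:
                permit-agent-forwarding
                permit-pty'

# A second constructed dump with the restrictions missing: no source-address
# and port forwarding permitted, as a cert signed without the -O options would be.
SAMPLE_CERT_DUMP_LAX=$(printf '%s\n' "$SAMPLE_CERT_DUMP" \
    | sed -e '/source-address/d' -e 's/permit-pty/permit-port-forwarding/')

# Extensions the post's signing command clears with -O no-*; agent forwarding
# is not among them, so it stays enabled unless -O no-agent-forwarding is added.
FORBIDDEN_EXTENSIONS="permit-port-forwarding permit-X11-forwarding permit-user-rc"

# cert_field DUMP NAME -> value of a top-level field such as Serial or Valid
cert_field() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, name ": ") == 1 { print substr($0, length(name) + 3); exit }'
}

# cert_items DUMP SECTION -> the entries listed under Principals,
# "Critical Options" or Extensions, one per line (16-space indent in -L output)
cert_items() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { indent = match($0, /[^ \t]/) - 1 }
        indent < 16 { insec = (index($0, want ":") > 0); next }
        insec { sub(/^[ \t]+/, ""); print }'
}

# audit_user_cert DUMP NOW_ISO ALLOWED_PRINCIPALS
#   Prints one FAIL line per violated check and returns 1 if any failed:
#   the cert must be valid at NOW_ISO (local time, e.g. 2012-01-01T00:00:00;
#   ISO timestamps compare correctly as strings), must carry a source-address
#   critical option, must grant none of $FORBIDDEN_EXTENSIONS, and must name
#   only principals from the space-separated ALLOWED_PRINCIPALS list.
audit_user_cert() {
    dump=$1; now=$2; allowed=$3; rc=0

    valid=$(cert_field "$dump" Valid)                   # "from START to END"
    from=${valid#from }; from=${from%% *}; to=${valid##* }
    in_window=$(awk -v f="$from" -v t="$to" -v n="$now" \
        'BEGIN { print ((f <= n && n <= t) ? "yes" : "no") }')
    [ "$in_window" = yes ] || { echo "FAIL: not valid at $now ($valid)"; rc=1; }

    cert_items "$dump" "Critical Options" | grep -q '^source-address ' \
        || { echo "FAIL: no source-address restriction"; rc=1; }

    for ext in $(cert_items "$dump" Extensions); do
        case " $FORBIDDEN_EXTENSIONS " in
            *" $ext "*) echo "FAIL: forbidden extension $ext"; rc=1 ;;
        esac
    done

    for p in $(cert_items "$dump" Principals); do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "FAIL: unexpected principal $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone run: audit the sample at a date inside its validity window.
# For a real cert: audit_user_cert "$(ssh-keygen -L -f id_ecdsa-cert.pub)" \
#     "$(date +%Y-%m-%dT%H:%M:%S)" "bryan clienthostname"
if audit_user_cert "$SAMPLE_CERT_DUMP" 2012-01-01T00:00:00 "bryan clienthostname"; then
    echo "certificate accepted"
else
    echo "certificate rejected"
fi
```

The same check run on the server side, against the cert the client presents, is what sshd does implicitly when it enforces source-address and the principals file; running it explicitly at signing time catches a forgotten -O option before the certificate is distributed.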
Set up the TrustedUserCAKeys and AuthorizedPrincipalsFile files, then set the corresponding options in /etc/ssh/sshd_config on the server. The redirection below has to run under sudo as well; a plain "sudo cat ... > file" would have the unprivileged shell attempt the write into /etc/ssh.
server-ca $ sudo sh -c 'cat /etc/ssh/user_ca.pub > /etc/ssh/trusted_user_ca_keys'
Modify /etc/ssh/authorized_principals to include the following lines.
bryan
from="clientip" bryan
Modify /etc/ssh/sshd_config on the server to include the following lines:
TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
Now, restart sshd on the server and add an appropriate host configuration for certificate authentication to ~/.ssh/config on the client.
Last of all, set up a host certificate by passing the -h option to ssh-keygen when signing the host key.
It is important to always keep OpenSSH updated with the latest, stable version that has been released for the operating system.