
SSH Basics

The Secure Shell Protocol (SSH Protocol) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

Keys

Generate a new key pair (-N "" sets an empty passphrase)
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
Check an existing key (prints its fingerprint)
ssh-keygen -lf ~/.ssh/id_ed25519.pub
Check an existing certificate (prints principals, validity and extensions)
ssh-keygen -Lf ~/.ssh/id_ed25519-cert.pub

Config

Host

Host (server) configuration, see sshd_config(5)

Check loaded SSH config
sudo sshd -T
Example SSHD Config
/etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PermitTunnel no
AllowTcpForwarding no

PermitRootLogin yes
Match User root
    PasswordAuthentication no
    AllowTcpForwarding yes
Match User backup-tunnel
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:445
Check SSH daemon
sudo systemctl status sshd --no-pager
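Match blocks apply only to the matching connection and override the global section, which is why AllowTcpForwarding no above still yields full forwarding for root and a restricted local forward for backup-tunnel; on a live host the same answer comes from sudo sshd -T -C user=backup-tunnel,host=...,addr=... The script below is an added example, not part of the original page, that parses the example sshd_config and computes the effective settings per user (fnmatch stands in for sshd's pattern matcher):

```python
import re
from fnmatch import fnmatch

# Constructed input: the example sshd_config from this page, as one string.
SSHD_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitTunnel no
AllowTcpForwarding no
PermitRootLogin yes
Match User root
    PasswordAuthentication no
    AllowTcpForwarding yes
Match User backup-tunnel
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:445
"""


def parse_sshd_config(text):
    """Return (global_section, [(match_criteria, settings), ...]) with lowercase
    keywords. Within one section the first value wins, as sshd_config(5) states."""
    global_opts, blocks = {}, []
    settings = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            tok = value.split()  # "User root" -> {"user": "root"}; pairs may repeat
            settings = {}
            blocks.append(({tok[i].lower(): tok[i + 1] for i in range(0, len(tok) - 1, 2)}, settings))
        else:
            settings.setdefault(key, value)
    return global_opts, blocks


def effective_config(global_opts, blocks, **conn):
    """Approximate `sshd -T -C user=...`: matching blocks override the global
    section; if several blocks match, the first one to set a keyword wins."""
    overrides = {}
    for criteria, settings in blocks:
        if all(any(fnmatch(conn.get(c, ""), p) for p in pats.split(",")) for c, pats in criteria.items()):
            for key, value in settings.items():
                overrides.setdefault(key, value)
    return {**global_opts, **overrides}
```

Call effective_config(*parse_sshd_config(SSHD_CONFIG), user="root") to see that root ends up with AllowTcpForwarding yes while any other user keeps the global no.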

The host needs to trust the SSH user CA (so it accepts user certificates signed by that CA) and to present its own host certificate.

SSHD Cert Config
# The drop-in is only read if the main sshd_config contains
# Include /etc/ssh/sshd_config.d/*.conf (placed before any Match block).
sudo tee /etc/ssh/sshd_config.d/certs.conf <<EOF
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF

# Validate the merged configuration before the daemon picks it up.
sudo sshd -t && \
sudo systemctl reload sshd

This writes the certificate directives to a drop-in file, checks the merged configuration with sshd -t, and reloads the daemon; if the check fails, the running sshd is left untouched.

Client

Client configuration, see ssh_config(5)

Example SSH client config
~/.ssh/config
Host appdaemon
  User appdaemon
  HostName 192.168.1.242

Host *
  ForwardAgent no
  IdentitiesOnly yes
  User john
  ServerAliveInterval 0
  ServerAliveCountMax 3
  Compression no
  AddKeysToAgent yes
  HashKnownHosts no
  UserKnownHostsFile ~/.ssh/known_hosts
  IdentityFile ~/.ssh/id_ed25519
  IdentityAgent ~/.1password/agent.sock
  CertificateFile ~/.ssh/id_ed25519-cert.pub

  SetEnv TERM="xterm-256color"