Now that we have all the warning nonsense out of the way, let's install and configure Open-SSH. Ubuntu Server provides the ability to install Open-SSH during the installation of the operating system (OS). However, in case we missed this, let's update our repository list:
sudo apt-get update
Now let's install Open-SSH server:
sudo apt-get install openssh-server
Once the install completes, we should now be able to SSH into our server. (Assuming you have the default firewall rules or allowed TCP port 22 (SSH) inbound and outbound). If you have connection issues you may consider issuing the following iptables commands:
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
*PLEASE BE ADVISED: This configuration is NOT secure and will allow all traffic inbound and outbound. Never in my life would I use these in a real environment, but for testing purposes, and so we can get this working, I suggest you use the above commands. If you are in a production environment, TEST THIS IN A VM FIRST! Or use the commands presented below at your OWN risk:
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
Now we should be able to SSH to our server using our favorite SSH client. My personal favorite is Putty and this tutorial will assume you are using putty or the default open-ssh client on a Linux desktop.
If you are using a Linux desktop you may issue the following command in terminal:
ssh <your username>@<your server IP or hostname>
If you are using a windows systems, let's use Putty to connect to the server. You may download putty from here:
Be sure to download the installer binary from the link under A Windows installer for everything except PuTTYtel. This will allow you to install putty on your system.
Once downloaded, install Putty by following the installation prompts, and then launch Putty.exe'.
<your username>@<your server ip address or hostname>. Preferably, the IP address, in case there are any DNS resolution issues in your network.
Once successfully logged in, you may continue to generate RSA keys!! If you were unable to log in, please double check the iptables using the following commands:
sudo iptables -l INPUT
sudo iptables -l OUTPUT
Once you've verified these are correct, you may also considered restarting the SSH service:
sudo service ssh restart
By default Open-SSH uses a 2048 bit RSA keys. For the sake of our server, we will increase this to 4096 bits using ssh-keygen and the -b flag.
ssh-keygen -t rsa -b 4096
During the key generation, open-ssh will ask where the keys should be saved. For now we will use the default directory, which is the currently logged in users home directory (/home/<logged in user>/.ssh/) Following this, you will be asked to input a password. Please be sure to enter a password so the private key is safe. Please use the industry standard password guidelines to create a secure password. This tutorial assumes you are already aware of these guidelines.
Once both keys are generated we will transfer them to our system.
Using command prompt (CMD) we can use putty's scp service to transfer both the public and private key-pair from the server to the system we wish to use to connect to the server.
cd C:\Program Files (x86)\PuTTY
pscp.exe <your username>@<your servers ip>:/home/<your username>/.ssh/id_rsa.pub c:\Users\<your username>\Desktop\RSA
pscp.exe <your username>@<your servers ip>:/home/<your username>/.ssh/id_rsa c:\Users\<your username>\Desktop\RSA
In many circumstances, user's home directories are encrypted and Open-SSH cannot access the /home/<username>/.ssh/ directory. For simplicity reasons we will assume the users home directory is encrypted.
To accommodate this issue, we will change directory (cd) using the following command:
We then need to create a directory using the current username.
You should now be able to use see a directory reflecting the currently logged in user.
We can now change directory back to our users home directory:
We now need to copy the content of our public key to an authorized_keys files within the $USER directory previously created. The authorized_keys file is used by Open-SSH to store the public keys for each user. This is to not be confused with a directory or folder, this is a file. We will use catenate (cat) to copy the contents of the public key to authorized_keys:
cat id_rsa.pub >> /etc/ssh/$USER/authorized_keys
We can also use cat to verify the contents were transferred:
You should see an output similar to the following:
If you see a similar output to the one illustrated above, you have successfully copied the contents of the public key.
When using Open-SSH the file and directory permissions are extremely important. This is to protect your servers' public keys from external modification, while also allowing Open-SSH to access the public keys.
Now that we have created the directory structure and copied the necessary files, we can now change the permissions of the /etc/ssh/$USER/ directory and the authorized_keys file. We will make the following permission changes:
sudo chmod 700 /etc/ssh/$USER
sudo chmod 644 /etc/ssh/$USER/authorized_keys
Once the file and directory permission are correct we can verify them using list directory contents (ls) with the -l flag:
ls -l /etc/ssh/$USER
ls -l /etc/ssh/$USER/authorized_keys
Once you've verified the field and directory permissions we can begin to configure Open-SSH.
We are close to the finish line and completing our Open-SSH server configuration! With a few changes to the sshd_config file, we can began to configure our SSH client for key-based authentication.
We will first make a backup of the default Open-SSH configuration:
First change directories to /etc/ssh/.
Now we can backup the Open-SSH configuration:
sudo sshd_config sshd_config_default
We now can begin to edit the Open-SSH configuration. Using Nano, we can edit the Open-SSH configuration.
sudo nano sshd_config
Please make the following changes to the sshd_config file:
*** If you would like to further secure your SSH configuration I would recommend using the following Message Authentication Code (MAC) algorithms, encryption algorithms (ciphers), host key algorithms, and key exchange algorithms.
If any of the above changes have a leading #, remove this also. After making the necessary changes, we can now save the file using ctl + x then using y for yes to save the file and enter to commit to the changes.
Now that all changes have been made, we can restart the Open-ssh server:
sudo service ssh restart
We have officially setup our Open-SSH server for key-based authentication!
Now that we have completed our server setup, we now have to configure our client. For the client configuration, I will demonstrate the configuration for both Linux (Ubuntu), and Windows (Putty).
First copy the private key in the RSA directory to a flash drive. Before connecting the flash drive, let's install Open-SSH client:
sudo apt-get update
sudo apt-get install openssh-client
Once the Open-SSH client has successfully installed, let's create the necessary directory to store our private key:
Once you have created this folder copy your private key form your flash drive into this folder. If you are using Ubuntu server, you will need to determine, which disk your flash drive is using:
sudo fdisk -l
After you have found your flash drive, you can then create a directory to mount it to using:
sudo mkdir /media/flash
sudo mount /dev/<your flash drive> /media/flash
Once the drive is mounted you can now use copy (cp) to copy the private key into the directory:
sudo cp /media/flash/id_rsa ~/.ssh/
Now that we have copied the private key we can now change the permissions so it can be used in Open-SSH:
sudo chmod 700 ~/.ssh
sudo chmod 600 ~/.ssh/id_rsa
Now that we have applied the necessary permissions, we can now connect to our SSH server! Issuing the following command, you should be able to successfully SSH to your server:
ssh <user on your server>@<your servers ip or hostname>
Before you conntect you may recieve a prompt for a password. This prompt is asking for the password you used when creating your SSH keys. Type this password in and you will connect.
Once you've connected you will receive a prompt asking to accept the public key, please type yes if you would like to accept it and connect. You should now be connected to your server!
You can verify you are connected by looking at the
terminal prompt, you will see
username>@<your server hostname> or you can
whoami in the terminal and you will see your
servers username display.
Inside PuTTYgen you will see Conversions at the top. Click Conversions and Import key
After clicking Import key, navigate to the RSA directory and select the private key id_rsa and click open.
PuTTYgen will then load the key. You may then click the Save private key button and save the private key in the RSA directory. I recommend you save it with <your server username>PrivateKey.ppk
Once the key has been saved, open Putty.
In putty you should see the previously save session profile. Click to highlight this profile and then click load.
After the profile has loaded, you should now see your server info in the Host Name section. Now in the left hand pane, click the + next to SSH and then click Auth.
On the right hand pane you should now see Private key file for authentication:, click the browse button below this and browse to your private key, select it, and click open.
After selecting your private key, back in the left hand pane scroll up and select session. This will take you back to the screen you previously started at.
Click your saved session profile again and click save.
Now that you have fully setup your Putty profile with your private key, you can now click open and launch the Putty terminal.
When the terminal launches, you will be prompted to input the password for your private key.
After you enter your password Putty can access the private key and authenticate against your SSH server. Once the authentication process completes, you will automatically login to your user account on the server.
Of course we want to ensure that our SSH server is secure, and we are transmitting data in a secure fashion.
Now we could open Wireshark and begin analyzing packets and what not. I definitely recommend we do this to ensure everything is sound. Plus it keeps us sane. But what if we just want to view that our MAC, Encryption, Host-key, and Key Exchange algorithms are set appropriately?
I ran across a nice little tool that will verify our MAC, Encryption, Host-key, and Key Exchange algorithms are up to par. The nice thing about this tool is it will also tell you which algorithms you need to remove!!! #winning
Andris Raugulis (arthepsy) created an awesome tool called ssh-audit. We will use this tool to audit our configuration and ensure we are only using secure algorithms to transmit data between our client and server.
Begin by downloading ssh-audit from GitHub
git clone https://github.com/arthepsy/ssh-audit.git
Once downloaded, change directory to the folder ssh-audit folder and run the python script as follows:
If you followed the guide above you should get a nice pretty green output similar to what's seen below:
Otherwise you may get something that resembles a Christmas tree with bad presents. Kind of like the image below: