SSH

From YobiWiki

Notes on upgrading the host keys and algorithm parameters of an OpenSSH server (new host keys, then an sshd_config diff against the distribution defaults).

Generate the new host keys with an empty passphrase (-N ""), since sshd has to read them unattended at start-up:

ssh-keygen -N "" -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
The key fingerprint is:
0f:9c:b1:d6:ef:74:1d:c7:6c:31:46:1c:f9:a1:fe:b1 root@public
The key's randomart image is:
+---[ECDSA 256]---+
|              .oo|
|              .+ |
|        .     .+o|
|       . =   ..o+|
|        S . .  .=|
|       . o . . +o|
|          . o o +|
|           o . E |
|            .    |
+-----------------+

ssh-keygen -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
The key fingerprint is:
a3:25:8e:ca:4e:d3:10:06:a8:19:6b:40:51:c5:be:3e root@public
The key's randomart image is:
+--[ED25519 256]--+
|+oo.o.           |
|+.   .           |
|o+o .            |
|+o . .           |
|. .   o S        |
|   o + + .       |
|  o + o          |
| o o E           |
| .+   .          |
+-----------------+
+HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
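Review bot: the kept RSA HostKey on the second line is whatever key the host already had, and dropping DSA buys little if that RSA key is 1024 bits; check it with `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key` and regenerate it at 4096 bits if needed. Also note that a recent OpenSSH client orders its HostKeyAlgorithms by what it already has in known_hosts, so existing clients will keep negotiating the RSA key and only new clients, or those whose known_hosts entry is updated, will be served the ed25519 key.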

+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#Only since OpenSSH 6.8:
+#HostbasedAcceptedKeyTypes ssh-ed25519,ssh-rsa
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
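Review bot: diffie-hellman-group-exchange-sha256 lets the client pick a group from /etc/ssh/moduli, which on most distributions still contains 1024- and 1536-bit entries, so this Kex line still allows a weak group until the moduli file is pruned, e.g. `awk '$5 >= 2047' /etc/ssh/moduli > moduli.tmp && mv moduli.tmp /etc/ssh/moduli`. The commented HostbasedAcceptedKeyTypes only affects HostbasedAuthentication, which is off by default; the option that restricts user public-key types is PubkeyAcceptedKeyTypes, added in the same OpenSSH release, and it is the one worth uncommenting once the server runs 6.8 or later.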

-UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox
 
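Review bot: `UsePrivilegeSeparation sandbox` needs OpenSSH 5.9 or later, where the sandbox mode was introduced, and from 7.5 onward the directive is deprecated because sandboxed privilege separation became unconditional; sshd then logs a deprecation warning but otherwise ignores the line, so keep it for older servers and drop it once 7.5+ is everywhere.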
-LogLevel INFO
+LogLevel VERBOSE
 
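Review bot: the reason for VERBOSE should be stated, since it is not obvious from the diff: VERBOSE is the level at which sshd logs the fingerprint of the public key used for each successful authentication, which INFO omits, and that is what makes the auth log usable to tell which of a user's keys was used. Expect a noticeably larger auth log.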
-Subsystem sftp /usr/lib/openssh/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
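Review bot: `-l INFO -f AUTHPRIV` makes sftp-server report each file operation through syslog from inside the user's session, so if sshd also uses ChrootDirectory the log lines are silently lost unless the chroot has a /dev/log socket (sftp-server(8) describes the requirement); verify with a test upload that the lines actually reach the authpriv log. Before the restart below, run `sshd -t` to validate the edited file while keeping an existing session open.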
service sshd restart
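As an added example, not code from the original wiki page, the following POSIX shell audit flags the legacy host key and algorithm names that the diff above removes, run against a constructed "before" and "after" sshd_config fragment, and filters a constructed /etc/ssh/moduli so that diffie-hellman-group-exchange-sha256 can only offer 2048-bit or larger groups. The weak-name patterns, the sample inputs and the placeholder moduli are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: audit an sshd_config
# fragment for the legacy host key and algorithm names the diff above removes,
# and filter /etc/ssh/moduli so that diffie-hellman-group-exchange-sha256
# only offers large groups. Both inputs are constructed samples embedded here,
# not files read from a live host; the weak-name patterns are this example's own.

# Constructed "before" config: the DSA host key plus a few legacy algorithm
# names that old default configurations still accepted.
SAMPLE_CONFIG='HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
Ciphers aes256-ctr,aes128-cbc,arcfour
MACs hmac-sha2-512-etm@openssh.com,hmac-md5
'

# Constructed "after" config, i.e. the result of applying the page's diff.
CLEAN_CONFIG='HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
'

# check_config: read sshd_config text on stdin (one "Keyword value" per line,
# space separated; comments and blank lines are skipped), print one line per
# legacy item found, and return 1 if anything was flagged, 0 if clean.
check_config() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;
        esac
        key=${line%% *}
        val=${line#* }
        case "$key" in
            HostKey)
                # match ssh_host_dsa_key but not ssh_host_ecdsa_key
                case "$val" in
                    *_dsa_*) echo "weak HostKey: $val"; found=1 ;;
                esac ;;
            KexAlgorithms|Ciphers|MACs)
                # split the comma separated list and flag SHA-1, 1024-bit
                # group 1, CBC-mode, RC4, 3DES and MD5 based names
                old_ifs=$IFS; IFS=,
                for alg in $val; do
                    case "$alg" in
                        *sha1*|*group1*|*-cbc|arcfour*|3des*|*md5*)
                            echo "weak $key: $alg"; found=1 ;;
                    esac
                done
                IFS=$old_ifs ;;
        esac
    done
    return "$found"
}

# Constructed lines in /etc/ssh/moduli format:
# time type tests trials size generator modulus. Field 5 is the group size
# minus one; the hex moduli here are placeholders, not real primes.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 C0FFEE01
20150101000000 2 6 100 1535 2 C0FFEE02
20150101000000 2 6 100 2047 2 C0FFEE03
20150101000000 2 6 100 4095 2 C0FFEE04
'

# filter_moduli: drop the 1024- and 1536-bit groups so that group exchange
# can only pick 2048-bit or larger moduli; comment lines are dropped as well.
filter_moduli() {
    awk '/^#/ { next } $5 >= 2047 { print }'
}

# Stand-alone run: report on the "before" config, confirm the "after" config
# is clean, and show the surviving moduli lines.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_CONFIG" | check_config || echo "legacy settings found"
    printf '%s' "$CLEAN_CONFIG" | check_config && echo "cleaned config has no legacy names"
    printf '%s' "$SAMPLE_MODULI" | filter_moduli
fi
```

On a real host, pipe the live files through the two functions (`check_config < /etc/ssh/sshd_config`, `filter_moduli < /etc/ssh/moduli > moduli.tmp`), then run `sshd -t` on the edited config and keep an existing session open while restarting; on Debian-derived systems the service is named `ssh` rather than `sshd`.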

See also https://blog.g3rt.nl/upgrade-your-ssh-keys.html