Difference between revisions of "SSH"

From YobiWiki
Changes between the two compared revisions (both minor edits; 2 intermediate revisions by the same user not shown):

The ssh-keygen commands for the ECDSA and Ed25519 host keys now also show the resulting key fingerprints and randomart images.

KexAlgorithms was narrowed from curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 to curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256.

A commented-out HostbasedAcceptedKeyTypes ssh-ed25519,ssh-rsa line, with the note that the directive only exists since OpenSSH 6.8, was added after KexAlgorithms. The Ciphers and MACs lines are unchanged.

The "See also" link to https://blog.g3rt.nl/upgrade-your-ssh-keys.html was added at the end of the page.

Latest revision as of 16:44, 2 January 2017

Notes on upgrading SSH parameters: regenerate the host keys, then tighten the algorithm lists and logging in the sshd configuration.

Generate ECDSA and Ed25519 host keys (-N "" gives an empty passphrase, which host keys need so that sshd can load them unattended):

<pre>
ssh-keygen -N "" -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
The key fingerprint is:
0f:9c:b1:d6:ef:74:1d:c7:6c:31:46:1c:f9:a1:fe:b1 root@public
The key's randomart image is:
+---[ECDSA 256]---+
|              .oo|
|              .+ |
|        .     .+o|
|       . =   ..o+|
|        S . .  .=|
|       . o . . +o|
|          . o o +|
|           o . E |
|            .    |
+-----------------+

ssh-keygen -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
The key fingerprint is:
a3:25:8e:ca:4e:d3:10:06:a8:19:6b:40:51:c5:be:3e root@public
The key's randomart image is:
+--[ED25519 256]--+
|+oo.o.           |
|+.   .           |
|o+o .            |
|+o . .           |
|. .   o S        |
|   o + + .       |
|  o + o          |
| o o E           |
| .+   .          |
+-----------------+
</pre>
Changes to sshd_config, in diff notation (lines starting with - are removed, lines starting with + are added, the others are unchanged context):

<pre>
+HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key

+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#Only since OpenSSH 6.8:
+#HostbasedAcceptedKeyTypes ssh-ed25519,ssh-rsa
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

-UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox
 
-LogLevel INFO
+LogLevel VERBOSE
 
-Subsystem sftp /usr/lib/openssh/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
</pre>

Then restart the daemon so the new host keys and algorithm lists take effect:

<pre>
service sshd restart
</pre>
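To check that a host actually ended up with the configuration described above (no DSA host key left, only the listed key exchange methods, ciphers and MACs, LogLevel VERBOSE), here is an added shell audit script. It is example code written for this page, not the wiki author's or OpenSSH's; the allow-lists are copied from the sshd_config changes above, the function and variable names (audit_sshd_config, write_sample_config, FINDINGS) are my own, and the deliberately weak config it audits by default is a constructed sample, not a real host's file.

```shell
#!/bin/sh
# Added example, not code from the YobiWiki page: audit an sshd_config file
# against the host-key and algorithm choices settled on in the notes above.
# Exit status of audit_sshd_config = number of findings (0 = nothing to fix).

# Allow-lists copied from the sshd_config changes on this page.
ALLOWED_KEX="curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256"
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 umac-128@openssh.com"

FINDINGS=0

# flag MESSAGE: report one finding and count it.
flag() {
    echo "FINDING: $1"
    FINDINGS=$((FINDINGS + 1))
}

# in_list WORD LIST: succeed if WORD is one of the space-separated words in LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_algos DIRECTIVE VALUE ALLOWED: flag every algorithm in the
# comma-separated VALUE that is outside the ALLOWED list.
check_algos() {
    for a in $(printf '%s' "$2" | tr ',' ' '); do
        in_list "$a" "$3" || flag "$1: $a is not in the hardened list"
    done
}

# audit_sshd_config FILE: read the file line by line (keyword, then value;
# sshd_config keywords are case-insensitive) and apply the checks.
audit_sshd_config() {
    FINDINGS=0
    seen_kex=0; seen_ciphers=0; seen_macs=0
    while read -r key value || [ -n "$key" ]; do
        case "$key" in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$lkey" in
            hostkey)
                # The notes above drop the DSA host key. The pattern needs a
                # literal "_dsa_key", so ssh_host_ecdsa_key does not match.
                case "$value" in
                    *_dsa_key*) flag "HostKey $value: DSA host key still configured" ;;
                esac ;;
            kexalgorithms) seen_kex=1;     check_algos KexAlgorithms "$value" "$ALLOWED_KEX" ;;
            ciphers)       seen_ciphers=1; check_algos Ciphers "$value" "$ALLOWED_CIPHERS" ;;
            macs)          seen_macs=1;    check_algos MACs "$value" "$ALLOWED_MACS" ;;
            loglevel)
                [ "$value" = "VERBOSE" ] || flag "LogLevel $value: the notes above set VERBOSE" ;;
        esac
    done < "$1"
    # A directive that is absent means sshd uses its compiled-in default list,
    # which is not what the notes above intend.
    [ "$seen_kex" -eq 1 ]     || flag "KexAlgorithms not set: sshd default list in effect"
    [ "$seen_ciphers" -eq 1 ] || flag "Ciphers not set: sshd default list in effect"
    [ "$seen_macs" -eq 1 ]    || flag "MACs not set: sshd default list in effect"
    return "$FINDINGS"
}

# write_sample_config FILE: a constructed, deliberately weak sshd_config
# (sample data for the demo, not any real host's configuration).
write_sample_config() {
    printf '%s\n' \
        '# constructed sample' \
        'HostKey /etc/ssh/ssh_host_rsa_key' \
        'HostKey /etc/ssh/ssh_host_dsa_key' \
        'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256' \
        'Ciphers aes256-ctr,arcfour' \
        'MACs hmac-sha2-512' \
        'LogLevel INFO' > "$1"
}

# Run directly: audit the file given as argument, or the constructed sample.
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    audit_sshd_config "$sample" || echo "$FINDINGS finding(s) in the constructed sample"
    rm -f "$sample"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` on the host after the restart; a zero exit status means every checked directive matches the notes above. The script only reads the configuration file, so it is safe to run from a monitoring job; it does not verify what the running daemon negotiates, which is a separate check.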

See also https://blog.g3rt.nl/upgrade-your-ssh-keys.html