encryption – edafe.de

Install and configure SSH on Debian or Ubuntu

SSH is a protocol that enables secure connections over unsecured networks. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.

In this example, the name of the remote machine is yourserver, which has the address 192.168.1.10 on the network. remoteuser is a user on yourserver, whereas localuser is a user on the local machine.

Begin by choosing an encryption passphrase to secure the private key that you will generate in Step 5.

On the remote machine

Step 1

Install the secure shell server on yourserver with the following command:

$ sudo apt install --yes openssh-server

Step 2

If you are using ufw as a host-based firewall

Configure ufw to allow connections to the secure shell server.

$ sudo -- bash -c 'ufw allow ssh && systemctl restart ssh.service'

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to the secure shell server.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 3

Restrict access to yourserver to members of a specific group. Start by creating the group ssh-users.

$ sudo addgroup --system ssh-users

Add the user remoteuser to the group ssh-users.

$ sudo adduser remoteuser ssh-users

On the local machine

Step 4

Install the secure shell client with the following command.

$ sudo apt install openssh-client

Step 5

Generate a new key pair for the the user localuser:

$ cd ~/.ssh && ssh-keygen -t ed25519 -o -a 100

Save the key pair to the directory /home/localuser/.ssh/. Choose a name that facilitates easy identification.

Enter file in which to save the key (/home/localuser/.ssh/id_ed25519): id_ed25519-yourserver

The use of an appropriate passphrase to secure the private key is mandatory.

Step 6

Create the file ~/.ssh/config to configure the secure shell client.

$ nano ~/.ssh/config

Add the follwing minimal entry for the host yourserver.

Host yourserver
   Hostname 192.168.1.10
   IdentityFile ~/.ssh/id_ed25519-yourserver
   IdentitiesOnly yes

Step 7

Deploy the public key with the following command.

$ ssh-copy-id -i ~/.ssh/id_ed25519-yourserver.pub remoteuser@yourserver

When prompted to confirm the authenticity of the host yourserver, type yes and press [Enter].

The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Step 8

Log into the remote machine.

$ ssh -i ~/.ssh/id_ed25519-yourserver remoteuser@yourserver

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/localuser/.ssh/id_ed25519-yourserver':

Step 9

On the remote machine, download this configuration file to harden the ssh server. You are encouraged to inspect its contents.

$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'

Activate the modifications on the remote machine.

$ sudo systemctl restart ssh.service

Step 9

On the local machine, open a new terminal window and run the following command.

$ ssh -i ~/.ssh/id_ed25519-yourserver remoteuser@yourserver

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/localuser/.ssh/id_ed25519-yourserver':

Display the active configuration for the remote ssh server and verify its settings, paying particular attention to options for maxauthtries, permitrootlogin and passwordauthentication.

$ sudo sshd -T

All done!

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.

What’s in a PR statement: LastPass breach explained

“LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face. Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.” Wladimir Palant helps to decode what LastPass had to say about their latest security breach.

palant.info

Scaring people into supporting backdoors

“Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.” Bruce Schneier re-emphasises the need for strong encryption as a matter of personal and national security.

www.schneier.com

This structure of surveillance will stop us doing things which are right

“We now face the greatest threat to our liberties since the second world war. We are sleepwalking into despotism. Because of the amount of material that is being collected, because these databases, which are not about tiny items of information, will be used and not just by governments. Snowden was working for a corporation. They will be accessed by others in government and because, that’s most important of all, people will start to self-censor. We will find that the very fact of the total surveillance of our activities means that we are going to sort of … it’s not a question, as the foreign minister said, of ‘if you haven’t done anything wrong you have nothing to fear’. [sic] This structure of surveillance will stop us doing things which are right, that we know we should be doing.” Anthony Barnett appearing on yesterday’s BBC Newsnight programme.

Still sending naked email?

“In a world of repressive governments and a growing reliance on insecure networks, there’s no way anyone can be sure their most sensitive messages aren’t intercepted by the forces of darkness. But you can make it mathematically improbable that all but the most well-funded snoops could ever make heads or tales of your communications.” Use Dan Goodin’s step-by-step guide to email encryption and keep your communications private.