Difference between revisions of "Sshd"
Jump to navigation
Jump to search
(Created page with "# Secure with specific ciphers ``` ~]$ sudo sshd -T | grep ^macs macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.co...") |
|||
| (2 intermediate revisions by the same user not shown) | |||
| Line 12: | Line 12: | ||
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 | kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 | ||
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 | macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 | ||
| + | ``` | ||
| + | |||
| + | ``` | ||
| + | sudo systemctl restart sshd | ||
| + | ``` | ||
| + | |||
| + | ## Check via ssh scan | ||
| + | https://sshcheck.com/ | ||
| + | |||
| + | which is probably this parsed and prettied | ||
| + | ``` | ||
| + | sudo nmap -sV --script ssh2-enum-algos ssh.example.org -p 22 | ||
| + | ``` | ||
| + | |||
| + | Dockerfile run in foreground | ||
| + | ``` | ||
| + | EXPOSE 22 | ||
| + | CMD ["/usr/sbin/sshd", "-D"] | ||
| + | |||
| + | ``` | ||
| + | |||
| + | Nonroot | ||
| + | |||
| + | ``` | ||
| + | #!/bin/bash | ||
| + | set -eux | ||
| + | mkdir -p ${HOME}/custom_ssh | ||
| + | ssh-keygen -f ${HOME}/custom_ssh/ssh_host_rsa_key -N '' -t rsa | ||
| + | ssh-keygen -f ${HOME}/custom_ssh/ssh_host_dsa_key -N '' -t dsa | ||
| + | |||
| + | cat << EOF > ${HOME}/custom_ssh/sshd_config | ||
| + | Port 2222 | ||
| + | HostKey ${HOME}/custom_ssh/ssh_host_rsa_key | ||
| + | HostKey ${HOME}/custom_ssh/ssh_host_dsa_key | ||
| + | AuthorizedKeysFile .ssh/authorized_keys | ||
| + | ChallengeResponseAuthentication no | ||
| + | UsePAM yes | ||
| + | Subsystem sftp /usr/lib/ssh/sftp-server | ||
| + | PidFile ${HOME}/custom_ssh/sshd.pid | ||
| + | EOF | ||
| + | |||
| + | /usr/local/bin/sshd -f ${HOME}/custom_ssh/sshd_config | ||
| + | echo "----- Process ID : ${HOME}/custom_ssh/sshd.pid -------" | ||
``` | ``` | ||
Latest revision as of 06:12, 21 October 2023
Secure with specific ciphers
~]$ sudo sshd -T | grep ^macs macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 ~]$ sudo sshd -T | grep ^kexa kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
/etc/ssh/sshd_config
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
sudo systemctl restart sshd
Check via ssh scan
which is probably this parsed and prettied
sudo nmap -sV --script ssh2-enum-algos ssh.example.org -p 22
Dockerfile run in foreground
EXPOSE 22 CMD ["/usr/sbin/sshd", "-D"]
Nonroot
#!/bin/bash
set -eux
mkdir -p ${HOME}/custom_ssh
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_dsa_key -N '' -t dsa
cat << EOF > ${HOME}/custom_ssh/sshd_config
Port 2222
HostKey ${HOME}/custom_ssh/ssh_host_rsa_key
HostKey ${HOME}/custom_ssh/ssh_host_dsa_key
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/ssh/sftp-server
PidFile ${HOME}/custom_ssh/sshd.pid
EOF
/usr/local/bin/sshd -f ${HOME}/custom_ssh/sshd_config
echo "----- Process ID : ${HOME}/custom_ssh/sshd.pid -------"