user:nbrimme1:portfolio:openssh

Differences

This shows you the differences between two versions of the page.

user:nbrimme1:portfolio:openssh [2018/06/09 18:44]
nbrimme1 [SSH Server Configuration]
user:nbrimme1:portfolio:openssh [2018/07/16 23:46] (current)
nbrimme1 [Prerequisites]
Line 7: Line 7:
 =====Objectives===== =====Objectives=====
 State the purpose of this project. What is the point of this project? What do we hope to accomplish by undertaking it? State the purpose of this project. What is the point of this project? What do we hope to accomplish by undertaking it?
 +
 +Go from this (old and busted default sshd):
 +{{http://​lab46.corning-cc.edu/​~nbrimme1/​SSH-Before.jpg|SSH-Before}}
 +
 +To this (new hotness super secure sshd):
 +{{http://​lab46.corning-cc.edu/​~nbrimme1/​SSH-After.jpg|SSH-After}}
 +
 +Help Matt with Lab46'​s sshd:
 +{{http://​lab46.corning-cc.edu/​~nbrimme1/​SSH-Lab46.jpg|SSH-Lab46}}
 =====Prerequisites===== =====Prerequisites=====
 In order to successfully accomplish/​perform this project, the listed resources/​experiences need to be consulted/​achieved:​ In order to successfully accomplish/​perform this project, the listed resources/​experiences need to be consulted/​achieved:​
  
-  * resource1 +  * Your user files in ~/.ssh/ 
-  * resource2 +  * Access rights to system files in /etc/ssh/ 
-  * resource3 +  * [[https://​github.com/​arthepsy/​ssh-audit|ssh-audit]]
-  * experience1 +
-  * experience2 +
-  * etc.+
  
 =====Background===== =====Background=====
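Review bot: The Objectives section still carries the template prompt ("State the purpose of this project...") and the added lines state the goal only through three screenshots (SSH-Before.jpg, SSH-After.jpg, SSH-Lab46.jpg), so a reader cannot tell what "super secure" means or how it is measured when the images do not load. Replace the prompt with a sentence that names the objective in text, for example what the ssh-audit tool added under Prerequisites should report before and after the change, and keep the screenshots as illustration. The image links are also plain http:// URLs into a user home directory; uploading them to the wiki would keep them with the page history.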
Line 42: Line 48:
  
 ====Key Generation==== ====Key Generation====
-<code bash>## -C Comment, not needed for host keys +<code bash>## -C "Comment", not needed for host keys 
-## -N ' ' new (blank) ​passphrase +## -p  Request to change ​passphrase 
-## -o bcrypt key derivation function, implied with ED25519 +## -f <​filename> ​ Output filename ​of key file 
-## -a # number ​of rounds for bcrypt ​key derivation + 
-## -p request to change passphrase +## DSA: **NO LONGER ALLOWED; OpenSSH >=7.0 
-# DSA: **NO LONGER ALLOWED; OpenSSH >=7.0 +$> ssh-keygen -f /​etc/​ssh/​ssh_host_dsa_key ​
-$> ssh-keygen -f /​etc/​ssh/​ssh_host_dsa_key -N ''​ -t dsa + -t dsa \  # -t <​type> ​ Key type 
-# ECDSA: *OpenSSH >=5.7 + -N '' ​    # -N '' ​     New (blank) passphrase 
-$> ssh-keygen -f /​etc/​ssh/​ssh_host_ecdsa_key -N ''​ -t ecdsa +## ECDSA: *OpenSSH >=5.7 
-# ED25519: All keys 256-bit , *OpenSSH >=6.5 +$> ssh-keygen -f /​etc/​ssh/​ssh_host_ecdsa_key ​
-$> ssh-keygen -f /​etc/​ssh/​ssh_host_ed25519_key -N ''​ -t ed25519 ​-o -a 100 + -t ecdsa \  # -t <​type> ​ Key type 
-# RSA: Min:1024, Recommended/​Default:​2048,​ Max:16384 + -N '' ​      # -N '' ​     New (blank) passphrase 
-$> ssh-keygen -f /​etc/​ssh/​ssh_host_rsa_key ​-N '' ​-t rsa -b 4096 -o -a 100+## ED25519: All keys 256-bit , *OpenSSH >=6.5 
 +$> ssh-keygen -f /​etc/​ssh/​ssh_host_ed25519_key ​
 + -t ed25519 \  # -t <​type> ​ Key type 
 + -N '' ​\  # -N '' ​  New (blank) passphrase 
 + -o \     # -o      bcrypt key derivation function, implied with ED25519 
 + -a 100   # -a <#> ​ Number of rounds for bcrypt key derivation 
 +## RSA: Min:1024, Recommended/​Default:​2048,​ Max:16384 
 +$> ssh-keygen -f /​etc/​ssh/​ssh_host_rsa_key ​
 + -t rsa \   # -t <​type> ​ Key type 
 + -b 4096 \  # -b <​bits> ​ Number of bits in the key 
 + -N ''​ \    # -N '' ​  New (blank) passphrase 
 + -o \       # -o      bcrypt key derivation function, implied with ED25519 
 + -a 100     # -a <#> ​ Number of rounds for bcrypt key derivation 
 + 
 +## PKCS#8 SSH Private Keys 
 +# Convert: Convert a private SSH key into PKCS#8 format 
 +$> mv ~/​.ssh/​id_rsa ~/​.ssh/​id_rsa.old 
 +$> openssl pkcs8 -topk8 -v2 des3 \ 
 + -in ~/​.ssh/​id_rsa.old \ 
 + -out ~/​.ssh/​id_rsa 
 +$> chmod 600 ~/​.ssh/​id_rsa 
 +# Check that the converted key works; if yes, delete the old one 
 +$> rm ~/​.ssh/​id_rsa.old 
 +
 +# Revert: Convert a PKCS#8 key back into a private SSH key 
 +$> mv ~/​.ssh/​id_rsa ~/​.ssh/​id_rsa.pkcs8 
 +# Decrypt the key with openssl 
 +$> openssl pkcs8 \ 
 + -in ~/​.ssh/​id_rsa.pkcs8 \ 
 + -out ~/​.ssh/​id_rsa 
 +$> chmod 600 ~/​.ssh/​id_rsa 
 +# Re-encrypt the key using the traditional SSH key format 
 +$> ssh-keygen -f ~/​.ssh/​id_rsa -p
 </​code>​ </​code>​
  
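Review bot: In the new multi-line ssh-keygen commands, continuations such as `-t dsa \  # -t <type>  Key type` put a comment after the backslash, so the backslash escapes the following space instead of the newline, the shell ends the command at the comment, and the flags on the following lines run as separate commands. Keep the flag legend in the comment block above the commands, as the removed lines did, or end each continued line with a bare backslash and nothing after it. In the same block, the RSA command repeats the "implied with ED25519" remark for -o, and -a 100 next to -N '' has no effect because there is no passphrase to derive a key from. In the PKCS#8 part, `-v2 des3` selects Triple DES where an AES cipher would be the better choice, and the Revert step writes the decrypted key to ~/.ssh/id_rsa before the chmod 600 runs, so set umask 077 before calling openssl there.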
user/nbrimme1/portfolio/openssh.1528584277.txt.gz · Last modified: 2018/06/09 18:44 by nbrimme1