bdisk/docs/manual/user/advanced/SSH.adoc

=== SSH Pubkey Authentication
To start with, you'll want to secure SSH a little more than normal.

I highly recommend https://stribika.github.io/2015/01/04/secure-secure-shell.html[this article^], which we'll be following in this process.

First, create a file: `<basedir>/overlay/etc/ssh/sshd_config` using the following. Comments and blank lines have been stripped out for brevity.

 PermitRootLogin prohibit-password
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 AuthorizedKeysFile	.ssh/authorized_keys
 PasswordAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
 PrintMotd no # pam does that
 Subsystem	sftp	/usr/lib/ssh/sftp-server
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

We'll also want to implement a more secure `ssh_config` file to avoid possible leaks. The following is `<basedir>/overlay/etc/ssh/ssh_config`:

 Host *
     KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
     PasswordAuthentication no
     ChallengeResponseAuthentication no
     PubkeyAuthentication yes
     HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
     Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
     MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

We'll want to create our own moduli. This can take a long time, but only needs to be done once -- it doesn't need to be done for every build. The following commands should be run in `<basedir>/overlay/etc/ssh/`:

 ssh-keygen -G moduli.all -b 4096
 ssh-keygen -T moduli.safe -f moduli.all
 mv moduli.safe moduli
 rm moduli.all

Then we generate hostkeys. This isn't strictly necessary as the live media will create them automatically when starting SSH if they're missing, but this does provide some verification that the host you're SSHing to is, in fact, running the BDisk instance that you yourself built. The following commands should be run in `<basedir>/overlay/etc/ssh/`:

 ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
 ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null

Make sure you have keys on your host workstation generated so you can SSH into BDisk. If you don't have any ED25519 or RSA SSH keys, this will create them for you. The following should be run as the host (build machine, or what have you) user you want to be able to SSH into BDisk as:

 ssh-keygen -t ed25519 -o -a 100
 ssh-keygen -t rsa -b 4096 -o -a 100

The defaults are fine. Adding a password to your private key is not necessary, but recommended (though note that doing so will inhibit automated SSHing). You should now have in `~/.ssh/` the following files (assuming you kept the defaults above):

 id_ed25519
 id_ed25519.pub
 id_rsa
 id_rsa.pub

WARNING: The files ending in *.pub* are _public_ -- they can be published anywhere. However, the ones that are not appended with *.pub* are your _private keys_ and should not be shared with anyone, whether they're password-protected or not!

Now you'll want to get the public key of your SSH keys so you can add them to your BDisk build. The following commands should be run in `<basedir>/overlay/`:

 mkdir -p root/.ssh
 chmod 700 root/.ssh
 touch root/.ssh/authorized_keys
 chmod 600 root/.ssh/authorized_keys
 cat ~/.ssh/id_{ed25519,rsa}.pub > root/.ssh/authorized_keys

If you decided to <<code_user_code,enable a regular non-root user>> in your build, you'll want to perform the same steps above for the regular user as well (or forego the above and just enable SSH for the user you create). Remember to replace `root/` with `home/<<_code_username_code,<username>>>/`!

Lastly, we need to enable SSH to start on boot. Run the following command in `<basedir>/overlay/etc/systemd/system/multi-user.target.wants/`:

 ln -s /usr/lib/systemd/system/sshd.service sshd.service

You should now have SSH automatically start once the instance boots.
more documentation... 2016-12-27 15:25:56 -05:00			`=== SSH Pubkey Authentication`
			`To start with, you'll want to secure SSH a little more than normal.`

			`I highly recommend https://stribika.github.io/2015/01/04/secure-secure-shell.html[this article^], which we'll be following in this process.`

			First, create a file: `<basedir>/overlay/etc/ssh/sshd_config` using the following. Comments and blank lines have been stripped out for brevity.

			`PermitRootLogin prohibit-password`
			`HostKey /etc/ssh/ssh_host_ed25519_key`
			`HostKey /etc/ssh/ssh_host_rsa_key`
			`AuthorizedKeysFile .ssh/authorized_keys`
			`PasswordAuthentication no`
			`PermitEmptyPasswords no`
			`ChallengeResponseAuthentication no`
			`UsePAM yes`
			`PrintMotd no # pam does that`
			`Subsystem sftp /usr/lib/ssh/sftp-server`
			`KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256`
			`Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr`
			`MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com`

			We'll also want to implement a more secure `ssh_config` file to avoid possible leaks. The following is `<basedir>/overlay/etc/ssh/ssh_config`:

			`Host *`
			`KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256`
			`PasswordAuthentication no`
			`ChallengeResponseAuthentication no`
			`PubkeyAuthentication yes`
			`HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa`
			`Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr`
			`MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com`

			We'll want to create our own moduli. This can take a long time, but only needs to be done once -- it doesn't need to be done for every build. The following commands should be run in `<basedir>/overlay/etc/ssh/`:

			`ssh-keygen -G moduli.all -b 4096`
			`ssh-keygen -T moduli.safe -f moduli.all`
			`mv moduli.safe moduli`
			`rm moduli.all`

			Then we generate hostkeys. This isn't strictly necessary as the live media will create them automatically when starting SSH if they're missing, but this does provide some verification that the host you're SSHing to is, in fact, running the BDisk instance that you yourself built. The following commands should be run in `<basedir>/overlay/etc/ssh/`:

documentation check-in... 2016-12-30 00:09:24 -05:00			`ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null`
			`ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null`
more documentation... 2016-12-27 15:25:56 -05:00
			`Make sure you have keys on your host workstation generated so you can SSH into BDisk. If you don't have any ED25519 or RSA SSH keys, this will create them for you. The following should be run as the host (build machine, or what have you) user you want to be able to SSH into BDisk as:`

			`ssh-keygen -t ed25519 -o -a 100`
			`ssh-keygen -t rsa -b 4096 -o -a 100`

			The defaults are fine. Adding a password to your private key is not necessary, but recommended (though note that doing so will inhibit automated SSHing). You should now have in `~/.ssh/` the following files (assuming you kept the defaults above):

			`id_ed25519`
			`id_ed25519.pub`
			`id_rsa`
			`id_rsa.pub`

			`WARNING: The files ending in .pub are _public_ -- they can be published anywhere. However, the ones that are not appended with .pub are your _private keys_ and should not be shared with anyone, whether they're password-protected or not!`

			Now you'll want to get the public key of your SSH keys so you can add them to your BDisk build. The following commands should be run in `<basedir>/overlay/`:

			`mkdir -p root/.ssh`
			`chmod 700 root/.ssh`
			`touch root/.ssh/authorized_keys`
			`chmod 600 root/.ssh/authorized_keys`
			`cat ~/.ssh/id_{ed25519,rsa}.pub > root/.ssh/authorized_keys`

			If you decided to <<code_user_code,enable a regular non-root user>> in your build, you'll want to perform the same steps above for the regular user as well (or forego the above and just enable SSH for the user you create). Remember to replace `root/` with `home/<<_code_username_code,<username>>>/`!

			Lastly, we need to enable SSH to start on boot. Run the following command in `<basedir>/overlay/etc/systemd/system/multi-user.target.wants/`:

			`ln -s /usr/lib/systemd/system/sshd.service sshd.service`

			`You should now have SSH automatically start once the instance boots.`