bdisk/docs/manual/user/advanced/SSH.adoc

4.4 KiB
Raw Blame History

SSH Pubkey Authentication

To start with, youll want to secure SSH a little more than normal.

I highly recommend this article, which well be following in this process.

First, create a file: <basedir>/overlay/etc/ssh/sshd_config using the following. Comments and blank lines have been stripped out for brevity.

PermitRootLogin prohibit-password
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no # pam does that
Subsystem	sftp	/usr/lib/ssh/sftp-server
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

Well also want to implement a more secure ssh_config file to avoid possible leaks. The following is <basedir>/overlay/etc/ssh/ssh_config:

Host *
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    PubkeyAuthentication yes
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

Well want to create our own moduli. This can take a long time, but only needs to be done onceit doesnt need to be done for every build. The following commands should be run in <basedir>/overlay/etc/ssh/:

ssh-keygen -G moduli.all -b 4096
ssh-keygen -T moduli.safe -f moduli.all
mv moduli.safe moduli
rm moduli.all

Then we generate hostkeys. This isnt strictly necessary as the live media will create them automatically when starting SSH if theyre missing, but this does provide some verification that the host youre SSHing to is, in fact, running the BDisk instance that you yourself built. The following commands should be run in <basedir>/overlay/etc/ssh/:

ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null

Make sure you have keys on your host workstation generated so you can SSH into BDisk. If you dont have any ED25519 or RSA SSH keys, this will create them for you. The following should be run as the host (build machine, or what have you) user you want to be able to SSH into BDisk as:

ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100

The defaults are fine. Adding a password to your private key is not necessary, but recommended (though note that doing so will inhibit automated SSHing). You should now have in ~/.ssh/ the following files (assuming you kept the defaults above):

id_ed25519
id_ed25519.pub
id_rsa
id_rsa.pub
Warning
The files ending in .pub are publicthey can be published anywhere. However, the ones that are not appended with .pub are your private keys and should not be shared with anyone, whether theyre password-protected or not!

Now youll want to get the public key of your SSH keys so you can add them to your BDisk build. The following commands should be run in <basedir>/overlay/:

mkdir -p root/.ssh
chmod 700 root/.ssh
touch root/.ssh/authorized_keys
chmod 600 root/.ssh/authorized_keys
cat ~/.ssh/id_{ed25519,rsa}.pub > root/.ssh/authorized_keys

If you decided to enable a regular non-root user in your build, youll want to perform the same steps above for the regular user as well (or forego the above and just enable SSH for the user you create). Remember to replace root/ with home/<username>/!

Lastly, we need to enable SSH to start on boot. Run the following command in <basedir>/overlay/etc/systemd/system/multi-user.target.wants/:

ln -s /usr/lib/systemd/system/sshd.service sshd.service

You should now have SSH automatically start once the instance boots.