Ssh howto: Unterschied zwischen den Versionen

Aus xinux.net
Zur Navigation springen Zur Suche springen
Zeile 3: Zeile 3:
 
*[[ssh Clientseite]]
 
*[[ssh Clientseite]]
 
*[[ssh Serverseite]]
 
*[[ssh Serverseite]]
 
  
 
==Serverseite==
 
==Serverseite==
Zeile 43: Zeile 42:
 
  root@alita:/etc/ssh# ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -l
 
  root@alita:/etc/ssh# ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -l
 
  2048 8c:d1:1f:d2:5e:76:cd:75:74:c4:b7:b2:c7:f6:50:78 /etc/ssh/ssh_host_rsa_key.pub (RSA)
 
  2048 8c:d1:1f:d2:5e:76:cd:75:74:c4:b7:b2:c7:f6:50:78 /etc/ssh/ssh_host_rsa_key.pub (RSA)
*[[ssh Tunnel]]
 
 
=vpn-pppd ssh Tunnelscript=
 
 
ssh nagus
 
cat /usr/local/sbin/vpn-pppd
 
 
=enable diffie-hellman-group1-sha1 key exchange=
 
mit dem direkten befehl:
 
 
*ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 123.123.123.123
 
 
dauerhaft eintragen:
 
 
* /etc/ssh/ssh_config
 
<pre>
 
Host 123.123.123.123
 
    KexAlgorithms +diffie-hellman-group1-sha1
 
</pre>
 
=check der laufenden Konfig mit den Standardwerten=
 
*sshd -T
 
 
=check Algorithmen=
 
*sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
 
<pre>
 
ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
 
</pre>
 
<pre>
 
macs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
 
</pre>
 
<pre>
 
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
 
</pre>
 
;Bei Sicherheitsproblemen diese in die /etc/ssh/sshd_config kopieren und die unsicheren entfernen.
 
 
=Quellen=
 
*https://hitech-blog.com/wp-content/2010/08/ssh_marco_costa.pdf
 

Version vom 9. August 2021, 18:26 Uhr

Serverseite

SSH Server installieren

root@alita:~# apt-get install openssh-server
...

Konfigurationsdatei

/etc/ssh/sshd_config 

# What ports, IPs and protocols we listen for
Port 22   
                            
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::                                                           
#ListenAddress 0.0.0.0                                                      
Protocol 2                                                                  
# HostKeys for protocol version 2                                           
HostKey /etc/ssh/ssh_host_rsa_key                                           
HostKey /etc/ssh/ssh_host_dsa_key                                           
#Privilege Separation is turned on for security                             
UsePrivilegeSeparation yes                                                  

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600                         
ServerKeyBits 768                                    
...

Zusätzlichen Port zum Lauschen auf Anfragen hinzufügen

/etc/ssh/sshd_config 

# What ports, IPs and protocols we listen for
Port 22   
Port 9998                             
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::                                                           
#ListenAddress 0.0.0.0

RSA Key Fingerprint anzeigen

root@alita:/etc/ssh# ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -l
2048 8c:d1:1f:d2:5e:76:cd:75:74:c4:b7:b2:c7:f6:50:78 /etc/ssh/ssh_host_rsa_key.pub (RSA)
Abgerufen von „https://xinux.net/index.php?title=Ssh_howto&oldid=27145