Table of Contents

Other Project:

A project for COURSENAME by YOUR NAME OR GROUPMEMBER NAMES during the SEMESTER YEAR.

This project was begun on DATE and is anticipated to take X AMOUNT OF TIME. (Upon completion you can correct this with the actual length).

Objectives

State the purpose of this project. What is the point of this project? What do we hope to accomplish by undertaking it?

Go from this (old and busted default sshd): SSH-Before

To this (new hotness super secure sshd): SSH-After

Help Matt with Lab46's sshd: SSH-Lab46

Prerequisites

In order to successfully accomplish/perform this project, the listed resources/experiences need to be consulted/achieved:

Background

State the idea or purpose of the project. What are you attempting to pursue?

Upon approval, you'll want to fill this section out with more detailed background information. DO NOT JUST PROVIDE A LINK.

Providing any links to original source material, such as from a project page, is a good idea.

You'll want to give a general overview of what is going to be accomplished (for example, if your project is about installing a web server, do a little write-up on web servers. What is it, why do we need one, how does it work, etc.)

Scope

Give a general overview of your anticipated implementation of the project. Address any areas where you are making upfront assumptions or curtailing potential detail. State the focus you will be taking in implementation.

Attributes

State and justify the attributes you'd like to receive upon successful approval and completion of this project.

Procedure

The actual steps taken to accomplish the project. Include images, code snippets, command-line excerpts; whatever is useful for intuitively communicating important information for accomplishing the project.

Code

Key Generation

## -C "Comment", not needed for host keys
## -p  Request to change passphrase
## -f <filename>  Output filename of key file
 
## DSA: **NO LONGER ALLOWED; OpenSSH >=7.0
$> ssh-keygen -f /etc/ssh/ssh_host_dsa_key \
	-t dsa \  # -t <type>  Key type
	-N ''     # -N ''      New (blank) passphrase
## ECDSA: *OpenSSH >=5.7
$> ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key \
	-t ecdsa \  # -t <type>  Key type
	-N ''       # -N ''      New (blank) passphrase
## ED25519: All keys 256-bit , *OpenSSH >=6.5
$> ssh-keygen -f /etc/ssh/ssh_host_ed25519_key \
	-t ed25519 \  # -t <type>  Key type
	-N '' \  # -N ''   New (blank) passphrase
	-o \     # -o      bcrypt key derivation function, implied with ED25519
	-a 100   # -a <#>  Number of rounds for bcrypt key derivation
## RSA: Min:1024, Recommended/Default:2048, Max:16384
$> ssh-keygen -f /etc/ssh/ssh_host_rsa_key \
	-t rsa \   # -t <type>  Key type
	-b 4096 \  # -b <bits>  Number of bits in the key
	-N '' \    # -N ''   New (blank) passphrase
	-o \       # -o      bcrypt key derivation function, implied with ED25519
	-a 100     # -a <#>  Number of rounds for bcrypt key derivation
 
## PKCS#8 SSH Private Keys
# Convert: Convert a private SSH key into PKCS#8 format
$> mv ~/.ssh/id_rsa ~/.ssh/id_rsa.old
$> openssl pkcs8 -topk8 -v2 des3 \
	-in ~/.ssh/id_rsa.old \
	-out ~/.ssh/id_rsa
$> chmod 600 ~/.ssh/id_rsa
# Check that the converted key works; if yes, delete the old one
$> rm ~/.ssh/id_rsa.old
#
# Revert: Convert a PKCS#8 key back into a private SSH key
$> mv ~/.ssh/id_rsa ~/.ssh/id_rsa.pkcs8
# Decrypt the key with openssl
$> openssl pkcs8 \
	-in ~/.ssh/id_rsa.pkcs8 \
	-out ~/.ssh/id_rsa
$> chmod 600 ~/.ssh/id_rsa
# Re-encrypt the key using the traditional SSH key format
$> ssh-keygen -f ~/.ssh/id_rsa -p

Moduli Generation

## Create /etc/ssh/moduli if non-existent
# Generate moduli candidates
# -b is the length of the prime + 1 bit, (4096 -> 4095-bit)
# -M increase the memory used, 127(MiB) is the maximum.
$> ssh-keygen -G /etc/ssh/moduli.all -b 4096 -M 127
# Test the candidates
# -f specifies the file with the candidates.
# -a sets the number of tries for Miller-Rabin per candidate, 100 by default.
$> ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all -a 100
$> mv /etc/ssh/moduli.safe /etc/ssh/moduli
$> rm /etc/ssh/moduli.all
## Strengthen /etc/ssh/moduli by removing moduli that are < 2048-bits
$> awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
# check for empty file
$> wc -l "${HOME}/moduli"
$> mv "${HOME}/moduli" /etc/ssh/moduli

SSH Client Configuration

## file: /etc/ssh/ssh_config
HashKnownHosts yes
# https://www.github.com/ specific options
Host github.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
# All other host options
Host *
ConnectTimeout 30
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
ServerAliveInterval 10
# Enables sharing multiple sessions over a single network connection.
ControlMaster auto
ControlPersist yes
# Location of a control socket for connection sharing.
ControlPath ~/.ssh/socket-%r@%h:%p

SSH Server Configuration

## File: /etc/ssh/sshd_config
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Execution

Again, if there is associated code with the project, and you haven't already indicated how to run it, provide a sample run of your code:

lab46:~/src/cprog$ ./hello
Hello, World!
lab46:~/src/cprog$ 

Reflection

Comments/thoughts generated through performing the project, observations made, analysis rendered, conclusions wrought. What did you learn from doing this project?

References

In performing this project, the following resources were referenced:

Back to my Portfolio
Back to my Opus