A project for COURSENAME by YOUR NAME OR GROUPMEMBER NAMES during the SEMESTER YEAR.

This project was begun on DATE and is anticipated to take X AMOUNT OF TIME. (Upon completion you can correct this with the actual length).

State the purpose of this project. What is the point of this project? What do we hope to accomplish by undertaking it?

Go from this (old and busted default sshd):

To this (new hotness super secure sshd):

Help Matt with Lab46's sshd:

In order to successfully accomplish/perform this project, the listed resources/experiences need to be consulted/achieved:

• Your user files in ~/.ssh/
• Access rights to system files in /etc/ssh/
• ssh-audit

State the idea or purpose of the project. What are you attempting to pursue?

Upon approval, you'll want to fill this section out with more detailed background information. DO NOT JUST PROVIDE A LINK.

Providing any links to original source material, such as from a project page, is a good idea.

You'll want to give a general overview of what is going to be accomplished (for example, if your project is about installing a web server, do a little write-up on web servers. What is it, why do we need one, how does it work, etc.)

Give a general overview of your anticipated implementation of the project. Address any areas where you are making upfront assumptions or curtailing potential detail. State the focus you will be taking in implementation.

State and justify the attributes you'd like to receive upon successful approval and completion of this project.

• attribute1: why you feel your pursuit of this project will gain you this attribute
• attribute2: why you feel your pursuit of this project will gain you this attribute
• etc…

The actual steps taken to accomplish the project. Include images, code snippets, command-line excerpts; whatever is useful for intuitively communicating important information for accomplishing the project.

## -C "Comment", not needed for host keys
## -p  Request to change passphrase
## -f <filename>  Output filename of key file
 
## DSA: **NO LONGER ALLOWED; OpenSSH >=7.0
$> ssh-keygen -f /etc/ssh/ssh_host_dsa_key \
	-t dsa \  # -t <type>  Key type
	-N ''     # -N ''      New (blank) passphrase
## ECDSA: *OpenSSH >=5.7
$> ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key \
	-t ecdsa \  # -t <type>  Key type
	-N ''       # -N ''      New (blank) passphrase
## ED25519: All keys 256-bit , *OpenSSH >=6.5
$> ssh-keygen -f /etc/ssh/ssh_host_ed25519_key \
	-t ed25519 \  # -t <type>  Key type
	-N '' \  # -N ''   New (blank) passphrase
	-o \     # -o      bcrypt key derivation function, implied with ED25519
	-a 100   # -a <#>  Number of rounds for bcrypt key derivation
## RSA: Min:1024, Recommended/Default:2048, Max:16384
$> ssh-keygen -f /etc/ssh/ssh_host_rsa_key \
	-t rsa \   # -t <type>  Key type
	-b 4096 \  # -b <bits>  Number of bits in the key
	-N '' \    # -N ''   New (blank) passphrase
	-o \       # -o      bcrypt key derivation function, implied with ED25519
	-a 100     # -a <#>  Number of rounds for bcrypt key derivation
 
## PKCS#8 SSH Private Keys
# Convert: Convert a private SSH key into PKCS#8 format
$> mv ~/.ssh/id_rsa ~/.ssh/id_rsa.old
$> openssl pkcs8 -topk8 -v2 des3 \
	-in ~/.ssh/id_rsa.old \
	-out ~/.ssh/id_rsa
$> chmod 600 ~/.ssh/id_rsa
# Check that the converted key works; if yes, delete the old one
$> rm ~/.ssh/id_rsa.old
#
# Revert: Convert a PKCS#8 key back into a private SSH key
$> mv ~/.ssh/id_rsa ~/.ssh/id_rsa.pkcs8
# Decrypt the key with openssl
$> openssl pkcs8 \
	-in ~/.ssh/id_rsa.pkcs8 \
	-out ~/.ssh/id_rsa
$> chmod 600 ~/.ssh/id_rsa
# Re-encrypt the key using the traditional SSH key format
$> ssh-keygen -f ~/.ssh/id_rsa -p

## Create /etc/ssh/moduli if non-existent
# Generate moduli candidates
# -b is the length of the prime + 1 bit, (4096 -> 4095-bit)
# -M increase the memory used, 127(MiB) is the maximum.
$> ssh-keygen -G /etc/ssh/moduli.all -b 4096 -M 127
# Test the candidates
# -f specifies the file with the candidates.
# -a sets the number of tries for Miller-Rabin per candidate, 100 by default.
$> ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all -a 100
$> mv /etc/ssh/moduli.safe /etc/ssh/moduli
$> rm /etc/ssh/moduli.all
## Strengthen /etc/ssh/moduli by removing moduli that are < 2048-bits
$> awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
# check for empty file
$> wc -l "${HOME}/moduli"
$> mv "${HOME}/moduli" /etc/ssh/moduli

## file: /etc/ssh/ssh_config
HashKnownHosts yes
# https://www.github.com/ specific options
Host github.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
# All other host options
Host *
ConnectTimeout 30
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
ServerAliveInterval 10
# Enables sharing multiple sessions over a single network connection.
ControlMaster auto
ControlPersist yes
# Location of a control socket for connection sharing.
ControlPath ~/.ssh/socket-%r@%h:%p

## File: /etc/ssh/sshd_config
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Again, if there is associated code with the project, and you haven't already indicated how to run it, provide a sample run of your code:

lab46:~/src/cprog$ ./hello
Hello, World!
lab46:~/src/cprog$ 

Comments/thoughts generated through performing the project, observations made, analysis rendered, conclusions wrought. What did you learn from doing this project?

In performing this project, the following resources were referenced:

• Google: Of course Google was used, it knows everything. No particular page from Google was used, It was mainly used for information about the project (Linked Lists in general): http://www.google.com/; If ya don't know, now ya know, and knowing is half the battle.

• Wikipedia: Has a great article on Linked Lists; Tons of information, pretty pictures, and some code: http://en.wikipedia.org/wiki/Linked_list.

Back to my Portfolio
Back to my Opus