Other Project:
A project for COURSENAME by YOUR NAME OR GROUPMEMBER NAMES during the SEMESTER YEAR.
This project was begun on DATE and is anticipated to take X AMOUNT OF TIME. (Upon completion you can correct this with the actual length).
Objectives
State the purpose of this project. What is the point of this project? What do we hope to accomplish by undertaking it?
Go from this (old and busted default sshd):
Prerequisites
In order to successfully accomplish/perform this project, the listed resources/experiences need to be consulted/achieved:
- Your user files in ~/.ssh/
- Access rights to system files in /etc/ssh/
Background
State the idea or purpose of the project. What are you attempting to pursue?
Upon approval, you'll want to fill this section out with more detailed background information. DO NOT JUST PROVIDE A LINK.
Providing any links to original source material, such as from a project page, is a good idea.
You'll want to give a general overview of what is going to be accomplished (for example, if your project is about installing a web server, do a little write-up on web servers. What is it, why do we need one, how does it work, etc.)
Scope
Give a general overview of your anticipated implementation of the project. Address any areas where you are making upfront assumptions or curtailing potential detail. State the focus you will be taking in implementation.
Attributes
State and justify the attributes you'd like to receive upon successful approval and completion of this project.
- attribute1: why you feel your pursuit of this project will gain you this attribute
- attribute2: why you feel your pursuit of this project will gain you this attribute
- etc…
Procedure
The actual steps taken to accomplish the project. Include images, code snippets, command-line excerpts; whatever is useful for intuitively communicating important information for accomplishing the project.
Code
Key Generation
```bash
## Common ssh-keygen options used below
## -t <type>      Key type
## -b <bits>      Number of bits in the key (RSA; for ECDSA it selects the curve: 256, 384 or 521)
## -f <filename>  Output filename of the key file
## -N ''          New (blank) passphrase; host keys must be unencrypted so sshd can load them at boot
## -C "Comment"   Key comment, not needed for host keys
## -p             Change the passphrase of an existing key
## -o             Save the private key in the new OpenSSH format (bcrypt KDF); always used for ED25519
##                and the default for every key type since OpenSSH 7.8
## -a <#>         Number of bcrypt KDF rounds; only matters for keys that have a passphrase
## Note: a comment after a trailing backslash breaks the line continuation, so the commands
## below are written on one line each.

## DSA: ssh-dss is disabled by default since OpenSSH 7.0; shown only for completeness, do not generate one
$> ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''

## ECDSA: OpenSSH >=5.7
$> ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -t ecdsa -N ''

## ED25519: all keys are 256-bit, OpenSSH >=6.5
$> ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -t ed25519 -N '' -o -a 100

## RSA: Min 1024, Max 16384; default 2048 (3072 since OpenSSH 8.0)
$> ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 -N '' -o -a 100

## PKCS#8 SSH private keys
## Converting a traditional PEM key ("-----BEGIN RSA PRIVATE KEY-----") to PKCS#8 replaces its weak
## MD5-based passphrase protection with PBKDF2. Keys written with -o ("-----BEGIN OPENSSH PRIVATE KEY-----")
## already use bcrypt and do not need this; on OpenSSH >=7.8 simply re-encrypt with ssh-keygen -p -o -a 100.
# Convert: a private SSH key into PKCS#8 format
$> mv ~/.ssh/id_rsa ~/.ssh/id_rsa.old
# -v2 selects the PBES2 cipher; aes-256-cbc is preferred over the des3 used in older recipes
$> openssl pkcs8 -topk8 -v2 aes-256-cbc \
     -in ~/.ssh/id_rsa.old \
     -out ~/.ssh/id_rsa
$> chmod 600 ~/.ssh/id_rsa
# Check that the converted key still works (ssh-keygen -y -f ~/.ssh/id_rsa must print the public key);
# if yes, delete the old one
$> rm ~/.ssh/id_rsa.old
#
# Revert: convert a PKCS#8 key back into a private SSH key
$> mv ~/.ssh/id_rsa ~/.ssh/id_rsa.pkcs8
# Decrypt the key with openssl (this writes an unencrypted PEM key, so re-encrypt it right away)
$> openssl pkcs8 \
     -in ~/.ssh/id_rsa.pkcs8 \
     -out ~/.ssh/id_rsa
$> chmod 600 ~/.ssh/id_rsa
# Re-encrypt the key with a passphrase in the traditional SSH key format
$> ssh-keygen -f ~/.ssh/id_rsa -p
```
Moduli Generation
```bash
## Create /etc/ssh/moduli if it does not exist (generating and screening 4096-bit candidates takes hours)
# Generate moduli candidates
# -b is the size of the prime in bits; the moduli file records size as bits-1 (4096 -> "4095" in field 5)
# -M is the sieve memory in MiB; 127 is the maximum ssh-keygen accepts
$> ssh-keygen -G /etc/ssh/moduli.all -b 4096 -M 127
# Test (screen) the candidates
# -f specifies the file with the candidates
# -a sets the number of Miller-Rabin rounds per candidate, 100 by default
$> ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all -a 100
$> mv /etc/ssh/moduli.safe /etc/ssh/moduli
$> rm /etc/ssh/moduli.all
# OpenSSH >=8.2 replaced -G and -T with -M generate and -M screen:
$> ssh-keygen -M generate -O bits=4096 /etc/ssh/moduli.all
$> ssh-keygen -M screen -f /etc/ssh/moduli.all /etc/ssh/moduli.safe

## Strengthen an existing /etc/ssh/moduli by removing groups smaller than 2048 bits
# Field 5 is the size; 2048-bit groups are recorded as 2047, so keep everything above 2000
$> awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
# Check that the result is not empty before replacing the system file
$> wc -l "${HOME}/moduli"
$> mv "${HOME}/moduli" /etc/ssh/moduli
```
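The `awk '$5 > 2000'` filter above trusts the size field alone. The following is an added example (not code from the original page) that reads the same moduli(5) format and also drops lines that are malformed, not screened safe primes, or whose recorded size disagrees with the length of the hex modulus. It checks metadata and format only; primality is what `ssh-keygen -T` already established. The sample lines are constructed (the hex is filler, not real primes) purely to exercise each rule.

```shell
#!/bin/sh
# Added example: stricter screening of an OpenSSH moduli file.
# moduli(5) fields:  time  type  tests  tries  size  generator  modulus
#   type   2 = safe prime ((p-1)/2 is also prime); 4 = Sophie Germain candidate
#   tests  bitmask: 0x01 composite, 0x02 sieved, 0x04 Miller-Rabin passed
#   size   number of bits in the modulus minus one (a 2048-bit group is recorded as 2047)

# screen_moduli MIN_BITS < moduli > moduli.out
# Accepted lines go to stdout; one rejection reason per dropped line goes to stderr.
screen_moduli() {
    awk -v min_bits="$1" '
        NF != 7               { reject("malformed line (" NF " fields)"); next }
        $2 != 2               { reject("type " $2 " is not a screened safe prime"); next }
        $3 % 2 == 1           { reject("flagged composite"); next }
        int($3 / 4) % 2 != 1  { reject("no Miller-Rabin result recorded"); next }
        $5 + 1 < min_bits     { reject("only " $5 + 1 " bits"); next }
        {
            hex_bits = length($7) * 4              # upper bound implied by the hex length
            if ($5 + 1 > hex_bits || $5 + 1 <= hex_bits - 4) {
                reject("size " $5 " disagrees with " length($7) " hex digits"); next
            }
            print
        }
        function reject(why) { print "line " NR ": " why > "/dev/stderr" }
    '
}

# hex_fill N: print N hex digits; used only to build the constructed sample below
hex_fill() { awk -v n="$1" 'BEGIN { while (n-- > 0) printf "f"; print "" }'; }

# sample_moduli: constructed lines (not real primes) covering each rule:
# good 2048-bit, good 4096-bit, too-short 1024-bit, unscreened candidate,
# composite-flagged, and a truncated modulus.
sample_moduli() {
    printf '20150101000000 2 6 100 2047 2 %s\n' "$(hex_fill 512)"
    printf '20150101000000 2 6 100 4095 2 %s\n' "$(hex_fill 1024)"
    printf '20150101000000 2 6 100 1023 2 %s\n' "$(hex_fill 256)"
    printf '20150101000000 4 2 0 4095 2 %s\n'   "$(hex_fill 1024)"
    printf '20150101000000 2 7 100 4095 2 %s\n' "$(hex_fill 1024)"
    printf '20150101000000 2 6 100 4095 2 %s\n' "$(hex_fill 900)"
}

# count_good MIN_BITS: how many of the sample lines survive screening at MIN_BITS
count_good() { sample_moduli | screen_moduli "$1" 2>/dev/null | wc -l | tr -d ' '; }
```

Against a real file, run `screen_moduli 2048 < /etc/ssh/moduli > "${HOME}/moduli"`, read the reasons printed on stderr, and confirm with `wc -l` that something survived before moving the result over `/etc/ssh/moduli`.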
SSH Client Configuration
```
## File: /etc/ssh/ssh_config
HashKnownHosts yes

# https://www.github.com/ specific options
Host github.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512

# All other hosts. ssh_config uses the first value obtained for each option,
# so the catch-all Host * block must come after the host-specific ones.
Host *
    ConnectTimeout 30
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    ServerAliveInterval 10
    # Share multiple sessions over a single network connection
    ControlMaster auto
    ControlPersist yes
    # Location of the control socket for connection sharing; ~/.ssh must be mode 700
    ControlPath ~/.ssh/socket-%r@%h:%p
```
SSH Server Configuration
```
## File: /etc/ssh/sshd_config
# Protocol 1 was removed in OpenSSH 7.6; this keyword is now ignored but harmless on older versions
Protocol 2
# Offer only the two strong host keys generated above; the DSA and ECDSA keys are not listed
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
```
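To confirm that a client or server configuration actually matches the hardened lists above, the following added example (not code from the original page, and not an OpenSSH tool) lints the KexAlgorithms, Ciphers, MACs and HostKey lines of an ssh_config or sshd_config for legacy algorithms. The legacy patterns (SHA-1 key exchange, CBC/arcfour/3DES ciphers, MD5/SHA-1/truncated MACs, DSA host keys) are the editor's own heuristics, and the two sample files it writes are constructed: one is the sshd_config shown on this page, the other a stock-looking config with old defaults.

```shell
#!/bin/sh
# Added example: lint ssh/sshd config algorithm lists for legacy algorithms.

# check_alg_list KEYWORD LIST
# Prints every algorithm in the comma-separated LIST that matches a legacy
# pattern for KEYWORD; returns 0 if none matched, 1 otherwise.
check_alg_list() {
    _kw=$1
    _list=$2
    case $_kw in
        KexAlgorithms) _weak='sha1$' ;;                               # group1/group14/gex with SHA-1
        Ciphers)       _weak='cbc|^arcfour|^3des|^blowfish|^cast128' ;;
        MACs)          _weak='md5|^hmac-sha1|^umac-64|-96' ;;         # MD5, SHA-1, 64/96-bit tags
        *)             return 0 ;;
    esac
    _rc=0
    for _alg in $(printf '%s' "$_list" | tr ',' ' '); do
        if printf '%s\n' "$_alg" | grep -Eq "$_weak"; then
            printf '%s: legacy algorithm %s\n' "$_kw" "$_alg"
            _rc=1
        fi
    done
    return $_rc
}

# lint_ssh_config FILE
# Returns the number of offending lines (0 = nothing the heuristics reject).
lint_ssh_config() {
    _bad=0
    while read -r _keyword _value; do
        _value=${_value%%#*}                         # drop trailing comments
        case $_keyword in
            ''|\#*) ;;                               # blank or comment line
            KexAlgorithms|Ciphers|MACs)
                check_alg_list "$_keyword" "$_value" || _bad=$((_bad + 1)) ;;
            HostKey)
                case $_value in
                    *dsa*) printf 'HostKey: DSA host key %s\n' "$_value"
                           _bad=$((_bad + 1)) ;;
                esac ;;
        esac
    done < "$1"
    return $_bad
}

# make_sample_configs
# Writes two constructed files into a temp dir and sets GOOD_CONF (the
# hardened sshd_config from this page) and WEAK_CONF (legacy defaults).
make_sample_configs() {
    _dir=$(mktemp -d)
    GOOD_CONF=$_dir/sshd_config.good
    WEAK_CONF=$_dir/sshd_config.weak
    cat > "$GOOD_CONF" <<'EOF'
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
    cat > "$WEAK_CONF" <<'EOF'
# constructed sample: what an old default sshd might still negotiate
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256@libssh.org
Ciphers aes128-cbc,3des-cbc,arcfour,aes256-ctr
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
EOF
}
```

Run `lint_ssh_config /etc/ssh/sshd_config` after editing, then let the daemon parse the file with `sshd -t -f /etc/ssh/sshd_config` before restarting it; `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac` list the names the installed OpenSSH actually supports, so any algorithm in the config that is missing from those lists will be silently unavailable.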
Execution
Again, if there is associated code with the project, and you haven't already indicated how to run it, provide a sample run of your code:
```
lab46:~/src/cprog$ ./hello
Hello, World!
lab46:~/src/cprog$
```
Reflection
Comments/thoughts generated through performing the project, observations made, analysis rendered, conclusions wrought. What did you learn from doing this project?
References
In performing this project, the following resources were referenced:
- Google: Of course Google was used, it knows everything. No particular page from Google was used; it was mainly used for information about the project (Linked Lists in general): http://www.google.com/. If ya don't know, now ya know, and knowing is half the battle.
- Wikipedia: Has a great article on Linked Lists; Tons of information, pretty pictures, and some code: http://en.wikipedia.org/wiki/Linked_list.