head.daveops.net

Snippets for yer computer needs

SSH

Generating a new key

# Generate a new RSA keypair
ssh-keygen -t rsa -b 4096 -C "<username> generated <date>" -f id_rsa
# Generate a new ed25519 keypair
ssh-keygen -t ed25519 -C "<username> generated <date>"

Getting key fingerprint

ssh-keygen -lf .ssh/id_rsa.pub

Security notes

General

Client

Server

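# Ignore .rhosts/.shosts files and disable host-based authentication
IgnoreRhosts yes
# SSH protocol 1 only; deprecated in current OpenSSH releases
RhostsRSAAuthentication no
HostbasedAuthentication no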

# Don't use tunneled cleartext passwords
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

# Disable root user login
PermitRootLogin no

UsePAM yes

# Disable X11 forwarding
X11Forwarding no
# Disable TCP forwarding (unless you *actually* need it)
AllowTcpForwarding no

# Lock down to specific group of users
AllowGroups ssh_users

PermitUserEnvironment no
StrictModes yes
# Deprecated in current OpenSSH releases, where privilege separation is always on
UsePrivilegeSeparation yes
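
An added example, not part of the original page: a small Python audit that checks sshd_config text against a subset of the server settings above and reports anything missing, misspelled or shadowed by an earlier line. The names BASELINE, SAMPLE, parse_global and audit are made up for this example, and the sample config is constructed.

```python
# Added example (not from the original page). BASELINE is a subset of the
# server settings listed above, keyed by lower-cased keyword.
BASELINE = dict(kv.split("=") for kv in (
    "ignorerhosts=yes hostbasedauthentication=no pubkeyauthentication=yes "
    "passwordauthentication=no permitemptypasswords=no permitrootlogin=no "
    "x11forwarding=no allowtcpforwarding=no allowgroups=ssh_users "
    "permituserenvironment=no strictmodes=yes"
).split())

# Constructed sample config: one shadowed duplicate and one misspelled keyword.
SAMPLE = """\
IgnoreRhosts yes
HostbasedAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin yes
permitrootlogin no
X11Forwarding no
AllowTcpForwarding no
AllowGroup ssh_users
PermitUserEnvironment no
StrictModes yes
"""

def parse_global(text):
    # Keywords are case-insensitive, and for yes/no options sshd uses the
    # first value it reads, so later duplicates are ignored. Stops at the
    # first Match block: conditional overrides are not audited here.
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        seen.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(text, baseline=BASELINE):
    """Return sorted (keyword, expected, found) tuples; found is None if unset."""
    seen = parse_global(text)
    return sorted((k, want, seen.get(k)) for k, want in baseline.items()
                  if seen.get(k) != want)

if __name__ == "__main__":
    for keyword, want, found in audit(SAMPLE):
        print(f"{keyword}: expected {want!r}, found {found!r}")
```

On a live host the same check can be run over the output of sshd -T, which prints the effective configuration.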