SSH Configuration

ROLE first

As part of the initial setup of any machine, we lock down access via SSH, harden it by disabling some weak algorithms, and set up a deploy user with sudo access that is used instead of root for administration tasks.

SSH is configured so that all remote access requires a key. Password-based login is only allowed from the console. When multiple people need administrative access to your machines, I recommend authorizing separate public keys for each person rather than sharing one private key. With Ansible, you can easily maintain a list of authorized keys on all of your machines.
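The per-person policy above, as an added example that is not part of these playbooks (in Ansible the authorized_key module does the equivalent): a small POSIX shell routine that assembles one authorized_keys file from a directory of per-admin public keys, accepts only Ed25519 key types, drops duplicate key material, and refuses legacy types. The key blobs written to the demo directory are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: merge per-person public keys into one authorized_keys file.
# Key material below is constructed for the demo and is not a real key.

# Key types accepted on an admin account (FIDO-backed Ed25519 included).
ALLOWED_TYPES="ssh-ed25519 sk-ssh-ed25519@openssh.com"

# validate_pubkey FILE -> prints "type blob comment" if acceptable, else fails.
# The comment defaults to the file name so every line stays attributable.
validate_pubkey() {
    read -r ktype kblob kcomment < "$1" || return 1
    for t in $ALLOWED_TYPES; do
        if [ "$ktype" = "$t" ] && [ -n "$kblob" ]; then
            printf '%s %s %s\n' "$ktype" "$kblob" "${kcomment:-$(basename "$1" .pub)}"
            return 0
        fi
    done
    return 1
}

# build_authorized_keys DIR -> merged keys on stdout, one line per unique blob.
# Rejected files are reported on stderr and skipped rather than aborting.
build_authorized_keys() {
    for f in "$1"/*.pub; do
        validate_pubkey "$f" || echo "skipping $f: unsupported key type" >&2
    done | awk '!seen[$2]++'
}

# count_authorized_keys DIR -> number of lines the merged file would have.
count_authorized_keys() {
    build_authorized_keys "$1" | wc -l | tr -d ' '
}

# Constructed demo input: two admins, one stale duplicate, one legacy DSA key.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDaliceKEY000000000000000000 alice@laptop\n' > "$DEMO_DIR/alice.pub"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDbobKEY00000000000000000000 bob@desktop\n' > "$DEMO_DIR/bob.pub"
cp "$DEMO_DIR/alice.pub" "$DEMO_DIR/alice-old.pub"   # same key under a second name
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBACONSTRUCTED legacy@host\n' > "$DEMO_DIR/legacy.pub"

build_authorized_keys "$DEMO_DIR"
```

Run as a script: it prints the two unique Ed25519 lines and reports the skipped DSA file on stderr. Revoking one person is then a matter of deleting their .pub file and regenerating.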

Whether to have a separate deploy account or just use root for everything is a personal preference. Having a separate step to elevate permissions may avoid some accidents, and if a private key is compromised, an attacker still needs the deploy password to sudo. Raspbian follows this pattern with the pi account. On Pis, we remove the pi account after creating the deploy one.

We also do some hardening of the SSH server by disabling weak algorithms. Since encryption is a constantly changing battlefield, I recommend getting a "yearly flu shot" by occasionally scanning the server with tools like ssh-audit or Lynis, as discussed in the encryption configuration.
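As an added example of the hardening points above (not code from these playbooks, and not a substitute for ssh-audit or Lynis, which also test what the running daemon actually negotiates), the shell routine below reads an sshd_config and reports settings that are missing or weak. It applies sshd's first-occurrence-wins rule and insists on explicit values because the built-in defaults differ between OpenSSH versions; Match blocks are not evaluated. Both sample configurations are constructed for the demo.

```shell
#!/bin/sh
# Added example: a quick static check of sshd_config against this page's
# hardening points. Sample configs below are constructed, not taken from a host.

# effective_setting FILE KEYWORD -> lowercased value of the first active
# occurrence (sshd honours the first one); empty if the keyword is unset.
effective_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # skip comments
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line, nothing if the file passes.
audit_sshd_config() {
    cfg=$1
    # Settings that must be present with exactly this value.
    for pair in PasswordAuthentication=no PermitRootLogin=no PubkeyAuthentication=yes; do
        kw=${pair%%=*}
        want=${pair#*=}
        got=$(effective_setting "$cfg" "$kw")
        [ "$got" = "$want" ] || printf '%s is %s (want %s)\n' "$kw" "${got:-unset}" "$want"
    done
    # Algorithm lists must be pinned, otherwise the daemon's default list applies.
    for kw in KexAlgorithms Ciphers MACs; do
        [ -n "$(effective_setting "$cfg" "$kw")" ] || printf '%s not set (daemon default list applies)\n' "$kw"
    done
}

# count_findings FILE -> number of findings, as a plain integer.
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample: a distro-style default with password auth left on.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes
EOF

# Constructed sample: key-only access, no root login, pinned modern algorithms.
cat > "$HARD_CFG" <<'EOF'
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers deploy
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF

echo "weak config findings:"
audit_sshd_config "$WEAK_CFG"
echo "hardened config findings: $(count_findings "$HARD_CFG")"
```

Pointing audit_sshd_config at /etc/ssh/sshd_config after a playbook run gives a fast regression check; `sshd -T` remains the authoritative view of the effective configuration, since it resolves includes and Match blocks.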

SSH Keys

These playbooks expect SSH keys for the deploy account, the Bacula tunnel, and the www account for website content. The tunnel key should not have a passphrase because it will be used by scripts, but it is your choice whether to use one for the deploy and www account keys.

I recommend using modern Ed25519 keys unless you need to support really old SSH clients. The -N '' in the commands below sets an empty passphrase; omit it to be prompted for one.

$ ssh-keygen -t ed25519 -f deploy -C deploy-yourhost -N ''
$ ssh-keygen -t ed25519 -f bacula -C bacula-tunnel-yourhost -N ''
$ ssh-keygen -t ed25519 -f www -C www-yourhost -N ''

The public key needs to be in OpenSSH format. If you happen to use PuTTY to generate a key, you can convert it as follows. Install the putty-utils package and run:

$ puttygen deploy.ppk -O public-openssh -o deploy.pub
$ puttygen deploy.ppk -O private-openssh -o deploy

Other Notes

If you happen to change host keys, like when rebuilding a machine, SSH freaks out with ominous messages about man-in-the-middle attacks. You can selectively make ssh forget the old key for both the host name and the IP address with commands like the ones below.

$ ssh-keygen -f "/home/foo/.ssh/known_hosts" -R "example.com"
$ ssh-keygen -f "/home/foo/.ssh/known_hosts" -R "11.22.33.44"
Model M

When equipped with a Model M keyboard, using a public key avoids broadcasting your password length to everyone within 300 yards.