SSH is an extremely useful tool, worth an entire page on the various ways to use it.
- Always disable password authentication and use SSH Keys instead
- Ensure your SSH server config is modified to be secure (See Mozilla’s Guide)
- Disable login as root (which requires adding a user to log in as)
- Disable weak ciphers and the like
- Disable all logins via password
- Disable features which will not be used
- For cloud deployments it's best to create a single public host (a bastion) and have all internal hosts accept SSH connections only from that host
- SSH supports "jumping" through one host to reach another, avoiding the need to copy keys, forward agents, etc.
- You will still want to harden that host against attack with iptables
- You may prefer no public SSH connections and to simply use web consoles (AWS, Digital Ocean, Fly.io, etc.) to reconfigure a VPN like Wireguard if it ever goes down.
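As an added example (not from the original page), the following shell script checks an sshd_config against the points in the list above: password logins, keyboard-interactive (which PAM can turn into a password prompt), root login, and an unused feature. It assumes stock OpenSSH defaults for anything left unset, no Include directives, and it only looks at directives before the first Match block, since sshd honours the first occurrence of each keyword.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config against the
# checklist above. Assumptions: stock OpenSSH defaults for anything unset
# (PasswordAuthentication yes, KbdInteractiveAuthentication yes,
# PermitRootLogin prohibit-password, X11Forwarding no), no Include directives,
# and only directives before the first Match block are considered, because
# sshd honours the first occurrence of each keyword.

# sshd_get FILE KEYWORD DEFAULT -> prints the effective global value of KEYWORD
sshd_get() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }           # skip comments and blank lines
        tolower($1) == "match"      { exit }           # stop at the first Match block
        tolower($1) == tolower(k)   { print $2; exit } # first occurrence wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE -> returns 0 when every check passes, 1 otherwise,
# printing one FINDING line per failed check
audit_sshd_config() {
    cfg=$1
    findings=0
    # check KEYWORD DEFAULT EXPECTED WHY
    check() {
        got=$(sshd_get "$cfg" "$1" "$2" | tr 'A-Z' 'a-z')
        if [ "$got" != "$3" ]; then
            echo "FINDING: $1 is '$got', want '$3': $4"
            findings=$((findings + 1))
        fi
    }
    check PasswordAuthentication       yes               no  "password logins allowed; use keys"
    # On OpenSSH older than 8.7 this keyword is spelled ChallengeResponseAuthentication.
    check KbdInteractiveAuthentication yes               no  "PAM can still prompt for a password via keyboard-interactive"
    check PermitRootLogin              prohibit-password no  "log in as an unprivileged user instead of root"
    check PubkeyAuthentication         yes               yes "key auth must stay on or you lock yourself out"
    check X11Forwarding                no                no  "unused feature should stay disabled"
    [ "$findings" -eq 0 ]
}

# Demo on two constructed configs (not real server files)
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
# distro-style default: almost everything left unset
Port 22
PermitRootLogin yes
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
X11Forwarding no
EOF
echo "== weak.conf";     audit_sshd_config "$demo_dir/weak.conf"     || echo "-> weak.conf needs work"
echo "== hardened.conf"; audit_sshd_config "$demo_dir/hardened.conf" && echo "-> hardened.conf is clean"
rm -rf "$demo_dir"
```

Run it after editing the file and before restarting sshd; `sshd -t` still does the syntax check, this script only covers the policy points above.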
On iOS and macOS devices with a Secure Enclave you can generate keys that never leave the device. This is a useful security property if that device is stolen or falls out of use.
When adding SSH keys somewhere it's good to add several, one per device, and those are easy to fetch from GitHub, where you have likely already added your keys: just visit your profile URL with .keys appended. You can technically do this for anyone's profile on GitHub.
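Since anything fetched from that URL ends up in authorized_keys, it is worth validating each line before appending it. The script below is an added example, not part of the original page: it pulls https://github.com/<user>.keys, accepts only the key types listed, and checks that the base64 blob really encodes the type it is labelled with (the SSH wire format starts with a length-prefixed copy of the type name, which is the same check ssh-keygen does). It assumes GNU coreutils `base64 -d`; the sample key in the demo is a constructed dummy, not a real key.

```shell
#!/bin/sh
# Added example, not from the original page: pull a GitHub user's public keys
# from https://github.com/<user>.keys and append only the lines that parse as
# an accepted key type whose blob really encodes that type.
# Assumes GNU coreutils `base64 -d` (macOS spells it `base64 -D`).

ALLOWED_KEY_TYPES="ssh-ed25519 sk-ssh-ed25519@openssh.com ecdsa-sha2-nistp256 sk-ecdsa-sha2-nistp256@openssh.com ssh-rsa"

# valid_authorized_key "TYPE BLOB [COMMENT]" -> 0 if the line is acceptable
valid_authorized_key() {
    set -- $1                     # split the line into type / blob / comment
    type=$1; blob=$2
    [ -n "$blob" ] || return 1    # need at least a type and a blob
    case " $ALLOWED_KEY_TYPES " in
        *" $type "*) ;;           # accepted type
        *) return 1 ;;            # e.g. ssh-dss, or an unexpected options= prefix
    esac
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    # The wire format starts with a 4-byte length followed by the type name,
    # so a blob labelled ssh-ed25519 must decode to "\0\0\0\13ssh-ed25519...".
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c $((4 + ${#type})) | tail -c ${#type})
    [ "$embedded" = "$type" ]
}

# filter_keys FILE TAG -> prints accepted keys, re-commented with TAG so a
# later audit of authorized_keys shows where each entry came from
filter_keys() {
    file=$1; tag=$2
    while IFS= read -r line || [ -n "$line" ]; do
        if valid_authorized_key "$line"; then
            set -- $line
            printf '%s %s %s\n' "$1" "$2" "$tag"
        else
            echo "rejected: ${line%% *} ..." >&2
        fi
    done < "$file"
}

# import_github_keys USER [AUTHORIZED_KEYS] -> appends accepted keys to the file.
# The .keys endpoint is public, so double-check USER is the account you mean.
import_github_keys() {
    user=$1; dest=${2:-$HOME/.ssh/authorized_keys}
    tmp=$(mktemp)
    curl -fsSL "https://github.com/$user.keys" > "$tmp" || { rm -f "$tmp"; return 1; }
    filter_keys "$tmp" "github:$user" >> "$dest"
    rm -f "$tmp"
}

# Demo on constructed input only (no network). The ed25519 blob below is a
# structurally valid dummy whose 32 key bytes are all zero.
A10=AAAAAAAAAA
DUMMY_ED25519="AAAAC3NzaC1lZDI1NTE5AAAAI${A10}${A10}${A10}${A10}AAA"
sample=$(mktemp)
printf '%s\n' "ssh-ed25519 $DUMMY_ED25519" \
               "ssh-rsa $DUMMY_ED25519" \
               "ssh-dss AAAAB3NzaC1kc3MAAACBAP" > "$sample"
echo "accepted keys:"
filter_keys "$sample" github:alice
rm -f "$sample"
```

Of the three constructed lines only the first is accepted: the second is an ed25519 blob mislabelled as ssh-rsa, and the third is a DSA key, which is not in the allowed list.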
For generating and using the keys I've long used sekey, but it hasn't gotten the attention I'd hoped for. I've switched to secretive, which is written in Swift and gets more regular attention.
Notice: the creator of yubikey-agent, FiloSottile, notes on the repo that YubiKeys have a better security history than the Secure Enclave and may be more secure.
This trick lets you SSH in to a server and then scp files back to your local machine interactively, without making your local machine directly reachable from the internet.
This requires either the key on the server, or some key in your agent, to be authorized to connect to your local computer. I will just assume you want to reuse the key you're already using to connect to the server.
- Add the key you're using to your server's `$HOME/.ssh/authorized_keys` and also to the same file on your local machine
- Ensure your key is added to your agent
- SSH with a reverse tunnel: `ssh -A -R 8022:localhost:22 example.com`
- This creates a tunnel to your local device's port 22, which the remote host can reach on its own port 8022
- This also forwards your agent to the remote host, so it has access to your keys
- Do not do this with someone's random server, only on servers you trust: it lets them use your keys
- On the remote host you can now run `scp -P 8022 /path/to/file/remotely.tar.gz chris@localhost:/tmp/`
- Port 8022 is local to the server, so we tell scp the host is localhost but use port 8022, which goes back through the tunnel to our local machine
- The local user is probably different, so you need to give scp your actual local username and the destination path, as usual with scp
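The whole procedure, as an added example that is not part of the original page: the local side opens the tunnel and the remote side pulls the file. Because `-A` hands the server the use of your key, the example also builds the local authorized_keys entry with `from="127.0.0.1,::1",restrict`, so that key can only reach your local sshd via the loopback end of the tunnel (the connection arrives from the local ssh client, so its source is loopback) and gets no pty or forwarding there. Assumed names: example.com as the server, chris as the local user, port 8022; the key line in the demo is a constructed dummy. `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original page: the reverse-tunnel pull described
# above, with the local authorized_keys entry restricted so the key the server
# can now use (via -A) only reaches the local sshd through the tunnel.
# Assumed names: example.com (server), chris (local user), port 8022.

# restricted_tunnel_key "TYPE BLOB [COMMENT]" -> same key with options that
# confine it to connections arriving on loopback. `restrict` disables pty,
# port/agent/X11 forwarding and user rc; scp's sink command still runs,
# which is all this trick needs.
restricted_tunnel_key() {
    set -- $1
    [ -n "$2" ] || return 1
    printf 'from="127.0.0.1,::1",restrict %s\n' "$*"
}

# agent_has_key PUBKEY_FILE -> 0 if ssh-agent currently holds that key
# (ssh-add -l and ssh-keygen -lf both print the SHA256 fingerprint in field 2)
agent_has_key() {
    fp=$(ssh-keygen -lf "$1" | awk '{print $2}')
    ssh-add -l 2>/dev/null | grep -Fq "$fp"
}

# Local side: open the session with the reverse tunnel and agent forwarding.
# Arguments are expanded unquoted, so paths with spaces are not supported.
open_reverse_tunnel() {  # open_reverse_tunnel SERVER [REMOTE_PORT]
    server=$1; rport=${2:-8022}
    cmd="ssh -A -R $rport:localhost:22 $server"
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$cmd"; else $cmd; fi
}

# Remote side (run on the server once the tunnel is up): copy FILE back to the
# local machine at LOCAL_DEST, logging in as LOCAL_USER through the tunnel port.
pull_to_local() {  # pull_to_local FILE LOCAL_USER LOCAL_DEST [REMOTE_PORT]
    cmd="scp -P ${4:-8022} $1 $2@localhost:$3"
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$cmd"; else $cmd; fi
}

# Demo with constructed input only (no network, no real key)
echo "local authorized_keys line:"
restricted_tunnel_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEY chris@laptop"
echo "on the laptop:"
DRY_RUN=1 open_reverse_tunnel example.com
echo "then on example.com:"
DRY_RUN=1 pull_to_local /path/to/file/remotely.tar.gz chris /tmp/
```

In real use, call `agent_has_key ~/.ssh/id_ed25519.pub` before opening the tunnel: if the key is not loaded, the scp on the remote side will fail to authenticate back to your machine.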
OpenSSH supports SSH certificates: one SSH key (the CA) signs other keys, and servers grant access based on that signature.
All the keys are simply SSH keys. I recommend keeping the key that signs your other keys inside some secure enclave like a YubiKey or AWS KMS.
- Good video explaining SSH Certificates and why to use them: “Zero Trust SSH” - Jeremy Scott (LCA 2020) [YouTube]
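A minimal certificate flow with ssh-keygen, as an added example that is not from the original page: generate a CA, sign a user key with a principal and a short validity window, read the principals and Key ID back, and point sshd at the CA. The CA private key is written to disk here only to keep the demo self-contained; as the text says, it belongs in a YubiKey or KMS and the signing step runs there. The names user_ca, alice and alice-laptop are assumed. The Key ID matters for detection: sshd writes it to the auth log on every certificate login, so access is attributable per person and device even though the server never saw the individual key.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal SSH certificate flow.
# The CA key is generated on disk only to make the demo self-contained; in
# real use it lives in a YubiKey or KMS and signing happens there.
# Assumed names: user_ca, alice, alice-laptop.

# cert_principals CERT_FILE -> prints the principals the certificate is valid for
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^ *Principals:/       { p = 1; next }
        /^ *Critical Options:/ { p = 0 }
        p && NF                { print $1 }'
}

# cert_key_id CERT_FILE -> the Key ID, which sshd logs on every login
cert_key_id() {
    ssh-keygen -L -f "$1" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'
}

# issue_user_cert CA_KEY USER_PUBKEY KEY_ID PRINCIPAL VALIDITY -> prints cert path
# Short validity windows (hours, not years) stand in for revocation lists.
issue_user_cert() {
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" "$2"
    printf '%s\n' "${2%.pub}-cert.pub"
}

# Demo with constructed keys in a temp dir (nothing real, all deleted after)
demo() {
    d=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C 'user CA' -f "$d/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$d/alice"
    cert=$(issue_user_cert "$d/user_ca" "$d/alice.pub" alice-laptop alice +8h)
    echo "principals: $(cert_principals "$cert")"
    echo "key id:     $(cert_key_id "$cert")"
    # Server side: trust the CA public key instead of listing individual keys.
    echo "sshd_config line: TrustedUserCAKeys /etc/ssh/user_ca.pub   (copy of $d/user_ca.pub)"
    rm -rf "$d"
}
command -v ssh-keygen >/dev/null 2>&1 && demo
```

With `TrustedUserCAKeys` in place, the server accepts alice's key only while the certificate is valid and only for the principal `alice`; the per-user authorized_keys file is no longer needed for that login.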