Today I decided to harden my SSH server configuration and did the one thing you should never do: I logged out before testing the new configuration and promptly locked myself out. Don't be like me.
Here's what I wanted to do: Positron Security's SSH Configuration Auditor gave me a B+ grade and there were some suggestions. I had already implemented some of them because a long time ago I had followed a different SSH hardening guide.
The thing that broke my setup is that the new hardening guide specified the following:
RequiredRSASize 3072
The effect was that I could no longer log in:
alex@alexschroeder.ch: Permission denied (publickey).
That's because I have passwords disabled. You can only get in via public key. And my public key wasn't good enough: it has 2048 bits:
ssh-keygen -lf .ssh/id_rsa
2048 SHA256:************/****************************** alex@Megabombus.local (RSA)
So what I had to do:
That meant commenting these two in `/etc/ssh/sshd_config`:
PermitRootLogin prohibit-password
PasswordAuthentication no
Restarted `sshd` on the server:
systemctl restart sshd
I already had an `ed25519` identity:
ls .ssh/id*
.ssh/id_ed25519 .ssh/id_ed25519.pub .ssh/id_rsa .ssh/id_rsa.pub
I probably created them using the following:
ssh-keygen -t ed25519
I used `ssh-copy-id` to copy them to the server:
ssh-copy-id -i .ssh/id_ed25519 sibirocobombus
And I added the correct setting to my `.ssh/config`:
Host sibirocobombus
    HostName alexschroeder.ch
    Port 882
    User alex
    IdentityFile ~/.ssh/id_ed25519
I use the `ssh` config file all the time!
This allowed me to uncomment these two in `/etc/ssh/sshd_config` again:
PermitRootLogin prohibit-password
PasswordAuthentication no
I restarted `sshd` on the server:
systemctl restart sshd
Note to self: Should I ever need to check the server fingerprints, see ssh.
My `git` server needed the same public key in `/home/git/.ssh/authorized_keys`.
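The lockout above happens because `RequiredRSASize` is checked against every RSA key in `authorized_keys`, so the check a practitioner wants is to audit those keys *before* the directive goes in. The script below is an added example, not code from the original post: it parses `ssh-rsa` public-key lines in the SSH wire format (RFC 4251: a length-prefixed type string, then the exponent and modulus as mpints) and reports which keys a given `RequiredRSASize` would reject. The sample `authorized_keys` content is constructed for the example; the RSA moduli are synthetic numbers chosen only for their bit length, and the comments are invented.

```python
import base64
import struct

# ---- encoding helpers, used only to build the constructed sample keys ----

def _string(s: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(s)) + s

def _mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian two's complement, so a leading 0x00 is added
    when the top bit of a positive number is set (RFC 4251 section 5)."""
    if n == 0:
        return struct.pack(">I", 0)
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _string(b)

def make_rsa_pub_line(bits: int, comment: str) -> str:
    """Build an ssh-rsa line whose modulus has exactly `bits` bits.
    The modulus is synthetic (not a real RSA key); only its size matters here."""
    n = (1 << (bits - 1)) | 1
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def make_ed25519_pub_line(comment: str) -> str:
    """Build an ssh-ed25519 line with a synthetic 32-byte public key."""
    blob = _string(b"ssh-ed25519") + _string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample authorized_keys content (hypothetical comments).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    make_rsa_pub_line(2048, "alex@Megabombus.local"),
    make_rsa_pub_line(4096, "backup@example"),
    'no-pty,command="/usr/bin/git-shell" ' + make_ed25519_pub_line("git@example"),
])

# ---- the actual audit ----

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def _read_string(buf: bytes, off: int):
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length

def key_strength(line: str):
    """Return (keytype, bits, comment) for one authorized_keys or .pub line.
    bits is the RSA modulus size for ssh-rsa keys and None for other types.
    Leading authorized_keys options (e.g. no-pty,command=...) are skipped."""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok.startswith(KEY_TYPE_PREFIXES):
            keytype, b64 = tok, parts[i + 1]
            comment = " ".join(parts[i + 2:])
            break
    else:
        raise ValueError("no public key found on line")
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type in text does not match key blob")
    bits = None
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent, not needed
        n_bytes, off = _read_string(blob, off)     # modulus as mpint
        bits = int.from_bytes(n_bytes, "big").bit_length()
    return keytype, bits, comment

def audit(authorized_keys: str, required_rsa_size: int = 3072):
    """Return [(comment, keytype, bits, still_accepted)] for every key, where
    still_accepted is False for RSA keys sshd would reject under
    RequiredRSASize <required_rsa_size>. Non-RSA keys are unaffected."""
    results = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keytype, bits, comment = key_strength(line)
        accepted = keytype != "ssh-rsa" or bits >= required_rsa_size
        results.append((comment, keytype, bits, accepted))
    return results

if __name__ == "__main__":
    for comment, keytype, bits, ok in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{'OK    ' if ok else 'REJECT'} {keytype:12} {bits or '-':>5} {comment}")
```

Run it against `~/.ssh/authorized_keys` on the server (and `~/.ssh/id_rsa.pub` on the client) by reading the file into `audit()` instead of the sample; any `REJECT` line is a key that must be replaced before `RequiredRSASize 3072` is set. Two further habits avoid the lockout entirely: run `sshd -t` after editing `/etc/ssh/sshd_config` to catch syntax errors, and after `systemctl restart sshd` open a second session to confirm you can still log in while the first session stays open.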
#Administration