"New SSH Server" lockdown

Keeping password authentication enabled is not wise, but some servers must keep it for legacy clients that cannot use keys. If yours is one of them, be aware that it stays exposed to online password guessing, so apply the rest of this page all the more carefully.

Disable SSH password authentication on the servers you ((own)), but only after verifying that key-based login works for every account that needs it. In /etc/ssh/sshd_config the two most important lines should read as follows:

PubkeyAuthentication yes
# and
PasswordAuthentication no

ADMIN USER to Lock Down "NEW Servers" (OPTIONAL)

Advanced administrators who understand the risks may do the next (optional) step. It is intended for the senior server admin: if you are the admin responsible for the server and ((own)) it, then and ONLY then proceed, and do so with extreme caution.


**This next step should only be done on a server that has just been CREATED ("brand new"), because these changes will break things and lock people out for sure! Please SKIP this step if you are not sure, or if you are not the person responsible for the server.**

ssh user@IP_of_Your_Server

# This step is Optional and should ONLY be
# done by a Senior SERVER ADMIN that understands every change here...!
# Become ROOT user
$ sudo -i

# Create an ssh-users group. SSH logins will be restricted
# to members of this group.
$ groupadd --system ssh-users

# For each user that should be able to SSH into the system,
# add that user to the ssh-users group. Do this BEFORE the
# AllowGroups line below goes live: an empty group locks everyone out,
# so check each user's groups (the id command) before restarting sshd.
$ usermod -a -G ssh-users [username]


# Remove small Diffie-Hellman moduli. Field 5 is the group size; the stock file
# lists 2047, 3071, 4095, ... so ">= 3071" keeps the 3072-bit and larger groups.
# These groups are only used by the diffie-hellman-group-exchange-* kex methods,
# which the KexAlgorithms line below does not offer, so this is a safety net for
# the day someone re-enables them.
$ awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
$ mv /etc/ssh/moduli.safe /etc/ssh/moduli

# If this is a brand new server, regenerate the host keys: RSA at 4096 bits
# instead of the 3072-bit default. BE SURE it is a NEW SERVER: every existing
# client has the old key pinned in known_hosts and will refuse to connect with a
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, which is exactly what a
# man-in-the-middle attack looks like to them. Host keys are stored without a
# passphrase, so -N '' is required and -a 100 (passphrase KDF rounds) has no
# effect on them; -o selects the OpenSSH key format, the default since 7.8.
# ssh-keygen prints the fingerprint of each new key: record it, so clients can
# verify the new key out of band instead of blindly answering "yes".
$ ssh-keygen -t rsa -b 4096 -o -a 100 -N '' -f /etc/ssh/new_ssh_host_rsa_key
# Likewise for Ed25519 (elliptic curve)... only do this on a NEW SERVER
$ ssh-keygen -t ed25519 -o -a 100 -N '' -f /etc/ssh/new_ssh_host_ed25519_key

# Warning: IF you changed the keys in the previous step, you and EVERYONE who
# connects must remove the old entry from their known_hosts file and accept the
# new key (comparing its fingerprint with the one ssh-keygen printed above, not
# just answering yes). known_hosts stores the plain hostname when the port is
# the default 22 and "[host]:port" for any other port, so the removal must use
# the matching form or it silently finds nothing:
# ssh-keygen -R "SERVER_HOSTNAME_OR_IP"          # default port 22
# ssh-keygen -R "[SERVER_HOSTNAME_OR_IP]:2022"   # non-default port, e.g. 2022
# Repeat for the IP address if people also connect by IP. The file defaults to
# ~/.ssh/known_hosts; use -f to point at another one.

$ mv /etc/ssh/sshd_config /etc/ssh/sshd_config_ORIGINAL_$(date +"%Y-%m-%d-%H_%M_%S")
	
$ nano /etc/ssh/sshd_config
# ``` Begin Copy
# Change Port to 2022 or whatever you prefer; if you do, add the firewall rule for
# the new port BEFORE restarting sshd, and remember that clients then need the
# [host]:port form in known_hosts.
Port 22
#AddressFamily inet
#ListenAddress
# Protocol is ignored (and logged as a deprecated option) since OpenSSH 7.4 removed
# SSH-1; it is harmless here, drop it on current systems to keep the log clean.
Protocol 2

# If using NEW KEYS!:
HostKey /etc/ssh/new_ssh_host_ed25519_key
HostKey /etc/ssh/new_ssh_host_rsa_key

# if using OLD KEYS, uncomment these
#HostKey /etc/ssh/ssh_host_ed25519_key
#HostKey /etc/ssh/ssh_host_rsa_key

# ssh-rsa (SHA-1 signatures) is deliberately left out of both lists: OpenSSH 8.8+
# disables it by default and naming it here would re-enable it. Append it only
# for a legacy client that cannot do rsa-sha2-256/512. PubkeyAcceptedKeyTypes was
# renamed PubkeyAcceptedAlgorithms in OpenSSH 8.5; the old name still works.
HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

AuthorizedKeysFile %h/.ssh/authorized_keys

PermitRootLogin no
# prohibit-password would still let root in with a key; no is the strict choice

# Make sure ssh-users has members, otherwise everyone is locked out!!
AllowGroups ssh-users

SyslogFacility AUTHPRIV

# After 300 seconds without data from the client, sshd sends a keepalive probe;
# after ClientAliveCountMax (default 3) unanswered probes the connection is closed.
# This clears dead connections in about 15 minutes but does NOT log out an idle
# user whose client still answers the probes.
ClientAliveInterval 300

PubkeyAuthentication yes

# ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication in
# OpenSSH 8.7; the old name still works as an alias.
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no

# MaxAuthTries counts every key the client offers, so a user with several keys
# loaded in ssh-agent can exhaust 3 before the right one is tried ("Too many
# authentication failures"): use IdentitiesOnly=yes on the client, or raise this a little.
MaxAuthTries 3
LoginGraceTime 20

HostbasedAuthentication no
IgnoreRhosts yes

# DebianBanner exists only in the Debian/Ubuntu build of sshd. On any other
# distribution it is an unknown option and sshd refuses to start, so delete
# the line there.
DebianBanner no
# Note you should create a Welcome to system /etc/ssh/banner.txt file and 
# uncomment the next line with: Banner /etc/ssh/banner.txt
#Banner /etc/ssh/banner.txt

# UsePrivilegeSeparation is ignored (logged as deprecated) since OpenSSH 7.5,
# where privilege separation became mandatory; keep the line only for older servers.
UsePrivilegeSeparation sandbox
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
PermitOpen none
PermitTunnel no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
# The next line only matters if X11Forwarding is ever turned on; yes (the default)
# binds forwarded displays to the loopback interface, no exposes them on all interfaces.
X11UseLocalhost yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
# UseLogin was removed in OpenSSH 7.4 and is now a deprecated no-op
UseLogin no
PermitUserEnvironment no
# UsePAM no skips the PAM session and account modules (pam_limits, systemd-logind
# sessions, any PAM-based second factor); set it to yes if you depend on those.
# Keep comments on their own line: older sshd versions reject a comment after a
# value with "garbage at end of line".
UsePAM no

# Allow SFTP? If not, comment this Subsystem line out.
# The sh -c wrapper only exists to set the umask; sftp-server has a -u umask
# option that does the same without spawning a shell. The binary lives in
# /usr/libexec/openssh/ on RHEL-family systems.
# override default of no subsystems
Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
#Subsystem sftp  /usr/lib/openssh/sftp-server

#Match User git
#    AllowGroups *

# ``` End Copy
=======================Save and Exit (ctrl+x)
# Test the syntax first (sshd -t prints nothing when the file is valid; deprecated
# options show up as warnings), then dump the effective settings with sshd -T and
# read through them. You are already root here, so sudo is not needed.
$ sshd -t
$ sshd -T
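A syntax check does not tell you whether the file still says what this page intends. The following script is an added example, not part of the original page: audit_sshd reads an sshd_config, ignores everything from the first Match block on (those values are conditional, not server-wide), and prints one FAIL line per setting that contradicts the lockdown above or that current OpenSSH silently ignores. The two configurations it is run against are constructed for the demonstration; on a real server run it as audit_sshd /etc/ssh/sshd_config before the restart.

```shell
#!/bin/sh
# audit_sshd FILE: print "FAIL key: reason" for every weak, missing or deprecated
# global setting in an sshd_config; exit 1 if anything was found, 0 otherwise.
audit_sshd() {
    awk '
    function fail(k, msg) { printf "FAIL %s: %s\n", k, msg; n++ }
    function has_token(list, tok,    i, a) {      # exact comma-separated token match
        split(tolower(list), a, ",")
        for (i in a) if (a[i] == tok) return 1
        return 0
    }
    BEGIN {
        # Keywords that modern sshd logs as "Deprecated option" and ignores.
        dep["protocol"]               = "ignored since OpenSSH 7.4 (SSH-1 removed)"
        dep["useprivilegeseparation"] = "ignored since OpenSSH 7.5 (privsep always on)"
        dep["uselogin"]               = "removed in OpenSSH 7.4"
    }
    { sub(/\r$/, "") }                            # tolerate CRLF line endings
    /^[ \t]*#/ { next }                           # comment line
    NF == 0 { next }                              # blank line
    tolower($1) == "match" { exit }               # stop at the first Match block
    {
        key = tolower($1); seen[key] = tolower($2)
        if (key in dep) fail(key, dep[key])
        for (i = 3; i <= NF; i++)
            if ($i ~ /^#/) { fail(key, "comment after the value; older sshd fails with garbage at end of line"); break }
    }
    END {
        # Keywords whose built-in default is the unsafe value when absent.
        if (!("passwordauthentication" in seen) || seen["passwordauthentication"] != "no")
            fail("passwordauthentication", "must be no (default is yes)")
        if (!("permitrootlogin" in seen) || seen["permitrootlogin"] != "no")
            fail("permitrootlogin", "must be no (default prohibit-password still admits root with a key)")
        if (seen["pubkeyauthentication"] == "no")
            fail("pubkeyauthentication", "key login disabled, nothing but passwords is left")
        if (seen["permitemptypasswords"] == "yes")
            fail("permitemptypasswords", "accounts with empty passwords can log in")
        if (!("allowgroups" in seen) && !("allowusers" in seen))
            fail("allowgroups", "no AllowGroups/AllowUsers: every local account may log in")
        # SHA-1 and MD5 should stay off unless a legacy client forces the issue.
        if (has_token(seen["hostkeyalgorithms"], "ssh-rsa"))
            fail("hostkeyalgorithms", "ssh-rsa re-enables SHA-1 host key signatures")
        if (has_token(seen["pubkeyacceptedkeytypes"], "ssh-rsa") || has_token(seen["pubkeyacceptedalgorithms"], "ssh-rsa"))
            fail("pubkeyacceptedalgorithms", "ssh-rsa re-enables SHA-1 user key signatures")
        if (index(seen["kexalgorithms"], "sha1") || index(seen["macs"], "sha1") || index(seen["macs"], "md5"))
            fail("kexalgorithms/macs", "a SHA-1 or MD5 algorithm is still offered")
        exit (n > 0)
    }' "$1"
}

# audit_count FILE: number of findings, for scripting.
audit_count() { audit_sshd "$1" | wc -l | tr -d ' '; }

# Constructed sample inputs (not from any real server).
tmp=$(mktemp -d)
WEAK_CONF="$tmp/weak_sshd_config"
HARD_CONF="$tmp/hard_sshd_config"

cat >"$WEAK_CONF" <<'EOF'
Port 22
Protocol 2
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
MACs hmac-sha2-256,hmac-sha1
PermitRootLogin yes
UsePrivilegeSeparation sandbox
UsePAM no # comment after the value
Match User git
    PasswordAuthentication no
EOF

cat >"$HARD_CONF" <<'EOF'
Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PermitRootLogin no
AllowGroups ssh-users
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
# comments and blank lines are fine

UsePAM no
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $(basename "$f")"
    if audit_sshd "$f"; then echo "OK: no findings"; fi
done
```

Note that the PasswordAuthentication no under Match User git in the weak sample does not rescue it: the global value is still the default yes, which is exactly the kind of thing a quick grep gets wrong. The output of sshd -T can be piped through the same function (its keywords are lowercase, which the parser accepts), but -T resolves defaults and drops deprecated keywords and comments, so those two checks only work on the raw file.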

$ systemctl restart sshd.service
# On Debian/Ubuntu the unit is ssh.service (sshd.service is an alias for it).
# A restart does not kill the session you are in, so do not disconnect yet!
# Type exit to leave when done, but not yet!

Verify you're still able to connect

From another terminal window, check that you can connect with nothing but your key; if that works you may disconnect the original session. If the key lives on a YubiKey, unplug it and try to connect: the attempt must fail with "Permission denied (publickey)", which also confirms that no password fallback is left. Plug the YubiKey back in and try again: ssh should prompt for your user PIN and the key should light up for a touch; touch it and the login should succeed.
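Every client that had the old host key pinned now has to replace it, and the known_hosts port rule (plain hostname for port 22, [host]:port for anything else) is where people go wrong. The helpers below are an added example, not part of the original page: kh_token picks the right host field, kh_pin_line turns a copy of the server's new .pub file (obtained out of band, e.g. pasted from the console) into a known_hosts line so the first connection neither warns nor asks the trust-on-first-use question, and kh_rotate does the swap in a known_hosts file. The sample .pub file is constructed for the demonstration and does not contain a real key.

```shell
#!/bin/sh
# Client-side helpers for a server whose SSH host key was regenerated.
# known_hosts names a host as "host" when the port is the default 22 and as
# "[host]:port" otherwise; a removal or a pin in the wrong form silently misses
# the entry, which is how the old key survives on a client.

# kh_token HOST PORT: the host field known_hosts uses for this endpoint.
kh_token() {
    if [ "$2" = "22" ]; then
        printf '%s\n' "$1"
    else
        printf '[%s]:%s\n' "$1" "$2"
    fi
}

# kh_pin_line HOST PORT PUBKEY_FILE: the known_hosts line that pins the key in
# PUBKEY_FILE (a copy of the server's /etc/ssh/...key.pub obtained out of band)
# for HOST:PORT. Only "type base64" is kept; the key comment is dropped.
kh_pin_line() {
    printf '%s %s\n' "$(kh_token "$1" "$2")" "$(awk '{print $1, $2; exit}' "$3")"
}

# kh_rotate HOST PORT PUBKEY_FILE [KNOWN_HOSTS]: remove every entry for the
# endpoint and append the pinned line. ssh-keygen -R does the removal because
# it also matches hashed entries (HashKnownHosts yes), which grep cannot.
kh_rotate() {
    kh=${4:-"$HOME/.ssh/known_hosts"}
    ssh-keygen -f "$kh" -R "$(kh_token "$1" "$2")" >/dev/null
    kh_pin_line "$1" "$2" "$3" >>"$kh"
}

# Constructed demo input: a file in .pub layout, not a real key.
SAMPLE_PUB=$(mktemp)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0000000000 root@newserver' >"$SAMPLE_PUB"

echo "default port: $(kh_token newserver.example 22)"
echo "custom port:  $(kh_token newserver.example 2022)"
echo "pin line:     $(kh_pin_line newserver.example 2022 "$SAMPLE_PUB")"
```

Pinning from the distributed .pub file is the point of kh_pin_line: the alternative, deleting the entry and answering "yes" at the next prompt, trusts whatever key the network presents, which is the attack the warning exists to catch.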