"New SSH Server" lockdown
Leaving password authentication enabled is not wise; however, some servers must keep passwords for legacy purposes. So beware...
Disable SSH password authentication on the servers you ((own)) after verifying everything is working. In the /etc/ssh/sshd_config file the two most important lines should read as follows:

```
PubkeyAuthentication yes
PasswordAuthentication no
```
ADMIN USER to Lock Down "NEW Servers" (OPTIONAL)
Advanced/Expert Administrator Users who understand the risks may do the next (optional) step, which is intended for the Senior SERVER ADMIN. So if you are the admin responsible for the server and ((own)) it, then and ONLY then proceed, and do so with extreme caution.
**This next step should only be done on a server that has just been CREATED "brand new" as these changes will break things and lock people out for sure!!! So please SKIP this Step if not sure, or if you are not the person responsible for the server, etc...**
This step is optional and should ONLY be done by a Senior SERVER ADMIN who understands every change here...!

```bash
# Become the ROOT user
$ sudo -i

# Create an ssh-users group. SSH logins will be restricted
# to members of this group.
$ groupadd --system ssh-users

# For each user that should be able to SSH into the system,
# add that user to the ssh-users group.
$ usermod -a -G ssh-users [username]

# Remove small Diffie-Hellman moduli (the size field in this file is bits-1,
# so ">= 3071" keeps the 3072-bit and larger groups):
$ awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
$ mv /etc/ssh/moduli.safe /etc/ssh/moduli

# If this is a brand new server, let's regenerate the default
# RSA host key at 4096 bits instead of 3072 bits. BE SURE it's a NEW SERVER, as
# old clients WILL think the new key is a "man-in-the-middle" attack...
$ ssh-keygen -t rsa -b 4096 -o -a 100 -N '' -f /etc/ssh/new_ssh_host_rsa_key

# Likewise for Ed25519 (elliptic curve)... only do this on a NEW SERVER
$ ssh-keygen -t ed25519 -o -a 100 -N '' -f /etc/ssh/new_ssh_host_ed25519_key

# Warning: you AND EVERYONE who needs to connect
# must update their known_hosts file
# IF you changed KEYS in the previous step!
```
Note: 22 is the default SSH port. So all people who wish to re-connect must first remove the old host key from their known_hosts file with the following command (on the default port the entry is stored as the plain host name; on a non-default port it is stored as `[HOSTNAME]:PORT`, so pass that form to `-R` instead):

```bash
$ ssh-keygen -f "/home/$USER/.ssh/known_hosts" -R "SERVER DOMAIN/HOSTNAME/IP"
```

Then move the original configuration aside and create the new one:

```bash
$ mv /etc/ssh/sshd_config /etc/ssh/sshd_config_ORIGINAL_$(date +"%Y-%m-%d-%H_%M_%S")
$ nano /etc/ssh/sshd_config
```

Begin Copy (note that sshd does not support trailing comments on a directive line; every comment below is on its own line):

```
# Change the port to 2022 or whatever; make sure you set up a firewall rule for it
Port 22
#AddressFamily inet
#ListenAddress
Protocol 2

# If using NEW KEYS!:
HostKey /etc/ssh/new_ssh_host_ed25519_key
HostKey /etc/ssh/new_ssh_host_rsa_key
# If using OLD KEYS, uncomment these instead
#HostKey /etc/ssh/ssh_host_ed25519_key
#HostKey /etc/ssh/ssh_host_rsa_key

HostKeyAlgorithms email@example.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
PubkeyAcceptedKeyTypes firstname.lastname@example.org,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
KexAlgorithms curve25519-sha256,email@example.com,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
Ciphers firstname.lastname@example.org,email@example.com,firstname.lastname@example.org,aes256-ctr,aes192-ctr,aes128-ctr
MACs email@example.com,firstname.lastname@example.org,hmac-sha2-512,hmac-sha2-256

AuthorizedKeysFile %h/.ssh/authorized_keys
# Alternative value: prohibit-password
PermitRootLogin no
# Make sure you have group members in ssh-users, otherwise everyone is locked out!!
AllowGroups ssh-users
SyslogFacility AUTHPRIV

# SSH session will be dropped if no activity is registered after 300 seconds.
ClientAliveInterval 300
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 20
HostbasedAuthentication no
IgnoreRhosts yes

# DebianBanner no - should be set on Ubuntu and Debian servers only
DebianBanner no
# Note: you should create a "Welcome to system" /etc/ssh/banner.txt file and
# uncomment the next line with: Banner /etc/ssh/banner.txt
#Banner /etc/ssh/banner.txt

# UsePrivilegeSeparation sandbox - if supported!
UsePrivilegeSeparation sandbox
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
PermitOpen none
PermitTunnel no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
PermitUserEnvironment no
# Sometimes you may want this to be yes; it depends on the plugins you may have
UsePAM no

# Allow SFTP? If not, comment this Subsystem sftp line out
# override default of no subsystems
Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server'
#Subsystem sftp /usr/lib/openssh/sftp-server

#Match User git
#    AllowGroups *
```

End Copy. Save and exit (Ctrl+X).

```bash
# Check for deprecated options and test your configuration syntax
# (sshd -T validates the file and prints the effective configuration):
$ sudo sshd -T
$ sudo systemctl restart sshd.service
# Do not disconnect yet! Type exit to exit when done, but not yet!
```
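The following is an added example, not part of the original guide: a pre-flight checker for a candidate sshd_config (and for the filtered moduli file) that runs before the file is moved into place and sshd is restarted. It only reads the file text, so it works without a live sshd and catches the lock-out mistakes named above: password authentication left on, `ssh-users` missing from `AllowGroups`, and trailing `# ...` comments on directive lines, which sshd does not treat as comments. The function and file names are my own; `sshd -T` remains the authoritative check once the file is in place.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for a
# candidate sshd_config before it replaces the live one.
# Assumptions: POSIX sh with awk; the candidate file path is passed as $1.

# Print the effective value of a directive. sshd honours the FIRST occurrence
# of a keyword outside Match blocks, and keywords are case-insensitive.
sshd_conf_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { inmatch = 1 }          # stop at first Match block
        inmatch { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Count moduli lines the guide's filter would drop. The size field is bits-1,
# so 3071 means a 3072-bit group; after filtering this should print 0.
weak_moduli_count() {
    awk '!/^#/ && NF >= 5 && $5 < 3071 { n++ } END { print n + 0 }' "$1"
}

# Check the lockdown invariants. Prints each failure; returns 0 only if all hold.
check_lockdown() {
    f="$1"; rc=0
    for want in "PasswordAuthentication no" "PubkeyAuthentication yes" \
                "PermitRootLogin no" "PermitEmptyPasswords no"; do
        key=${want% *}; val=${want#* }
        got=$(sshd_conf_get "$f" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$val'"; rc=1
        fi
    done
    # Without ssh-users in AllowGroups (and members in that group) everyone is locked out.
    case " $(sshd_conf_get "$f" AllowGroups) " in
        *" ssh-users "*) ;;
        *) echo "FAIL: AllowGroups does not list ssh-users"; rc=1 ;;
    esac
    # sshd has no inline comments: "PermitRootLogin no # note" is rejected by
    # current releases ("garbage at end of line") and misread by older ones.
    bad=$(awk '!/^[[:space:]]*#/ && /[^[:space:]][^#]*#/ { print NR ": " $0 }' "$f")
    if [ -n "$bad" ]; then
        echo "FAIL: trailing comment on a directive line:"; echo "$bad"; rc=1
    fi
    return $rc
}

# Usage: sh sshd_preflight.sh /path/to/candidate/sshd_config
if [ $# -eq 1 ]; then
    check_lockdown "$1"
fi
```

Run it against the file you are about to install (not the live one) and only proceed to `sshd -T` and the restart when it prints nothing and exits 0; it does not check that `ssh-users` actually has members, so confirm that separately with `getent group ssh-users`.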
Verify you're still able to connect
From another terminal window, check and verify that you can connect using just the public key; if it works, then you may disconnect the original session. To test it: unplug your YubiKey and attempt to connect; it should fail with: Permission denied (publickey). Now plug the YubiKey in and try again; it should prompt for your user PIN and light up to be touched. Touch it, and it should connect now.
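As an added example that is not part of the original guide, the manual check above can be complemented from any client with a one-function script that asks the server for password or keyboard-interactive authentication in batch mode. Batch mode cannot prompt, so the connection fails and the `Permission denied (...)` message lists exactly the methods the server still allows; a locked-down server answers with `(publickey)` alone. It assumes an OpenSSH client on the path; the function name and the host/port arguments are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm from a client that the
# server offers ONLY public-key authentication. Assumes the OpenSSH client;
# host is $1, port is $2 (default 22).
verify_pubkey_only() {
    host="$1"; port="${2:-22}"
    # Disable our own key and ask only for the methods that should be off.
    if out=$(ssh -p "$port" -o BatchMode=yes -o ConnectTimeout=10 \
                 -o PubkeyAuthentication=no \
                 -o PreferredAuthentications=password,keyboard-interactive \
                 "$host" true 2>&1); then
        echo "FAIL: logged in without a public key"; return 1
    fi
    case "$out" in
        *"Permission denied (publickey)."*)
            echo "OK: server offers publickey only"; return 0 ;;
        *"Permission denied ("*)
            echo "FAIL: server still offers other methods: $out"; return 1 ;;
        *)
            echo "FAIL: could not evaluate the answer: $out"; return 1 ;;
    esac
}

# Usage: sh verify_pubkey_only.sh SERVER [PORT]
if [ $# -ge 1 ]; then
    verify_pubkey_only "$@"
fi
```

A `FAIL` that quotes `(publickey,password)` means `PasswordAuthentication no` is not in effect (check for a later `Match` block or a second config file that overrides it); a network or host-key error is reported as "could not evaluate" rather than as a pass.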