The IT Security Office recommends SSH servers be configured to accept SSH keys only (not passwords).
SSH Key creation / generation algorithm choices:
hokie@Client:~$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/hokie/.ssh/id_ed25519): /home/hokie/.ssh/gobbler
Created directory '/home/hokie/.ssh'.
Enter passphrase (empty for no passphrase): [should meet or exceed the VT password complexity rules]
Enter same passphrase again:
Your identification has been saved in /home/hokie/.ssh/gobbler.
Your public key has been saved in /home/hokie/.ssh/gobbler.pub.
The key fingerprint is:
SHA256:HlbsdjZRTCRgdnIiXHcekCEtAuT3ggeee49apO3ueYg hokie@Client
The key's randomart image is:
+--[ED25519 256]--+
| .oo..OoBB* |
| . o=.Bo=.. |
| o ..o.. . |
| . = + . |
| + S + + |
| O + o . |
| o.=. |
| E+.+. |
| .+*.. |
+----[SHA256]-----+
hokie@Client:~$ ssh-copy-id -i ~/.ssh/gobbler.pub hokie@bird.feathers.vt.edu
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/hokie/.ssh/gobbler.pub"
ECDSA key fingerprint is SHA256:SzIW+1JrcTtS4HnRiOtCbpnf3+LbsE44i5uEcprmwLQ.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
hokie@bird.feathers.vt.edu's password:
Number of key(s) added: 1
Open two connections to the remote server. Use one to make the configuration changes and keep the other open as a way to recover from a misconfiguration.
Add SSH banner text
sudo vi /etc/ssh/sshd_banner
---
Notice!!!
Access to computer systems and networks owned or operated by Virginia Tech is governed by VT Policy 7000 'Acceptable Use of and Administration of Computer and Communication Systems' as well as other University policies. Usage may be monitored, recorded and subject to audit. Unauthorized use is prohibited and may be subject to criminal and/or civil penalties. Use of this system indicates consent to monitoring and recording.
---
Edit sshd_config to enable PubkeyAuthentication by setting the following options.
sudo vi /etc/ssh/sshd_config
StrictModes yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
Banner /etc/ssh/sshd_banner
Restart SSH service
Ubuntu: sudo systemctl restart ssh
CentOS/RedHat/Fedora: sudo systemctl restart sshd
Test for connectivity and proper function.
ssh -i ~/.ssh/gobbler bird.feathers.vt.edu
---
Notice!!!
Access to computer systems and networks owned or operated by Virginia Tech is governed by VT Policy 7000 'Acceptable Use of and Administration of Computer and Communication Systems' as well as other University policies. Usage may be monitored, recorded and subject to audit. Unauthorized use is prohibited and may be subject to criminal and/or civil penalties. Use of this system indicates consent to monitoring and recording.
---
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-50-generic x86_64)
Edit sshd_config to disable PasswordAuthentication by setting the following option.
sudo vi /etc/ssh/sshd_config
PasswordAuthentication no
Restart SSH service
Ubuntu: sudo systemctl restart ssh
CentOS/RedHat/Fedora: sudo systemctl restart sshd
Test for connectivity and proper function.
hokie@Client:~$ ssh -o PubkeyAuthentication=no bird.feathers.vt.edu
---
Notice!!!
Access to computer systems and networks owned or operated by Virginia Tech is governed by VT Policy 7000 'Acceptable Use of and Administration of Computer and Communication Systems' as well as other University policies. Usage may be monitored, recorded and subject to audit. Unauthorized use is prohibited and may be subject to criminal and/or civil penalties. Use of this system indicates consent to monitoring and recording.
---
hokie@bird.feathers.vt.edu: Permission denied (publickey).
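To confirm the server ends up with every setting this guide changes, here is an added shell check (not part of the original page) that reads `sshd -T` output from stdin and reports any deviation. The two sample dumps are constructed, not captured from a real host, and the kbdinteractiveauthentication alternative assumes the keyword rename in OpenSSH 8.7 and later.

```shell
# check_sshd_settings: compare the effective sshd configuration, as printed by
# `sshd -T` (one lowercase "keyword value" per line, read from stdin), with the
# settings this guide sets. Prints one line per deviation; exits 0 when all match.
# Usage on the server:  sudo sshd -T | check_sshd_settings
check_sshd_settings() {
    # Alternatives separated by '|' cover the assumed OpenSSH 8.7+ rename of
    # ChallengeResponseAuthentication to kbdinteractiveauthentication.
    expected='pubkeyauthentication=yes
passwordauthentication=no
challengeresponseauthentication|kbdinteractiveauthentication=no
permitrootlogin=no
strictmodes=yes
banner=/etc/ssh/sshd_banner'
    dump=$(cat)          # slurp stdin once so each lookup can re-scan it
    status=0
    while IFS='=' read -r keys want; do
        have=$(printf '%s\n' "$dump" |
            awk -v k="|$keys|" 'index(k, "|" $1 "|") { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s (expected %s)\n' "$keys" "$want"
            status=1
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s is %s (expected %s)\n' "$keys" "$have" "$want"
            status=1
        fi
    done <<EOF
$expected
EOF
    return "$status"
}

# Constructed sample dumps (not from a real host): SAMPLE_BEFORE is the state after
# the first sshd_config edit, SAMPLE_AFTER the state once passwords are disabled.
SAMPLE_BEFORE='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitrootlogin no
strictmodes yes
banner /etc/ssh/sshd_banner'
SAMPLE_AFTER='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
strictmodes yes
banner /etc/ssh/sshd_banner'

printf '%s\n' "$SAMPLE_BEFORE" | check_sshd_settings || echo 'deviations found'
printf '%s\n' "$SAMPLE_AFTER" | check_sshd_settings && echo 'all expected settings present'
```

Run it on the second (recovery) connection after each restart; a MISSING line usually means the option was added under a Match block or the daemon was not restarted.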
Create a config file.
vi ~/.ssh/config
# Public or accessible from off-campus
Host jump
User hokie
HostName jump.feathers.vt.edu
PubkeyAuthentication yes
IdentityFile ~/.ssh/id_ed25519
# Internal host or campus-only access
Host internal
User hokie
HostName internal.co.feathers.vt.edu
ProxyJump jump
# Configure DynamicForward or SOCKS host to use with a web browser to proxy connections through the jump host.
# Manually configure the browser on the client to point to SOCKS host 127.0.0.1 port 8080.
Host jumpproxy
User hokie
HostName jump.feathers.vt.edu
PubkeyAuthentication yes
IdentityFile ~/.ssh/id_ed25519
DynamicForward 8080
Connect to the internal host from the client.
ssh internal
Connect to the jump host to enable the DynamicForward (SOCKS) listener.
ssh jumpproxy