Introduction
The IT Security Office recommends SSH servers be configured to accept SSH keys only (not passwords).
Instructions
Client Setup (Use a Unique Key for Each Client)
SSH key generation algorithm choices (the -t option of ssh-keygen):
- DSA: Not Recommended
- RSA with key size of at least 4096 bits: ssh-keygen -t rsa -b 4096
- ECDSA: Not Recommended
- ED25519: ssh-keygen -t ed25519
PS C:\Users\hokie> ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\hokie\.ssh\id_ed25519): C:\Users\hokie\.ssh\id_ed25519
Created directory 'C:\Users\hokie\.ssh'.
Enter passphrase (empty for no passphrase): [should meet or exceed the VT password complexity rules]
Enter same passphrase again:
Your identification has been saved in C:\Users\hokie\.ssh\id_ed25519.
Your public key has been saved in C:\Users\hokie\.ssh\id_ed25519.pub.
The key fingerprint is:
SHA256:HlbsdjZRTCRgdnIiXHcekCEtAuT3ggeee49apO3ueYg hokie@Client
The key's randomart image is:
+--[ED25519 256]--+
| .oo..OoBB* |
| . o=.Bo=.. |
| o ..o.. . |
| . = + . |
| + S + + |
| O + o . |
| o.=. |
| E+.+. |
| .+*.. |
+----[SHA256]-----+
Install the Public Key on the Server and Test
Copy id_ed25519.pub to the remote server as /home/hokie/.ssh/authorized_keys (if that file already holds other keys, append the contents of id_ed25519.pub instead of replacing it).
Change the file permissions on authorized_keys to 400 (only the user can read):
$ chmod 400 authorized_keys
PS C:\Users\hokie> ssh hokie@bird.feathers.vt.edu
Enter passphrase for key 'C:\Users\hokie\.ssh\id_ed25519':
hokie@bird:~$
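The key policy above and the authorized_keys step, as an added example in Python (not the ITSO's tooling): it reads the public-key wire format itself, so an RSA key's length is checked without calling ssh-keygen, and it appends an accepted key to authorized_keys with the permissions described above. sample_line builds constructed keys, and hokie@Client is a placeholder comment.

```python
import base64, os, struct   # added example, not the ITSO's tooling; sample keys are constructed

def _ssh_string(b):                      # SSH wire format: uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def check_key(line):
    """(accepted, reason) for one .pub line: ED25519 or RSA >= 4096; DSA/ECDSA rejected."""
    try:
        ktype, b64 = line.split()[:2]                    # ValueError if fewer fields
        blob = base64.b64decode(b64, validate=True)
        wire_type, off = _read_string(blob, 0)
        if wire_type != ktype.encode():
            return False, "type field does not match key blob"
        if ktype == "ssh-ed25519":
            return True, "ed25519"
        if ktype == "ssh-rsa":
            _, off = _read_string(blob, off)             # exponent e
            n, _ = _read_string(blob, off)               # modulus n (mpint)
            bits = int.from_bytes(n, "big").bit_length()
            return bits >= 4096, f"rsa {bits}"
    except (struct.error, ValueError):
        return False, "malformed or undecodable line"
    return False, f"{ktype} not recommended"             # ssh-dss, ecdsa-sha2-*

def install_key(line, ssh_dir):          # .ssh ends up 700, authorized_keys 400
    ok, why = check_key(line)
    if not ok:
        raise ValueError(why)
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                             # StrictModes rejects group/world-writable dirs
    path = os.path.join(ssh_dir, "authorized_keys")
    keys = open(path).read().splitlines() if os.path.exists(path) else []
    if line.strip() not in keys:                         # append, never overwrite
        keys.append(line.strip())
        if os.path.exists(path):
            os.chmod(path, 0o600)                        # a 400 file is not writable
        with open(path, "w") as f:
            f.write("\n".join(keys) + "\n")
    os.chmod(path, 0o400)
    return len(keys)

def sample_line(ktype, bits=4096):       # constructed keys for demonstration only
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    body = (_ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + n)
            if ktype == "ssh-rsa" else _ssh_string(b"\x42" * 32))
    return f"{ktype} {base64.b64encode(_ssh_string(ktype.encode()) + body).decode()} hokie@Client"
```

Running install_key twice with the same line leaves one copy of the key, and a rejected key (DSA, ECDSA, or RSA shorter than 4096 bits) raises ValueError with the reason.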
Jump Host Setup
Create a config file.
Use Notepad or WordPad to create C:\Users\hokie\.ssh\config:
# Public or accessible from off-campus
Host jump
    User hokie
    HostName jump.feathers.vt.edu
    PubkeyAuthentication yes
    IdentityFile C:\Users\hokie\.ssh\id_ed25519

# Internal host or campus-only access; ssh reaches it through the jump host above
Host internal
    User hokie
    HostName internal.co.feathers.vt.edu
    ProxyJump jump

# DynamicForward starts a SOCKS proxy on the client so a web browser can proxy
# connections through the jump host. The listener binds to the loopback address,
# so manually configure the browser to use SOCKS host 127.0.0.1, port 8080.
Host jumpproxy
    User hokie
    HostName jump.feathers.vt.edu
    PubkeyAuthentication yes
    IdentityFile C:\Users\hokie\.ssh\id_ed25519
    DynamicForward 8080
Connect to the internal host from the client (ProxyJump opens the connection through jump automatically):
ssh internal
Connect to the jump host with the jumpproxy alias to enable DynamicForward; the SOCKS proxy on port 8080 stays available only while this session is open:
ssh jumpproxy