SSH with U2F (i.e. YubiKey)

1. NEVER USER PASSWORDS, ALWAYS USE KEYS
2. Use 2FA to protect your Private Keys -> U2F i.e. Yubikey, Flipper Zero

---

YubiKey TLDR

cd ~/.ssh
ssh-keygen -t ed25519-sk # most secure `-sk` means hardware key
# add email identifier `-C "[email protected]"`

# Setup Client (where you want to connect from)

## Generate ssh keys backed up by hardware key U2F

Traditionally we would generate ssh keys using `ssh-keygen ` and then copy the public key to the server. For example:
```sh
ssh-keygen -t ed25519 # ed25519 is  most secure algorythm atm # tip: cd into ~/.ssh dir before running this
# or
ssh-keygen -t ecdsa # less secure

This is not secure as the private key is stored on the client and if the client is compromised then the attacker can use the private key to connect to the server.

To mitigate this we can use a hardware key to store the private key. Hardware kyes are supported by OpenSSH 8.2 and above.

There are two types of ssh keys

• Discoverable(aka resident keys) (less secure) - the private key is stored on the hardware key and is always available
• Non-Discoverable (more secure) - the private key is stored on the hardware key but is not always available. The private key is only available when the hardware key is plugged in.

Using Yubikey

cd ~/.ssh
ssh-keygen -t ed25519-sk # most secure 

-sk means hardware key

Using Flipper Zero (not secure, as private key can be extracted)

Flipper Zero supports only ecdsa-sk

Links & Resources

1. Official YubiCo tutorial
2. Linux tutorial
3. Mac tutorial tackling issues with Apple SSH agent

Setup Server

(where you want to connect to)

Install Linux

sudo apt-get install openssh-server

sudo service ssh start
# below might be required
# sudo systemctl enable ssh

Authorize Keys

mkdir .ssh
chmod 700 .ssh
vi .ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# paste your public key content from the client

Disable Password (IMPORTANT🚨)

vi /etc/ssh/sshd_config

PasswordAuthentication no

(or OPTIONALLY (and not recommended) do it here /etc/ssh/sshd_config.d/*.conf to override root settings if on Ubuntu/Debian and you want to keep default config allowing passwords - will be applied to other accounts (IMPORTANT: Note sshd_config(server) NOT ssh_config(client), .conf NOT.config) refer):

then(IMPORTANT🚨)

# Note that this operations can be silent if linux doesn't have the service installed
sudo systemctl restart sshd  # used this on Proxmox
# OR
sudo systemctl restart ssh # Debian, sshd didn't work
# or
sudo service ssh restart # used in Parrot OS 
service sshd onerestart #FreeBSD

then(IMPORTANT🚨) triple check you can’t still log in with password. Also, I noted changes might take time even after restrting server.

Debug ssh service

systemctl status ssh.service

Favorite list / presey

instead of

ssh [email protected]

you can add it to alias / fav litst nvim ~/.ssh/config

Host friendly_name
  User host_user_name
  Hostname 192.168.X.X
  Compression yes
  ConnectTimeout 10

so you can do

ssh friendly_name

Debug / See logs on the Server on who connected via SSH

# opt 1: redundant / superseded by opt 2
sudo tail -f /var/log/auth.log
# opt 2
sudo journalctl -f -u ssh.service
# where -f is to follow / live tail

Copy files using rsync or scp(deprecated)

# From client
rsync --progress -av -e 'ssh' -avz ./local_filenam_on_client SSH_ADDRESS:/path/to/remote_destination
# --progress -av    are optional to see progress of individual files
# `-a` option enables archive mode, preserving permissions and other attributes

#  from remote server, less powerful
scp SSH_ADDRESS:/path/to/remote_file optional_local_filename

Both rsync and scp are command-line tools for transferring files over a network.

rsync is a more powerful and versatile tool than scp. It can synchronize files between two directories, and it can transfer files over a network while preserving file permissions, ownership, and timestamps. rsync is particularly useful for transferring large files or large numbers of files, as it can resume interrupted transfers and only transfer files that have changed since the last transfer.

scp (Secure Copy) is a simpler tool that is used to securely transfer files between two hosts. It uses the same SSH protocol as ssh to authenticate and encrypt the connection, and it can transfer files either from a remote host to a local host or from a local host to a remote host.

In summary, if you need to transfer a few files securely between two hosts, scp may be sufficient. However, if you need to transfer large amounts of data, or if you need to synchronize directories between two hosts, rsync is a better option.

Port forwarding

ssh -L <local_port>:<remote_host>:<remote_port> user@remote_server
ssh -L 8080:localhost:80 user@remote_server
# or multiple
ssh -L 8080:localhost:80 -L 2222:localhost:22 user@remote_server

SSH instead of VPN with sshutle

sshuttle -r [email protected] 0/0 --dns # route all traffic. 
sshuttle -r [email protected] 192.168.1.0/24 --dns # route only your remote local traffic