update SSH

asim3 · asim3 · commit 1f54c4372c11 · 2023-08-31T10:54:34.000+03:00
diff --git a/data/server/index.md b/data/server/index.md
@@ -11,7 +11,10 @@ ifconfig
 
 ## Login to Server
 > logout SSH `exit`
-```txt
+```bash
+# test connection
+ssh -T git@github.com
+
 ssh username@server.ip
 
 # run bash on remote server
diff --git a/data/server/ssh/certificates.md b/data/server/ssh/certificates.md
diff --git a/data/server/ssh/index.md b/data/server/ssh/index.md
@@ -1,11 +1,17 @@
+[SSH Audit](ssh-audit.com)
+
+
 ## generate key
 > if you want to change the key name make sure to put the full directory path
 ```bash
-cd ~/.ssh/
-ssh-keygen -t ecdsa -b 521 -C "argocd@asimt.sa"
+ssh-keygen -t ed25519 -C "test-1@asimt.sa"
 
-# old
-ssh-keygen -t rsa -b 4096 -C "myname@example.com"
+ssh-keygen -t rsa -b 4096 -C "test-2@asimt.sa"
+
+# -t ed25519 : EdDSA performs much faster and provides the same level of security with significantly smaller keys
+# -t rsa     : old - universally supported
+# -t dsa     : Just don’t use ECDSA/DSA!
+# -t ecdsa   : Just don’t use ECDSA/DSA!
 ```
 
 
@@ -34,19 +40,6 @@ cat ~/.ssh/authorized_keys
 ```
 
 
-## settings
-> make sure to restart sshd `sudo systemctl restart sshd`
-
-`sudo nano /etc/ssh/sshd_config`
-```bash
-# ...
-PubkeyAuthentication yes
-# PermitRootLogin [no|yes|prohibit-password|without-password]
-# PasswordAuthentication yes 
-# ...
-```
-
-
 ## Copy files
 ```bash
 scp ~/local.txt username@remote.server.ip:~/remote/q
diff --git a/data/server/ssh/install.md b/data/server/ssh/install.md
@@ -1,13 +1,9 @@
 ## install ssh server
 ```txt
 sudo apt install -y openssh-server
-
+sudo systemctl enable ssh
 sudo systemctl status ssh
-```
-
 
-## setup ssh
-```txt
 mkdir ~/.ssh/
 chmod 700 ~/.ssh/
 
@@ -16,8 +12,9 @@ chmod 600 ~/.ssh/*
 ```
 
 
-## systemd
+## logs
 ```
-sudo systemctl enable ssh
-sudo systemctl status ssh
+journalctl -u ssh
+
+journalctl -b -u ssh
 ```
diff --git a/data/server/ssh/manual.md b/data/server/ssh/manual.md
diff --git a/data/server/ssh/other.md b/data/server/ssh/other.md
@@ -1,24 +1,52 @@
-## testing
-testing SSH connection
-```txt
-ssh -T git@github.com
+## Get fingerprint
+```bash
+ssh-keygen -l -f ~/.ssh/id_ed25519
+# 256 SHA256:KHzEcaes5BlSwvrhbVOs7QTNbL2J3ZD4c7rIkyun4+0 test-1 (ED25519)
+
+ssh-keygen -l -f ~/.ssh/id_ed25519.pub
+# 256 SHA256:KHzEcaes5BlSwvrhbVOs7QTNbL2J3ZD4c7rIkyun4+0 test-1 (ED25519)
 ```
 
+
 ## ssh config
 change SSH port number 
 `sudo nano ~/.ssh/config`
-```txt
+```bash
 Host github.com
     Hostname ssh.github.com
     Port 443
 ```
 
 
-
-
 ## !!!
 ```txt
 # Start the ssh-agent in the background
 eval "$(ssh-agent -s)"
 ssh-add ./.ssh/id_rsa
 ```
+
+## Manual
+> `man ssh-keygen`
+> `man ssh_config`
+
+
+```txt
+-q              Silence ssh-keygen.
+-t              Specifies the type of key to create. [dsa|ecdsa|ed25519|rsa]
+-f filename     Specifies the filename of the key file.
+```
+
+
+## certificates
+```txt
+-s ca_key                   Certify (sign) a public key using the specified CA key.
+-I certificate_identity     Specify the key identity when signing a public key.
+-h                          When signing a key, create a host certificate instead of a user certificate.
+```
+
+
+# !!!
+```bash
+ssh-keygen -s /path/to/ca_key -I key_id    /path/to/user_key.pub
+ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
+```
diff --git a/data/server/ssh/settings.md b/data/server/ssh/settings.md
@@ -0,0 +1,56 @@
+[SSH Audit](ssh-audit.com)
+
+
+## edit sshd
+```bash
+sudo nano /etc/ssh/sshd_config
+
+# restart sshd
+sudo systemctl restart sshd
+```
+
+
+## best
+```bash
+Port 2222
+PasswordAuthentication no
+PermitEmptyPasswords no
+PermitRootLogin no
+UsePAM no
+```
+
+
+## Disable Passwords
+```bash
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+```
+
+
+## PM
+```bash
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM no
+```
+
+
+## Disallow Root Login
+```bash
+PermitRootLogin no
+```
+
+
+## Change Port
+[List of TCP ports](https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers)
+```bash
+Port 2222
+```
