Ssh Hygiene

16 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. What is the recommended SSH key type for new key generation?

Ed25519 (ssh-keygen -t ed25519). It provides strong security with short keys and fast operations. RSA 4096 is also acceptable but Ed25519 is preferred.

Remember: "SSH keys > passwords." Keys are longer, not replayable, and can't be brute-forced.

Example: ssh-keygen -t ed25519 -C "user@host" — ed25519 is the modern default (fast, secure, short keys).

Name origin: Ed25519 uses the Edwards curve (Daniel Bernstein, 2011). The "25519" refers to the prime 2^255 - 19.

Number anchor: Ed25519 keys are 256 bits (32 bytes) vs RSA 4096's 512 bytes. Faster to generate, sign, and verify.

2. What is ssh-agent and why should you use it?

ssh-agent caches your decrypted private key in memory so you don't have to type your passphrase every time you connect. Start with eval "$(ssh-agent)" then add keys with ssh-add ~/.ssh/id_ed25519.

Remember: "ssh-agent = key memory." It holds decrypted keys so you type the passphrase once per session.

Example: eval $(ssh-agent) && ssh-add ~/.ssh/id_ed25519

Gotcha: ssh-agent persists in memory until killed. On shared systems, another user with root can extract your keys from the agent. Use `ssh-add -t 3600` to set a 1-hour timeout.

3. How does the authorized_keys file work for SSH authentication?

The server checks ~/.ssh/authorized_keys for the connecting user. If the client's public key matches an entry, key-based authentication succeeds. Each line contains one public key.

Remember: "~/.ssh/config = SSH bookmarks." Define hosts with aliases, users, keys, and proxy jumps.

Example: Host prod; HostName 10.0.1.5; User deploy; IdentityFile ~/.ssh/prod_ed25519

Gotcha: Permissions must be exact: ~/.ssh = 700, authorized_keys = 600. sshd silently ignores the file if permissions are too open.

🟡 Medium (4)

1. What are the essential sshd_config hardening settings for production?

PasswordAuthentication no (keys only), PermitRootLogin no, MaxAuthTries 3, AllowGroups ssh-users (restrict access), ClientAliveInterval 300 with ClientAliveCountMax 2 (idle timeout), and X11Forwarding no.

Remember: "Agent forwarding = dangerous convenience." It exposes your local keys to the remote host. Use ProxyJump instead.

Example: ssh -J bastion prod connects through bastion without forwarding keys.

Remember: "PARKC" for SSH hardening: PasswordAuth=no, AllowGroups, Root=no, Key-only, ClientAlive timeout.

2. Why should you restrict SSH ciphers and key exchange algorithms?

Default sshd configs may include weak or legacy algorithms. Restricting to strong ciphers (e.g., chacha20-poly1305, aes256-gcm) and key exchanges (e.g., curve25519-sha256) prevents downgrade attacks and ensures connections use modern cryptography.

Remember: "SSH hardening checklist: disable password auth, disable root login, use AllowUsers/AllowGroups, change port, use fail2ban."

Gotcha: Changing the SSH port is security through obscurity — it reduces noise but doesn't stop determined attackers.

Example: `Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com` in sshd_config. Test with `ssh -o Ciphers=weak-cipher` to verify rejection.

3. What is ProxyJump and how does it replace SSH agent forwarding through bastion hosts?

ProxyJump (-J flag or ProxyJump directive) tunnels SSH connections through an intermediate host without exposing your private key on the bastion. Example: ssh -J bastion.example.com internal-host. It is safer than agent forwarding because the key never leaves your machine.

Remember: "ProxyJump = safe. Agent forwarding = risky." ProxyJump tunnels through the bastion without exposing your private key.

4. What is SSH local port forwarding and what is a common use case?

ssh -L local_port:remote_host:remote_port user@server forwards a local port through the SSH tunnel to a remote service. Common use: accessing a database or admin UI on a private network, e.g., ssh -L 5432:db.internal:5432 bastion.

Analogy: SSH port forwarding is like building a secret tunnel through a wall — you can reach services behind the firewall as if they were local.

🔴 Hard (3)

1. When should you disable AllowTcpForwarding in sshd_config, and what is the trade-off?

Disable it on bastion hosts or jump servers where users should only transit, not create arbitrary tunnels. The trade-off: legitimate use cases like database tunneling break. Use Match blocks to allow forwarding only for specific groups or users who need it.

Example: Use a Match block (`Match Group tunnel-users` followed by `AllowTcpForwarding yes`) to selectively allow forwarding for specific groups.

2. What is a practical SSH key rotation strategy for an organization?

Set key expiry policies (e.g., annual rotation), use ssh-keygen to generate new keys, deploy new public keys via configuration management (Ansible), remove old keys from authorized_keys across all servers, and audit for orphaned keys. Consider short-lived certificates (SSH CA) for automated rotation.

Remember: "SSH certificates > authorized_keys at scale." Certificates expire automatically and don't require distributing public keys to every server.

3. How do SSH certificates work as an alternative to authorized_keys?

An SSH CA signs user public keys into short-lived certificates. Servers trust the CA public key (TrustedUserCAKeys in sshd_config) instead of managing individual authorized_keys files. This eliminates key distribution, enables automatic expiry, and scales to large fleets.

Under the hood: The SSH CA signs user keys with a validity period (e.g., +8h). Servers trust the CA key, not individual user keys. No authorized_keys management needed at scale.