Source and inspiration: https://stribika.github.io/2015/01/04/secure-secure-shell.html
- Enable sshd by adding the following to /etc/rc.conf
sshd_enable="YES"
- Replace /etc/ssh/sshd_config with the included file sshd_config, and change Port to something non-standard (and not 22)
- Replace /etc/ssh/ssh_config with the included file ssh_config
- Recreate all ssh host keys without passwords (/etc/ssh/ssh_host_key)
rm /etc/ssh/ssh_host_*key*
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" < /dev/null
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" < /dev/null
- Recreate /etc/ssh/moduli
rm /etc/ssh/moduli
ssh-keygen -G /etc/ssh/moduli.all -b 4096 # takes a few minutes
ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all # takes hour/hours
mv /etc/ssh/moduli.safe /etc/ssh/moduli
rm /etc/ssh/moduli.all
- Restart the sshd daemon
service sshd restart
- Generate client keys with strong passwords using the following commands (or generate them on the client side):
ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100
- Add the public keys to your user's (not root's) ~/.ssh/authorized_keys file (or, if the keys were created on the client, by using the ssh-copy-id utility (Google is your friend(?))). Then chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys.
- Preferably add the private keys as an attachment to a record in your KeePass and then use KeeAgent when using the keys for SSH sessions.
- If you for some reason copy a private key to Windows that was generated in a Linux/FreeBSD/etc. terminal, mind the whitespace and save the file in UTF-8 format if you want to use PuTTYgen to convert the key to PuTTY format. Test the validity of the copied key by trying to import it into PuTTYgen. If it fails, you have format errors or it is not saved in UTF-8 format.
- Remove generated private client keys from the server (not the server keys) when you have stored them safely in PuTTY or elsewhere. This is for security reasons.
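An added audit script (not part of these notes or of the stribika post) that checks the outcome of the steps above: sshd enabled in rc.conf, only the two regenerated host key types left in /etc/ssh, no DH groups below 4096 bits in moduli, and the prescribed modes on ~/.ssh and authorized_keys. Every check takes a path, so it runs here against a constructed sample tree; point the same functions at the real /etc/rc.conf, /etc/ssh and ~/.ssh on the server.

```shell
#!/bin/sh
# Added audit helpers (not the original notes' code). Assumes POSIX sh, awk and
# either GNU or BSD stat. All paths are arguments so the script can be run
# against the constructed sample below instead of the live system.

# 1. sshd enabled in rc.conf? Note the exact spelling: sshd_enable, not shd_enable.
rcconf_sshd_enabled() {
    if grep -q '^sshd_enable="YES"' "$1"; then echo yes; else echo no; fi
}

# 2. Count DH groups in a moduli file weaker than $2 bits. Column 5 of the
#    moduli format stores size-1, so a 4096-bit prime is listed as 4095.
moduli_weak_count() {
    awk -v min="$2" '!/^#/ && NF >= 7 { if ($5 + 1 < min) n++ } END { print n + 0 }' "$1"
}

# 3. Which host key types exist in an /etc/ssh-style directory? After the
#    regeneration step only "ed25519" and "rsa" should remain.
host_key_types() {
    for f in "$1"/ssh_host_*_key; do
        [ -e "$f" ] || continue
        name=$(basename "$f" _key); printf '%s ' "${name#ssh_host_}"
    done
}

# 4. ~/.ssh must be 700 and authorized_keys 600 as the steps prescribe
#    (sshd with StrictModes rejects group- or world-writable files).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
authkeys_perms_ok() {
    d=$(mode_of "$1"); f=$(mode_of "$1/authorized_keys")
    if [ "$d" = 700 ] && [ "$f" = 600 ]; then echo ok; else echo "dir=$d file=$f"; fi
}

# Constructed sample tree (empty fake keys, fake moduli lines) for an offline run.
make_sample() {
    printf 'hostname="box"\nsshd_enable="YES"\n' > "$1/rc.conf"
    mkdir -p "$1/etc_ssh" "$1/.ssh"
    touch "$1/etc_ssh/ssh_host_ed25519_key" "$1/etc_ssh/ssh_host_rsa_key"
    printf '# constructed\n20150104 2 6 100 2047 2 ff\n20150104 2 6 100 4095 2 ff\n' \
        > "$1/etc_ssh/moduli"
    chmod 700 "$1/.ssh"; touch "$1/.ssh/authorized_keys"; chmod 600 "$1/.ssh/authorized_keys"
}

sample=$(mktemp -d) && make_sample "$sample"
echo "sshd enabled:   $(rcconf_sshd_enabled "$sample/rc.conf")"
echo "weak moduli:    $(moduli_weak_count "$sample/etc_ssh/moduli" 4096)"
echo "host key types: $(host_key_types "$sample/etc_ssh")"
echo "perms:          $(authkeys_perms_ok "$sample/.ssh")"
rm -rf "$sample"
```

On the sample the weak-moduli count is 1 (the 2048-bit line), which is exactly what the moduli regeneration step is meant to eliminate.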