Linux
SSH: Keys, Config & Hardening
44 flashcards · answers and review in the app — launching soon
Why are telnet and rlogin considered obsolete, and what does ssh do differently to replace them?
The very first time you ssh to a new host, it prints a fingerprint and asks you to confirm. What is that step actually protecting you against, and what does answering yes do?
You reinstalled a server but kept its old hostname; now ssh screams REMOTE HOST IDENTIFICATION HAS CHANGED and refuses to connect. What is it warning about and how do you clear it once you know the change is legitimate?
How do you run a single command on a remote host without opening an interactive shell, versus feeding a whole batch of commands to it non-interactively?
For automating ssh across many fresh hosts, the first-connect trust prompt gets in the way. Which option skips it, and which config file do such client options belong in?
Which ssh option lets a graphical program running on the remote host display on your local screen, and does it still work under Wayland?
How do you build an SSH tunnel that forwards a local port to a remote service, and how do you keep it from also opening a shell?
After installing the SSH server package, why might ssh still fail to connect on RHEL or SUSE when it just works on Debian/Ubuntu?
SSH is installed and running, the service is listening, yet a client times out connecting to port 22. On which distribution is a blocking firewall the built-in culprit by default?
You want to tighten the SSH server but keep editing the wrong file. Which file configures sshd, which one configures the client, and what feature does the Subsystem line control?
On a publicly reachable server you want to see the endless SSH break-in attempts. Where are SSH login attempts logged, and roughly what volume should you expect?
How does setting PermitRootLogin no in sshd_config raise the bar for an attacker, and how are you then supposed to do admin work?
You edited sshd_config to forbid root login but root can still log in. What step did you forget?
Someone sets PermitRootLogin without-password and panics that it now allows root in with a blank password. What does that setting actually mean?
PermitRootLogin no is set, but you want to forbid password logins for every account, not just root. Which directive does that, and what's the safety catch?
A server has both public IPv4 and IPv6 addresses. Why might you deliberately restrict sshd to IPv4 only, and which directive controls that?
On Fedora or RHEL you changed sshd to a non-standard port with the Port directive, but the daemon won't start on it. What extra step do those distributions require?
Moving sshd off port 22 is sold as a security win. What are its two real limitations that keep it from being genuine protection?
What does Fail2Ban do to blunt SSH brute-force attacks, and what class of attack tools is it countering?
Where should you put your Fail2Ban customizations so a package update won't wipe them, and what makes SSH monitoring actually take effect?
Out of the box, how aggressive is Fail2Ban's SSH banning, and which three parameters define that behavior?
Which command shows Fail2Ban's live SSH stats and banned IPs, and why does Fail2Ban remain weak despite being IPv6-compatible?
When you generate an SSH key pair with ssh-keygen, why is it strongly recommended to add a passphrase, given that it makes every login prompt for it?
In the lock-and-key analogy for SSH key pairs, which half is the key and which is the lock, and what does that tell you about where each file may go?
SSH key files are named after the algorithm that made them. Which private/public filenames correspond to RSA, ECDSA, and Curve25519?
ssh-copy-id normally installs your public key on a server, but it fails on a box that already allows key-only auth. Why, and how do you still get your key on there?
Passphrase-protected keys are secure but prompt on every login. How does ssh-agent restore convenience, and what limits its reach?
Key auth is set up correctly but the server still ignores your key and asks for a password. With StrictModes yes, what is usually wrong and how do you fix it?
On Fedora or RHEL, permissions on ~/.ssh are correct but the copied key still isn't accepted. What SELinux-specific fix restores it?
An SSH login keeps failing and you can't tell why. How do you make ssh reveal what's happening, and how much more detail can you get?
You juggle several private keys for different servers. What does the client-side ~/.ssh/config file let you do, and what permission must it have?
What does adding SSH two-factor authentication actually change about a login, and what's the practical trade-off?
People worry that using Google Authenticator for SSH sends their codes to Google. How does it really work?
You set up Google Authenticator on a server as user as34; can those codes also log you in as another user or as root on the same machine?
Which PAM line enables Google Authenticator 2FA for SSH, and what does the nullok option change about who it applies to?
Beyond the PAM line, which sshd_config settings must be in place for Google Authenticator 2FA to work, and what final step activates them?
When enabling SSH 2FA on a remote server you don't have physical access to, what single precaution keeps a misconfiguration from locking you out forever?
A YubiKey shows up to the computer as a USB keyboard and types a long one-time password. How is that string structured?
What does YubiKey SSH authentication need on the server side to actually verify a token's one-time password?
With pam_yubico protecting SSH, why can a network outage lock everyone out, and what's the recommended safeguard?
You need to run the same command on three servers interactively at once. What does Cluster SSH give you that plain ssh doesn't?
Parallel SSH and Cluster SSH both fan a command out to many hosts. What is the key difference in what each is designed for, and what does pssh require to authenticate?
For SSH sessions that keep dropping on a mobile connection, Mosh is the fix. How does it establish itself and what transport does it then use?
Over SSH, why is screen far more valuable than it is on a local desktop, and how do you leave a task running and come back to it?