What exactly is meant by a jump box, and which bits of the config file would you recommend be tightened and in what way?
A 'jump box' is a trusted intermediary that normally lives in a DMZ or similar...
The settings of concern in sshd_config are as below:
Code:
# Authentication:
# LoginGraceTime 120
LoginGraceTime 30
# PermitRootLogin prohibit-password
PermitRootLogin no
StrictModes yes
#MaxStartups 10:30:60
MaxStartups 2:30:10
MaxAuthTries 3
DebianBanner no
AllowUsers (some username, see below)
Then create a specific user, and this is your 'jump' user, and it does not have admin privileges on the machine itself - this is the user that would be in the AllowUsers line I mentioned above... if you need to do admin on the 'jump' box, then just su over to an account that does have sudo...
There are more settings, but the ones I mention above should be a good start...
Once the edits are done, restart OpenSSH...
follow the prompts...
Since Raspbian is basically the same as Debian (or derivatives like Ubuntu), the rest is pretty easy - lots of recipes out there...
Once that's all done - if one wants certificates, one can generate them there...
Little tip - Raspbian includes the UFW (uncomplicated firewall) - which is a nice frontend to iptables...
might have to do an apt-get install ufw perhaps...
then...
Code:
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit ssh
sudo ufw allow from 192.168.1.0/24
sudo ufw allow from fe80::/64
# done for most purposes
you can always query the ufw by doing sudo ufw status...
So it's a little bit of work - should take a couple of minutes - once done however, that 'jump' box and user can then be used to ssh over to other hosts on the trusted side of the firewall as needed - and remember, OpenSSH has some very nice things, like the ability to tunnel other things through that connection...
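An added example (not from the post above) that audits an sshd_config against the settings the answer recommends. It mirrors two sshd behaviours that trip people up when hardening by hand: the first uncommented value of a keyword wins (a `PermitRootLogin no` appended after an existing `PermitRootLogin yes` does nothing), and settings under a `Match` block are conditional; the sample config is constructed, and the `jumpuser` name is a placeholder.

```python
"""Audit sshd_config text against the jump-box settings recommended above.
sshd uses the FIRST uncommented value of each keyword (later duplicates are
ignored) and `Match` blocks are conditional, so the parser mirrors both."""
import re
# Rules: a set of accepted strings, ("<=", limit) for numbers, or None = must just be present.
EXPECTED = {
    "logingracetime": ("<=", 30),
    "permitrootlogin": {"no"},
    "strictmodes": {"yes"},
    "maxstartups": ("<=", 2),      # checks the "start" field of start:rate:full
    "maxauthtries": ("<=", 3),
    "debianbanner": {"no"},
    "allowusers": None,
}

def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*(?:=|\s)\s*(.*)", line)  # "key value" or "key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                        # conditional settings; global section ends here
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings

def audit(text):
    """Return sorted findings; an empty list means every rule passed."""
    settings, findings = parse_sshd_config(text), []
    for key, rule in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set, compiled-in default applies")
        elif isinstance(rule, set) and value.lower() not in rule:
            findings.append(f"{key}: is '{value}', expected {sorted(rule)}")
        elif isinstance(rule, tuple):
            digits = re.match(r"\d+", value)  # plain numbers only; "1m"-style suffixes are not converted
            number = int(digits.group()) if digits else None
            if number is None or number > rule[1]:
                findings.append(f"{key}: '{value}' exceeds or is not a number <= {rule[1]}")
    return sorted(findings)

# Constructed sample: the trailing "PermitRootLogin no" is silently ignored by sshd.
SAMPLE = ("PermitRootLogin yes\nLoginGraceTime 120\nStrictModes yes\n"
          "MaxAuthTries 3\nAllowUsers jumpuser\nPermitRootLogin no\n")
```

Running `audit(SAMPLE)` reports four findings, including that root login is still permitted because the first value is the one sshd honours.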