Remote access security

Continuing the discussion from Do You Use It? What’s Your Backup Strategy:

From my experience, SSH remote access is pretty secure, but I would never allow a guest-login account to use it. I actually never use guest accounts at all.

To be more secure, I recommend disabling password-based authentication altogether. To do this, edit the SSH daemon’s configuration file, /etc/ssh/sshd_config, locate the line:

#PasswordAuthentication yes

And change it to:

PasswordAuthentication no

Alternatively, if you don’t want to touch the system-provided SSH daemon config file, you can create a file (any name will do) in the /etc/ssh/sshd_config.d directory containing the above “PasswordAuthentication no” line.

And then reboot to make the changes take effect. (You might be able to just turn remote-login off, wait a second and turn it on again via system settings.)

Now, nobody can log in via SSH using a password. Of course, if that’s all you do, then nobody can log in at all. The next step is to create a public/private key pair to use for authentication instead of a password. To do this (from a command-line):

  1. If it doesn’t already exist, create a .ssh directory in your home directory. Make its permissions “700”, so no other users have access (SSH will ignore the directory if its permissions are wrong). Create an authorized-keys file if it is missing, and set its permissions to “600”:

    mkdir ~/.ssh
    chmod 700 ~/.ssh
    touch ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys
    

    The “touch” command changes a file’s last-access and last-modified time to the current time. It has the (desirable, in this case) side effect of creating the file (at zero length) if it does not exist, and will not modify the file if it already exists.

  2. Create a public/private key pair if you don’t already have one. The ssh-keygen utility can do it:

    ssh-keygen -t rsa

    will create an RSA key, with default parameters (16 rounds, 3072 bits, no passphrase, SHA2-512 hash) using the default filenames (~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key).

    If you want to use other filenames (e.g. in case there are already id_rsa/id_rsa.pub files or if you need to create multiple key pairs for some reason), use the -f option to specify the base filename that will hold the results:

    ssh-keygen -t rsa -f ~/.ssh/id_rsa_foo

    Which will store the private key in ~/.ssh/id_rsa_foo and the corresponding public key in ~/.ssh/id_rsa_foo.pub.

  3. Append your newly-created public key to the authorized-keys file (which you may have just created in step 1):

    cd ~/.ssh
    cat id_rsa.pub >> authorized_keys
    

    This file is the list of keys authorized to log on to that account.

And the server-side is done. Now, copy your private key (~/.ssh/id_rsa) to the computer you want to log-in from. Copy it to that computer’s ~/.ssh/ directory (making sure it has all the necessary permissions).

(This is if your client is running OpenSSH, which is typical for most Unix-like systems. Windows clients may have a different mechanism.)

When you try to SSH from the remote host (e.g. ssh user@hostname or slogin user@hostname), the remote host will use the private key you installed (~/.ssh/id_rsa) to authenticate the login against the set of authorized public keys (~/.ssh/authorized_keys) in the home directory for the account you’re logging in to.

If your remote host needs to log in to multiple servers that have different key-pairs, copy all the required private keys to the host (with different names, of course) and create a ~/.ssh/config file that specifies which should be used for each server. For example:

host foo.example.com
    IdentityFile ~/.ssh/id_rsa_foo
host bar.example.com
    User jimbo
    IdentityFile ~/.ssh/id_rsa_bar
host baz
    HostName baz.example.com
    User johnny5
    IdentityFile ~/.ssh/id_rsa_baz

The above configuration file has configurations for three remote servers:

  • foo.example.com authenticates using the private key id_rsa_foo
  • bar.example.com authenticates using the private key id_rsa_bar, and will use the user name jimbo if you don’t specify one when connecting. (By default, SSH uses your locally-logged-in user name as the remote-login user name.)
  • baz is an alias so you don’t need to type the full host name (e.g. ssh baz). It will try to connect to the host name baz.example.com using a default user name of johnny5 and the private key id_rsa_baz.

If you want to log in to different user accounts on the server, repeat the above in each user’s home directory. The ~/.ssh/authorized_keys file in each user’s home directory will determine which keys are valid for authenticating access to that user account.

If you want to allow multiple people to log in to a single user account, you can create and install multiple key-pairs in that account’s authorized-keys file. Create a pair for each person, and give that person his private key. Don’t give a single private key to more than one person. This way if one person is irresponsible, you can easily delete his public key from the authorized-keys file, cutting off his access.

See also:

5 Likes