Continuing the discussion from Do You Use It? What’s Your Backup Strategy:
From my experience, SSH remote access is pretty secure, but I would never allow a guest-login account to use it. I actually never use guest accounts at all.
To be more secure, I recommend disabling password-based authentication altogether. To do this, edit the SSH daemon’s configuration file, /etc/ssh/sshd_config
, locate the line:
#PasswordAuthentication yes
And change it to:
PasswordAuthentication no
Alternatively, if you don’t want to touch the system-provided SSH daemon config file, you can create a file (any name will do) in the /etc/ssh/sshd_config.d
directory containing the above “PasswordAuthentication no
” line.
And then reboot to make the changes take effect. (You might be able to just turn remote-login off, wait a second and turn it on again via system settings.)
Now, nobody can log in via SSH using a password. Of course, if that’s all you do, then nobody can log in at all. The next step is to create a public/private key pair to use for authentication instead of a password. To do this (from a command-line):
-
If it doesn’t already exist, create a
.ssh
directory in your home directory. Make its permissions “700”, so no other users have access (SSH will ignore the directory if its permissions are wrong). Create an authorized-keys file if it is missing, and set its permissions to “600”:mkdir ~/.ssh chmod 700 ~/.ssh touch ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys
The “touch” command changes a file’s last-access and last-modified time to the current time. It has the (desirable, in this case) side effect of creating the file (at zero length) if it does not exist, and will not modify the file if it already exists.
-
Create a public/private key pair if you don’t already have one. The
ssh-keygen
utility can do it:ssh-keygen -t rsa
will create an RSA key, with default parameters (16 rounds, 3072 bits, no passphrase, SHA2-512 hash) using the default filenames (
~/.ssh/id_rsa
for the private key and~/.ssh/id_rsa.pub
for the public key).If you want to use other filenames (e.g. in case there are already
id_rsa
/id_rsa.pub
files or if you need to create multiple key pairs for some reason), use the-f
option to specify the base filename that will hold the results:ssh-keygen -t rsa -f ~/.ssh/id_rsa_foo
Which will store the private key in
~/.ssh/id_rsa_foo
and the corresponding public key in~/.ssh/id_rsa_foo.pub
. -
Append your newly-created public key to the authorized-keys file (which you may have just created in step 1):
cd ~/.ssh cat id_rsa.pub >> authorized_keys
This file is the list of keys authorized to log on to that account.
And the server-side is done. Now, copy your private key (~/.ssh/id_rsa
) to the computer you want to log-in from. Copy it to that computer’s ~/.ssh/
directory (making sure it has all the necessary permissions).
(This is if your client is running OpenSSH, which is typical for most Unix-like systems. Windows clients may have a different mechanism.)
When you try to SSH from the remote host (e.g. ssh user@hostname
or slogin user@hostname
), the remote host will use the private key you installed (~/.ssh/id_rsa
) to authenticate the login against the set of authorized public keys (~/.ssh/authorized_keys
) in the home directory for the account you’re logging in to.
If your remote host needs to log in to multiple servers that have different key-pairs, copy all the required private keys to the host (with different names, of course) and create a ~/.ssh/config
file that specifies which should be used for each server. For example:
host foo.example.com
IdentityFile ~/.ssh/id_rsa_foo
host bar.example.com
User jimbo
IdentityFile ~/.ssh/id_rsa_bar
host baz
HostName baz.example.com
User johnny5
IdentityFile ~/.ssh/id_rsa_baz
The above configuration file has configurations for three remote servers:
foo.example.com
authenticates using the private keyid_rsa_foo
bar.example.com
authenticates using the private keyid_rsa_bar
, and will use the user namejimbo
if you don’t specify one when connecting. (By default, SSH uses your locally-logged-in user name as the remote-login user name.)baz
is an alias so you don’t need to type the full host name (e.g.ssh baz
). It will try to connect to the host namebaz.example.com
using a default user name ofjohnny5
and the private keyid_rsa_baz
.
If you want to log in to different user accounts on the server, repeat the above in each user’s home directory. The ~/.ssh/authorized_keys
file in each user’s home directory will determine which keys are valid for authenticating access to that user account.
If you want to allow multiple people to log in to a single user account, you can create and install multiple key-pairs in that account’s authorized-keys file. Create a pair for each person, and give that person his private key. Don’t give a single private key to more than one person. This way if one person is irresponsible, you can easily delete his public key from the authorized-keys file, cutting off his access.
See also: