June 15th, 2016
(written by lawrence krubner, however indented passages are often quotes). You can contact lawrence at: firstname.lastname@example.org
Require ssh key authentication
We tend to avoid passwords for logging into servers. There was a lot of discussion around this after Bryan’s original guide came out, but I tend to fall into this camp as well. Here are a few notes on this:
ssh keys are better than passwords only because they contain and require more information.
Passwords can be brute forced. Guessing a public key is so essentially impossible that they can be considered perfectly secure
What about a stolen machine? Yes, they have your private key, but expiring an ssh-key is easy, just remove the public key from authorized_keys. You should also have your private key protected by a secure and long passphrase. See next point.
All of this works, AS LONG AS YOU HAVE A LONG AND SECURE PASSPHRASE PROTECTING YOUR KEY. Repeated because it’s bloody important.
So let’s make password authentication a thing of the past on our server. Copy the contents of your id_rsa.pub1 on your local machine to your servers authorized keys file.
Enforce ssh key logins
ssh configuration for the machine is stored here:
You’ll want to add these lines to the file. I think they’re pretty self-explanatory. You’ll want to add the IP that you use to connnect. We have a company VPN setup with OpenVPN with cryptographic authentication so in order to connect to a server, you must also be authenticated and connected to the VPN.
Enable all these rules by restarting the ssh service. You’ll probably need to reconnect (do so by using your deploy user!)
service ssh restart