June 15th, 2016
In Technology
Demanding ssh key login to a server is safer than allowing passwords
(written by lawrence krubner, however indented passages are often quotes). You can contact lawrence at: lawrence@krubner.com, or follow me on Twitter.
Require ssh key authentication
We tend to avoid passwords for logging into servers. There was a lot of discussion around this after Bryan’s original guide came out, but I tend to fall into this camp as well. Here are a few notes on this:
ssh keys are better than passwords only because they contain and require more information.
Passwords can be brute forced. Guessing a public key is so essentially impossible that they can be considered perfectly secure.
What about a stolen machine? Yes, they have your private key, but expiring an ssh-key is easy, just remove the public key from authorized_keys. You should also have your private key protected by a secure and long passphrase. See next point.
All of this works, AS LONG AS YOU HAVE A LONG AND SECURE PASSPHRASE PROTECTING YOUR KEY. Repeated because it’s bloody important.
So let’s make password authentication a thing of the past on our server. Copy the contents of your id_rsa.pub [1] on your local machine to your server's authorized_keys file.
Enforce ssh key logins
ssh configuration for the machine is stored here:
vim /etc/ssh/sshd_config
You’ll want to add these lines to the file. I think they’re pretty self-explanatory. You’ll want to add the IP that you use to connect. We have a company VPN set up with OpenVPN with cryptographic authentication, so in order to connect to a server, you must also be authenticated and connected to the VPN.
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@(your-VPN-or-static-IP)
Enable all these rules by restarting the ssh service. You’ll probably need to reconnect (do so by using your deploy user!)
service ssh restart
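The quoted steps (generate a passphrase-protected key, install the public key, set the three sshd_config directives, restart) are what an operator types by hand. The script below is an added example written for this page, not code from the Codelitt guide or from Lawrence, that applies the same three directives to a config file in a way that survives being re-run, and that checks the result before sshd is restarted. The user name `deploy` and the VPN range `10.8.0.0/24` are placeholders, as in the guide; `sshd -t -f` and `ssh-copy-id` are standard OpenSSH tools. One caveat the guide does not mention, and which the script handles: a directive appended after a `Match` block applies only to that block, so the hardened lines are placed at the top of the file and any earlier copies (active or commented out, including ones inside `Match` blocks) are removed.

```shell
#!/bin/sh
# Added example (not from the quoted guide): enforce ssh key logins in
# sshd_config idempotently and verify the result before restarting.
#
#   harden_sshd_config /etc/ssh/sshd_config deploy 10.8.0.0/24
#   check_directive    /etc/ssh/sshd_config PasswordAuthentication no
#   validate_and_restart /etc/ssh/sshd_config
#
# Placeholders (assumptions, not from the page): user "deploy", VPN range
# "10.8.0.0/24". Keep your current session open until a key login from a
# second session has been confirmed.

# Client side, run once on your workstation (interactive; not run by tests):
# ssh-keygen asks for the passphrase the guide insists on, ssh-copy-id
# appends the public key to ~deploy/.ssh/authorized_keys on the server.
client_key_setup() {
    server=$1
    ssh-keygen -t rsa -b 4096 -a 100 -f "$HOME/.ssh/id_rsa" \
        -C "deploy@$(hostname)"
    ssh-copy-id -i "$HOME/.ssh/id_rsa.pub" "deploy@$server"
}

# harden_sshd_config FILE USER SOURCE
# Prepends the three directives and strips every existing occurrence of
# them, active or commented, wherever it sits. Prepending matters: sshd
# scopes any directive that follows a "Match" line to that Match block,
# so appending at the end of the file can silently have no global effect.
harden_sshd_config() {
    file=$1; user=$2; source=$3
    tmp=$(mktemp) || return 1
    {
        printf 'PermitRootLogin no\n'
        printf 'PasswordAuthentication no\n'
        printf 'AllowUsers %s@%s\n' "$user" "$source"
        awk '!/^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PasswordAuthentication|AllowUsers)([[:space:]]|$)/' "$file"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat rather than mv keeps the original file's owner and mode
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# check_directive FILE KEY VALUE
# Succeeds only if the first *global* active KEY line (before any Match
# block) carries exactly VALUE. Commented-out lines do not count.
check_directive() {
    file=$1; key=$2; value=$3
    got=$(awk -v k="$key" '
        /^[[:space:]]*Match([[:space:]]|$)/ { exit }   # global section ends here
        $1 == k { sub(/^[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$file")
    [ "$got" = "$value" ]
}

# validate_and_restart FILE
# Let sshd parse the file itself before restarting; a typo here would
# otherwise leave the daemon down after "service ssh restart".
validate_and_restart() {
    file=$1
    check_directive "$file" PasswordAuthentication no || {
        echo "PasswordAuthentication is not globally 'no'" >&2; return 1; }
    sshd -t -f "$file" || { echo "sshd_config invalid, not restarting" >&2; return 1; }
    service ssh restart
}
```

Run `harden_sshd_config` on a copy of the file first and diff it against the original; `sshd -T -f FILE` (effective-configuration dump) is a good second check that `passwordauthentication no` and `permitrootlogin no` are what the daemon will actually use.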
Post external references
[1] http://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-for-securing-ubuntu/