Out of the box, secure shell is fairly secure. With the help of ssh key authentication, you can lock down secure shell so that only specific machines can log in. Here's how.
If you're a Linux administrator, you most certainly are using secure shell to gain access to your remote servers. Why? Secure shell is far more trustworthy than many other means of logging into your remote servers. When you attempt to log into a remote server, you will be asked for a username and password. As you transmit that information it is encrypted, so there's no need to worry. However, what if you could add yet another layer of security? This is not only possible, it's actually quite simple.
I want to walk you through the process of setting up ssh key authentication for secure shell and disabling password authentication. With this configured, only those with the proper ssh key will be able to log into your servers. I'll be demonstrating on the Ubuntu Server 16.04 platform, but this works on any Linux platform that uses secure shell. I will assume you already have secure shell installed on both a server and at least one client. Last but not least, I will be using the following IP addresses for my example:
- Client - 192.168.1.198
- Server - 192.168.1.162
It is also important that the user who will generate the ssh key has an account on both machines and is a member of the sudoers group on both.
Generating the ssh key
The first thing we must do is generate the ssh key on the server. Log into your server and issue the following command (as the user that will log in from the client):
ssh-keygen -t rsa
During the creation of the key, you have the option of protecting it with a password (ssh-keygen calls it a passphrase) or leaving it unprotected. The benefit of not configuring a password is that you won't be prompted for it when you go to log into the server. Unless you absolutely have to have password-less authentication for your ssh key, I wouldn't recommend leaving it unprotected.
Copying the key to the client
Once that command completes, you need to copy the key from the server to the client. The command to do this is:
ssh-copy-id -i $HOME/.ssh/id_rsa.pub USER@192.168.1.198
Where USER is the username that will be logging into the server.
Testing the connection
When that finishes, it's time to test the connection. Go back to the client and issue the command:
ssh -v USER@192.168.1.162
Where USER is the username.
If you configured your ssh key without a password, you will immediately be logged into the server. If you set up your ssh key with a password, you'll be prompted for it. Type the ssh key password and you'll be logged in.
Disabling password authentication
Once you have successfully logged in, configure secure shell so that it no longer allows password authentication. To do this, open up the file /etc/ssh/sshd_config in your favorite editor and add the following line to the bottom of the file:
Save and close that file.
Finally, restart ssh with the command:
sudo service ssh restart
Now, if you attempt to log into your server, you will not be able to do so without the added ssh key. Once you're certain everything works, run the ssh-copy-id command (from the server) for each client machine that needs to be able to log into the server.
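A check worth running after the restart, added here as an example and not part of the original article: sshd honours the first uncommented occurrence of a keyword and ignores later ones, and anything after a Match line applies only to matching sessions, so a line appended to the bottom of sshd_config only takes effect if no earlier global line already sets PasswordAuthentication. The snippet below works out the value sshd will actually use; the two sample files and the function names are constructed for the demonstration, and the parser assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Print the value sshd will actually use for PasswordAuthentication in the
# file given as $1, following sshd's own rules: first uncommented global
# occurrence wins, lines inside a Match block are conditional, default is yes.
effective_password_auth() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # skip comments and blank lines
        tolower($1) == "match" { in_match = 1; next }    # rest of file is a Match block
        in_match { next }
        tolower($1) == "passwordauthentication" && !found { value = tolower($2); found = 1 }
        END { print (found ? value : "yes") }             # sshd default is yes
    ' "$1"
}

# Exit 0 when password logins are really disabled, 1 otherwise, with a hint
# about why a line appended at the bottom may not have taken effect.
check_sshd_config() {
    value=$(effective_password_auth "$1")
    if [ "$value" = "no" ]; then
        echo "$1: PasswordAuthentication is effectively no"
        return 0
    fi
    echo "$1: PasswordAuthentication is effectively '$value'; an earlier uncommented line wins, change that one instead" >&2
    return 1
}

# Constructed sample files standing in for /etc/ssh/sshd_config.
demo_dir=$(mktemp -d)
# Stock-style file: the keyword is only present commented out, so appending works.
printf '%s\n' '# constructed sample' '#PasswordAuthentication yes' 'UsePAM yes' \
    'PasswordAuthentication no' > "$demo_dir/good.conf"
# Earlier global "yes" wins, and the trailing "no" sits inside the Match block.
printf '%s\n' 'PasswordAuthentication yes' 'Match User backup' \
    '  PasswordAuthentication no' 'PasswordAuthentication no' > "$demo_dir/bad.conf"

check_sshd_config "$demo_dir/good.conf"
check_sshd_config "$demo_dir/bad.conf" || true
```

On the real server, `sudo sshd -T | grep -i passwordauthentication` prints the effective value straight from sshd and is the authoritative check.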
Enjoy the security
That's all there is to it! You can now only log into your server from machines that include your ssh key. Enjoy the added layer of security, brought to you by secure shell and secure shell authentication keys.