$ vi /etc/ssh/sshd_config
# Disable root logins
PermitRootLogin no
# Limit user logins
AllowUsers Who1 Who2
# Protocol 2 is more secure
Protocol 2
# Run ssh on a non-standard port
Port 1234
$ service sshd restart
Keep the comments on their own lines: older versions of sshd reject text placed after a directive on the same line ("garbage at end of line") and refuse to start.
7. Use Public/Private Keys for Authentication
Using encrypted keys for authentication offers two main benefits. Firstly, it is convenient, as you no longer need to enter a password (unless you encrypt your keys with password protection) when you use public/private keys. Secondly, once public/private key pair authentication has been set up on the server, you can disable password authentication completely, meaning that without an authorized key you can't gain access, so no more password cracking attempts.
It's a relatively simple process to create a public/private key pair and install them for use on your ssh server.
First, create a public/private key pair on the client that you will use to connect to the server (you will need to do this from each client machine from which you connect):
$ ssh-keygen -t rsa
This will create two files in your (hidden) ~/.ssh directory called id_rsa and id_rsa.pub. id_rsa is your private key and id_rsa.pub is your public key.
If you don't want to be asked for a password each time you connect, just press Enter when asked for a password (passphrase) while creating the key pair. It is up to you to decide whether or not you should password-encrypt your key when you create it. If you don't password-encrypt your key, then anyone gaining access to your local machine will automatically have ssh access to the remote server. Also, root on the local machine has access to your keys, although one assumes that if you can't trust root (or root is compromised) then you're in real trouble. Encrypting the key adds additional security at the expense of eliminating the need to enter a password for the ssh server, only for it to be replaced with entering a password to use the key.
Now set permissions on your private key:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa
Copy the public key (id_rsa.pub) to the server and install it to the authorized_keys list:
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
Note: once you've imported the public key, you can delete it from the server.
Finally, set file permissions on the server:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
The above permissions are required if StrictModes is set to yes in /etc/ssh/sshd_config (the default).
Now when you log in to the server you won't be prompted for a password (unless you entered a password when you created your key pair). By default, ssh will first try to authenticate using keys. If no keys are found or authentication fails, then ssh will fall back to conventional password authentication.
Once you've checked that you can successfully log in to the server using your public/private key pair, you can disable password authentication completely by adding the following setting to your /etc/ssh/sshd_config file:
# Disable password authentication forcing use of keys
PasswordAuthentication no
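An added audit script (not from the original post) that checks an sshd_config and a ~/.ssh directory for what this section recommends: PermitRootLogin no, PasswordAuthentication no, StrictModes left at its default of yes, and the 700/600 permissions StrictModes requires. It assumes GNU coreutils stat (Linux) and reads only top-level directives, not Match blocks.

```shell
#!/bin/sh
# Added audit helper (not from the original post): checks an sshd_config and
# a ~/.ssh directory against the settings and permissions described above.
# Assumes GNU coreutils `stat -c %a`. sshd's "first match wins" rule is
# modelled by taking the first uncommented occurrence of each directive;
# Match blocks are not handled.

# Print the value of directive $2 in config file $1 (empty if unset).
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 when root logins and password authentication are disabled and
# StrictModes has not been turned off; report each deviation on stdout.
audit_sshd_config() {
    cfg=$1; rc=0
    root=$(sshd_get "$cfg" PermitRootLogin)
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    sm=$(sshd_get "$cfg" StrictModes)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}', want 'no'"; rc=1; }
    [ "$pw" = "no" ] || { echo "PasswordAuthentication is '${pw:-unset}', want 'no'"; rc=1; }
    [ "${sm:-yes}" = "yes" ] || { echo "StrictModes is '$sm', want 'yes' (the default)"; rc=1; }
    return $rc
}

# Return 0 when the directory is mode 700 and any id_rsa / authorized_keys
# inside it are mode 600, the permissions StrictModes insists on.
audit_ssh_dir() {
    dir=$1; rc=0
    mode=$(stat -c %a "$dir")
    [ "$mode" = "700" ] || { echo "$dir is mode $mode, want 700"; rc=1; }
    for f in id_rsa authorized_keys; do
        [ -e "$dir/$f" ] || continue
        mode=$(stat -c %a "$dir/$f")
        [ "$mode" = "600" ] || { echo "$dir/$f is mode $mode, want 600"; rc=1; }
    done
    return $rc
}

# Usage: sh ssh_audit.sh /etc/ssh/sshd_config [~/.ssh]
# With no arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
    fails=0
    audit_sshd_config "$1" || fails=1
    audit_ssh_dir "${2:-$HOME/.ssh}" || fails=1
    [ "$fails" -eq 0 ] && echo "all checks passed"
    exit "$fails"
fi
```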