Hardening SSH Access with Mandatory SSH Keys and Disabled Password Authentication -

Introduction to SSH Hardening

Securing SSH access is a no-brainer for any Linux administrator. One effective way to harden SSH access is by using mandatory SSH keys and disabling password authentication. I’ve seen this go wrong when people don’t take the time to set it up properly, so let’s walk through the process.

Understanding SSH Keys

SSH keys are a pair of cryptographic keys used for authentication. The private key is stored on the client machine, while the public key is stored on the server. When a user attempts to connect to the server, the client uses the private key to encrypt a message, which is then decrypted by the server using the public key. If the decryption is successful, the user is granted access.

To generate a pair of SSH keys, you can use the ssh-keygen command:

ssh-keygen -t ed25519

This will generate a pair of ED25519 keys, which are considered more secure than the traditional RSA keys. In practice, I usually start with ED25519 keys, as they provide better security and performance.

Configuring Mandatory SSH Keys

To configure mandatory SSH keys, you need to add the public key to the authorized_keys file on the server. You can do this by appending the public key to the file:

cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys

Alternatively, you can use the ssh-copy-id command to copy the public key to the server:

ssh-copy-id user@server

Replace user with your username and server with the hostname or IP address of the server. Don’t bother with manually copying the public key unless you have a specific reason to do so - ssh-copy-id makes it easy.

Disabling Password Authentication

To disable password authentication, you need to modify the SSH configuration file. The location of the configuration file varies depending on the Linux distribution. On most systems, it is located at /etc/ssh/sshd_config. The real trick is finding the correct file and making the necessary changes.

Open the configuration file in a text editor and add the following lines:

PasswordAuthentication no
ChallengeResponseAuthentication no

The first line disables password authentication, while the second line disables challenge-response authentication.

Restart the SSH service to apply the changes:

sudo systemctl restart sshd

On systems that use OpenSSH 8.2 or later, you can also use the ssh command to reload the configuration:

sudo sshd -t

This is where people usually get burned - forgetting to restart the SSH service or reload the configuration.

Verifying SSH Configuration

To verify that the SSH configuration is correct, you can use the ssh command with the -v option:

ssh -v user@server

This will display the SSH configuration and any errors that may occur during the connection process. In practice, I usually test the SSH connection with verbose mode enabled to catch any potential issues.

Troubleshooting

If you encounter any issues with SSH connections, you can check the system logs for errors. On most systems, the SSH logs are located at /var/log/auth.log or /var/log/secure.

You can also use the ssh command with the -vvv option to enable verbose mode:

ssh -vvv user@server

This will display detailed information about the SSH connection process and any errors that may occur.

Best Practices

To further harden SSH access, consider the following best practices:

Use a secure password for the private key
Store the private key in a secure location, such as an encrypted file or a hardware security module
Use a secure protocol, such as SSHv2
Disable root login and use a non-root user for SSH connections
Limit SSH access to specific IP addresses or networks

For more information on SSH security, you can refer to the OpenSSH documentation or the SSH protocol specification.