Hardening SSH with Authorized Keys¶
Table of Contents¶
- Overview
- Authorized Keys
- Generating an SSH Key
- Authorizing a User with Public Key Authentication
- Change Auth Method of SSH to Public Key Auth Only
Overview¶
I found multiple attempts to login to my server via SSH.
All of these attempts failed due to wrong passwords or non-existent usernames.
So even though no one succeeded in getting in to my server, I still want to make sure no one can get in unless I want them to.
To that end, I changed the server's SSH configuration (in /etc/ssh/sshd_config) to
only allow those with authorized SSH keys to connect
- "client" refers to the Local Machine
- "server" refers to the Remote Machine
Authorized Keys¶
When an SSH connection is made, and the server's configuration has
PublicKeyAuthentication yes set, the server will check the user's authorized_keys
file to see if the user is allowed to log in.
Authorized keys are stored in the remote user's home directory, in ~/.ssh/authorized_keys.
For example:
* If I'm trying to log in as kolkhis@remote-server, then the authorized_keys
file will be remote-server:/home/kolkhis/.ssh/authorized_keys.
Change Auth Method of SSH to PublicKey Auth Only¶
Generating an SSH Key¶
If you don't already have an SSH key, you'll need to generate one.
On the client, generate an SSH key with:
ssh-keygen -t ed25519
-C "comment".
Next, grab the public key (NOT THE PRIVATE KEY!) from ~/.ssh/id_ed25519.pub.
Public keys will always end with .pub.
cat ~/.ssh/id_ed25519.pub
Authorizing a User with Public Key Authentication¶
On the Server, add the contents of the public key file to ~/.ssh/authorized_keys.
* This is in the home directory of the user you're logging in as.
* If the file doesn't exist, create it.
The public SSH key will look like:
ssh-ed25519 AAAAsdfNonsensicalKeyText comment if you made one
authorized_keys file should be a single public key.
Update sshd_config to only allow Public Key Authentication¶
A quick note:
Using this, you MUST have a public key in the authorized_keys file to access
the server.
Any other authentication methods will not work (unless you allow password auth in step 5).
Only do this after accessing the server and making sure you have your key in there. Otherwise you could lock yourself out of the server.
Now we need to go to the server's SSH configuration file, and change a few things.
-
Open
/etc/ssh/sshd_configas root (sudo):sudo vi /etc/ssh/sshd_config- Make sure to run with
sudo, since this file requires root access to write to.
- Make sure to run with
-
Find
PermitRootLogin, uncomment it and change tono:PermitRootLogin no- This will prevent the root user from logging in via SSH.
- This is a good security practice (the "Rule of Least Privilege").
- Any user that needs root access should be in the
sudogroup.
-
Do the same for
PasswordAuthentication:PasswordAuthentication no- This will disable password authentication.
- This is optional, but unless you need to access the server from new devices frequently, it's a good idea to disable it.
-
(Optional) Find
AuthorizedKeysFileand uncomment it.- By default it is
~/.ssh/authorized_keys, so you really only need to do this if you want to use more than one file (like a global file). - It should look like this:
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 - You can add more files to the list if you want to.
- By default it is
-
Add the setting
AuthenticationMethodsand set it topublickey:AuthenticationMethods publickey # Or, if you want to use both password and public key auth: AuthenticationMethods publickey,password PublicKeyAuthentication yesAuthenticationMethods publickey: Sets public key authentication as the ONLY auth method permitted.- This essentially disables password authentication.
PublicKeyAuthentication yes: This enables public key authentication.- Use this instead if you also want to use other authentication methods.
-
Now, reload SSH with
systemctl:sudo systemctl restart ssh
Now your server will only accept SSH connections from clients that have their
public keys in the .ssh/authorized_keys file.