Jesse's Software Engineering Blog
Disable SSH Access Using Keys
On most Linux installs anonymous SSH is enabled by default. While the need for this is debateable, I generally disable password SSH’ing to disallow public access. Another important change to the SSH configuration is to disable root access i.e. prevent anybody from SSH’ing into the server as root. User’s with sudo access should be required to SSH in as themselves and use a password to use root privileges on the server.
Generate the Keys
First generate a public key on the machine the user works from:
ssh-keygen -t rsa
Stick with the default location for the key, and enter a passphrase to require passphrase entry every time the key is used.
Next move the new public key onto the server. This can be done with a special SSH command:
Or using scp and cat. Run the scp from the local machine, and the cat command on the server (or do it all locally with a more advanced Linux command):
scp /home/user/.ssh/id_rsa.pub email@example.com:/home/user/.ssh/ cat /home/user/.ssh/id_rsa.pub >> /home/user/.ssh/authorized_keys
When prompted about “The authenticity of host…”, be sure to enter yes. Before continuing verify that the user is able to SSH onto the server without being prompted for a password.
Updating SSH Server
The final step is updating the server’s sshd configuration to disallow SSH’ing in without a key. Make the following changes to the sshd_config:
vi /etc/ssh/sshd_config PermitRootLogin no RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication no
The above changes have denied the ability to SSH into the server as root, or to be able to SSH in using a user/password combination. This requires that user’s have keys set on local machines and the server. This allows users to only login from machines where they have their key. The downside to this is that if a user’s key is stolen their account can be compromised, in which case a strong pass phrase will help prevent unauthorized access.
Finally reload the SSH configuration:
sudo service sshd reload
To verify the set up works, attempt to SSH into the server from a different machine which does not have a copy of the RSA key. The attempt should result in an error with a message similar to, “No supported authentication methods available…” (depending on the SSH client being used).