
Jesses Software Engineering Blog

Nov 01

Jesse

Disable SSH Access Using Keys

On most Linux installs password-based SSH login is enabled by default. While the need for this is debatable, I generally disable password SSH’ing to disallow public access. Another important change to the SSH configuration is to disable root access, i.e. prevent anybody from SSH’ing into the server as root. Users with sudo access should be required to SSH in as themselves and enter a password to gain root privileges on the server.

Generate the Keys

First generate a key pair on the machine the user works from (the public half is what gets copied to the server):

ssh-keygen -t rsa

Stick with the default location for the key, and enter a passphrase to require passphrase entry every time the key is used.

Next move the new public key onto the server. This can be done with a special SSH command:

ssh-copy-id user@123.45.56.78

Or use scp and cat. Run the scp command from the local machine and the cat command on the server (or do it all locally with a more advanced Linux command):

scp /home/user/.ssh/id_rsa.pub user@123.45.56.78:/home/user/.ssh/
cat /home/user/.ssh/id_rsa.pub >> /home/user/.ssh/authorized_keys

When prompted about “The authenticity of host…”, be sure to enter yes. Before continuing, verify that the user is able to SSH onto the server without being prompted for a password.

Updating SSH Server

The final step is updating the server’s sshd configuration to disallow SSH’ing in without a key. Make the following changes to the sshd_config:

vi /etc/ssh/sshd_config

PermitRootLogin         no
RSAAuthentication       yes
PubkeyAuthentication    yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication  no

The above changes deny the ability to SSH into the server as root, or to SSH in using a user/password combination. This requires that users have keys set up on both their local machines and the server, so users can only log in from machines where their key is present. The downside is that if a user’s key is stolen their account can be compromised, in which case a strong passphrase will help prevent unauthorized access.

Finally reload the SSH configuration:

sudo service sshd reload

To verify the setup works, attempt to SSH into the server from a different machine that does not have a copy of the RSA key. The attempt should fail with a message similar to “No supported authentication methods available…” (depending on the SSH client being used).
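As an added check, not part of the original post and not an OpenSSH tool, the following POSIX shell script audits an sshd_config file for the settings above. It mirrors two sshd parsing rules (the first value found for a keyword wins, and lines after a Match block are conditional, so only the global section is read), fills in sshd’s built-in defaults for keywords that are absent, and additionally checks ChallengeResponseAuthentication, which also has to be no on systems where PAM keyboard-interactive authentication would otherwise still accept a password. RSAAuthentication is deliberately not checked: it applied only to SSH protocol 1 and current OpenSSH treats it as a deprecated option. The two sample configs are constructed for the demo and are not real server files.

```shell
#!/bin/sh
# Audit an sshd_config for key-only login settings. Added example, not
# part of the original post; the sample configs below are constructed.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD in FILE (lowercased), or
# nothing if it is unset. sshd keeps the first value it reads for a
# keyword, and everything after the first "Match" line is conditional,
# so only the global section before it is considered. The "Key=Value"
# spelling is not handled here.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF == 0 { next }                   # comments, blank lines
        tolower($1) == "match" { exit }                 # stop at first Match block
        tolower($1) == key { print tolower($2); exit }  # first value wins
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per setting and returns 0 only if every setting from
# the post is enforced. Absent keywords take sshd's built-in default.
audit_sshd_config() {
    rc=0
    # keyword  required-value  sshd-default-when-absent
    while read -r key want default; do
        got=$(effective_value "$1" "$key")
        [ -z "$got" ] && got=$default
        if [ "$got" = "$want" ]; then
            echo "ok    $key=$got"
        else
            echo "FAIL  $key=$got (want $want)"
            rc=1
        fi
    done <<EOF
PermitRootLogin no prohibit-password
PubkeyAuthentication yes yes
PasswordAuthentication no yes
ChallengeResponseAuthentication no yes
EOF
    return $rc
}

# make_samples
# Writes two constructed configs into a temp directory and prints its path:
# weak.conf still accepts passwords and root, hardened.conf matches the post.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/weak.conf" <<'EOF'
# Typical distro default: root allowed, password line left commented out
PermitRootLogin yes
#PasswordAuthentication no
EOF
    cat >"$dir/hardened.conf" <<'EOF'
PermitRootLogin         no
PubkeyAuthentication    yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication  no
ChallengeResponseAuthentication no
# A later duplicate is ignored by sshd because the first value wins
PasswordAuthentication  yes
EOF
    echo "$dir"
}

# Stand-alone demo: audit both constructed configs.
samples=$(make_samples)
for f in weak.conf hardened.conf; do
    echo "== $f"
    audit_sshd_config "$samples/$f" || echo "=> $f would still accept password or root logins"
done
```

To audit a real server, call audit_sshd_config /etc/ssh/sshd_config before reloading sshd. Newer OpenSSH releases spell the keyboard-interactive setting KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as an alias; if your config uses the new name, add a matching row to the table in audit_sshd_config.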
