Server SSH Key Security
SSH (Secure Shell) is the default way to access a remote Linux server. This post will cover securing server access by disabling direct access to the root user and using public/private keys instead of passwords for login.
Restrict root login
A new Linux server, ubuntu in this example, only contains a root user. The root user is very important and allows unrestricted access to the entire system. Since the root user is unrestricted it isn't a good idea to allow people to directly login to the system as root. One or more users should be created so their access can be tailored to the individual's/group's specific requirements. If a malicious agent gains access to the system they will be restricted to the rights of the user they were able to penetrate with. Granting a user full sudo permissions isn't as big of a problem because attacks against root itself are still negated. The attacker will have to figure out the name of the user with sudo permissions, crack the public/private key to access the system, and then the user's password to affect system changes. This makes it much more difficult than just getting direct access to the root user
ssh login as root
ssh root@{SERVER_IP_OR_URL}
create new user
adduser loki
grant sudo privileges (optional)
usermod -aG sudo loki
open sshd_config
sudo nano /etc/ssh/sshd_config
disable root login (edit line and save)
PermitRootLogin no
reload ssh
sudo systemctl reload sshd
close remote session
exit
Restrict password login
It is also a good idea to restrict users from logging in using passwords, in favor of a public/private key pair. For starters, there is nothing to remember, you setup the keys and you are granted access to login. Passwords are shorter so they can be remembered, making them easier to crack. If they are too long they are usually written down somewhere, where they can be stolen. Some people use the same password in multiple places meaning your server can become compromised even if the password is obtained somewhere else. it is easy enough to generate key pairs for each user in a group so access for a single user can be revoked by removing that individual's key.
On your local system
generate key pair (leave passphrase blank)
ssh-keygen -t rsa -b 4096 -C "[email protected]"
push key to server
ssh-copy-id loki@{SERVER_IP_OR_URL}
login without password
ssh loki@{SERVER_IP_OR_URL}
open sshd_config
sudo nano /etc/ssh/sshd_config
disable password authentication (edit line and save)
PasswordAuthentication no
reload ssh
sudo systemctl reload sshd
Now the server is more secure because it doesn't allow direct access to the root user and only allows access using public/private key pairs.
You still need a secure place to store the root and user passwords so they can be accessed to make sudo system changes. Those should only be trusted to administrators.
Congratulations @clutteredcode! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOPThank you for share with us
thanks for the interest
Thank you for sharing great info with us .
Congratulations @clutteredcode! You have received a personal award!
Click on the badge to view your Board of Honor.
Do not miss the last post from @steemitboard:
SteemitBoard World Cup Contest - France vs Croatia
Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes
Congratulations @clutteredcode! You received a personal award!
You can view your badges on your Steem Board and compare to others on the Steem Ranking
Vote for @Steemitboard as a witness to get one more award and increased upvotes!