Securing SSH Access

This article assumes that SSH is installed and listening on port 22 of the server.  In this example, the SSH server is Ubuntu 14.04 running OpenSSH.

Also in this example, we will use 192.168.1.50 as the IP address of the SSH server, jdoe as the user account on the server and jdoe@domain.com as your email address, so remember to change these to the actual values in your environment.

Generate an RSA Key Pair

In Windows, generating RSA keys can be done using PuTTYgen.  You can download this utility here.  Follow the directions found here to generate a key pair.  You would also use PuTTY to remotely access the SSH server.  This example uses a Mac OS X client, although the procedure is very similar for Linux clients.

In the OS X client, open Terminal and enter the following command:

ssh-keygen -t rsa -b 4096 -C "jdoe@domain.com"

You will be prompted for a location. Press Enter to accept the default.  The next prompts will be for a passphrase and confirmation.  Use a strong passphrase. Once the key pair has been generated, run the following commands:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

You will be prompted for the passphrase you set up earlier.  (After this, you will no longer need to remember it, as Keychain will remember it for you.)

Add the Public Key to the Server

From Terminal, enter the following command:

scp ~/.ssh/id_rsa.pub jdoe@192.168.1.50:~/.

Log in to the SSH server as jdoe.  Enter the following commands (if ~/.ssh/authorized_keys already exists, append the key to it with cat >> instead of replacing it with mv):

mkdir -p ~/.ssh
chmod 700 ~/.ssh
mv ~/id_rsa.pub ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Log out of the SSH server.  From Terminal in OS X, test your connection:

ssh jdoe@192.168.1.50

If you are prompted for a password, something is wrong.  Review the procedure above and try again.  Once you are sure you can log in without being asked for a password, proceed with the following steps.

Lock Down SSH Server

Log in to the server as jdoe if you are not already logged in. Enter the following command:

sudo nano /etc/ssh/sshd_config

While the editor is open, look for the following line:

#PasswordAuthentication yes

Ensure that this line stays commented out (starts with a hash) and add the following line immediately below it:

PasswordAuthentication no

Next, look for the following lines:

# What ports, IPs and protocols we listen for
Port 22

Change 22 to another number, for example 25022.  Finally, add the following line to the bottom of the file:

AllowUsers jdoe


Press Ctrl+X, enter "y" and press Enter to save and close the editor.  Enter the following command to restart SSH:

sudo service ssh restart

You are now ready to access the server securely over SSH.  Remember to include the port number in your ssh command from the client.  Using the above example, that would look like this:

ssh -p 25022 jdoe@192.168.1.50
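The three sshd_config edits above are made by hand in nano; as an added example that is not part of the original article, the POSIX shell script below makes the same three changes idempotently (a commented-out line such as #PasswordAuthentication yes becomes the active setting, duplicates are dropped, missing keys are appended) and audits that they are in effect. It assumes only POSIX sh and awk, takes the config file path as an argument, and uses the article's values (25022, jdoe); the sample config used in testing is constructed.

```shell
# Added example (not from the original article): apply the article's three
# sshd_config changes idempotently and audit that they are in effect.
# Assumes POSIX sh and awk; FILE is any sshd_config path passed as an argument.

# get_sshd_option FILE KEY: print the effective value (first uncommented line
# for KEY; sshd keywords are case-insensitive) or nothing if KEY is unset.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# set_sshd_option FILE KEY VALUE: the first active or commented "KEY ..." line
# is rewritten as "KEY VALUE", later duplicates are dropped (sshd honours only
# the first occurrence), and the line is appended if KEY never appeared.
set_sshd_option() {
    tmp="$1.tmp.$$"
    awk -v k="$2" -v v="$3" '
        {
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)   # drop any "#" prefix
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k, v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k, v }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# audit_sshd FILE: return 0 only if password logins are off, the port is not
# 22 and an AllowUsers list exists; print each missing setting otherwise.
audit_sshd() {
    rc=0
    [ "$(get_sshd_option "$1" PasswordAuthentication)" = no ] ||
        { echo "PasswordAuthentication is not 'no'"; rc=1; }
    port=$(get_sshd_option "$1" Port)
    [ -n "$port" ] && [ "$port" != 22 ] ||
        { echo "Port is 22 (explicitly or by default)"; rc=1; }
    [ -n "$(get_sshd_option "$1" AllowUsers)" ] ||
        { echo "AllowUsers is not set"; rc=1; }
    return "$rc"
}

# harden_sshd FILE: the three changes from the article, in one call.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no &&
        set_sshd_option "$1" Port 25022 &&
        set_sshd_option "$1" AllowUsers jdoe
}
```

Run sudo sshd -t after editing and before sudo service ssh restart, and keep your current session open until a fresh connection on the new port succeeds; a typo in the file or a firewall that still allows only port 22 would otherwise lock you out.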

11-Dec-2015