12 October 2013 22:25

This article shows how to raise the security of an SSH server by switching to public-key authentication.

Raspbian and Debian are used here; Ubuntu works the same way.

 

VPN 11 : SSH with Public-Key Authentication

SSH Server OS : Raspbian June 2014

SSH Client OS : Debian 7.5

 

Last edited July 28 2014

 

1. Security benefits of SSH with Public-key Authentication

Besides the basic features of SSH (encryption, integrity protection of the connection), authenticating with public keys brings several extra security benefits :

. A very strong credential that you don't have to retype at each login (the client uses the key file automatically, or once it has been unlocked in ssh-agent)

. Guessing the key is infeasible because of its length (2048 bits or more for RSA; 1024-bit RSA keys are no longer considered adequate), whereas passwords are guessed routinely

. Better protection against man-in-the-middle attacks (see the note below)

. The possibility to disable password authentication altogether, which makes the mass automated login attempts against port 22 useless

. The secret never leaves the client: the server only holds the public key, so a compromised SSH server cannot steal your private key, unlike a password, which is sent to the server at every login

. Policy enforcement: the administrator decides exactly which keys may log in (the authorized_keys file) instead of relying on users to choose strong passwords

. Revocation: removing a key's line from authorized_keys revokes that key immediately

 

Note on MITM protection: with password authentication, the only protection against a man in the middle is the host-key check the client performs (the "host key has changed" warning). If the user accepts a wrong host key, the password is sent straight to the attacker, who can then log in to the real server as that user. With public-key authentication the client signs data that includes the session identifier of that particular connection, so a signature captured by a man in the middle cannot be replayed to the real server and the attacker learns nothing reusable. Accepting a wrong host key is still not harmless: the attacker can present a fake server to the user and capture whatever is typed into it (a sudo password, for example).

 

2. SSH with Public-key Authentication setup


On the Client :

ssh-keygen
[Enter] = default location = /home/[user]/.ssh/
[Enter] = no passphrase (a passphrase is recommended, see section 3)
[Enter]

Your identification has been saved in /home/[user]/.ssh/id_rsa.
Your public key has been saved in /home/[user]/.ssh/id_rsa.pub.

id_rsa is the private key and must never leave the client; id_rsa.pub is the public key and is the only file that gets copied to the server.

On the Server :

mkdir /home/[user]/.ssh
cd .ssh

We copy the public key here. Ex, using scp on the client :
scp id_rsa.pub [user]@[ip]:/home/[user]/.ssh


On the Server, we add the key to authorized_keys :

cat id_rsa.pub >> authorized_keys

Permissions matter here: sshd (with its default StrictModes yes) silently ignores authorized_keys when the home directory, .ssh or authorized_keys is writable by group or others, and the login then falls back to a password prompt with no explanation. .ssh should be mode 700 and authorized_keys mode 600, both owned by the user. The copied id_rsa.pub can be deleted from the server afterwards; it contains no secret, so this is tidiness rather than security.

The next login will use the key and no password will be asked. Keep the current session open until this has been confirmed, especially before disabling password login in the next section.
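The server-side part of the procedure above (in practice `ssh-copy-id user@ip` on the client does the same job), as an added example that is not code from the original post. It writes the key the way sshd expects it, refuses to add the same key twice, and then checks the permission rules that StrictModes enforces. The function names, the throwaway directory and the key line (a placeholder, not a real Ed25519 key) are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the original post: put a public key into a
# user's authorized_keys the way sshd expects it, and verify the permission
# rules that sshd's default "StrictModes yes" applies (a group- or
# world-writable home, .ssh or authorized_keys makes sshd ignore the keys,
# and the login silently falls back to a password prompt).
# Helper names (install_pubkey, check_strict_modes) are this example's own.
set -e

# Append the public key in $2 to $1/.ssh/authorized_keys, creating the
# directory (mode 700) and the file (mode 600) if needed. A key that is
# already present (same type and same base64 blob) is not added twice.
install_pubkey() {
    home=$1
    pubkey_file=$2
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    # Accept only a line that looks like an OpenSSH public key: "<type> <base64> [comment]"
    if ! grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$pubkey_file"; then
        echo "refusing $pubkey_file: not an OpenSSH public key line" >&2
        return 1
    fi

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    ( umask 077; touch "$authkeys" )   # created owner-only from the start
    chmod 600 "$authkeys"

    # Compare type and key blob only, so a different comment is not a "new" key.
    keyid=$(awk '{ print $1 " " $2 }' "$pubkey_file")
    if awk '{ print $1 " " $2 }' "$authkeys" | grep -qxF "$keyid"; then
        echo "already present: $keyid"
        return 0
    fi
    cat "$pubkey_file" >> "$authkeys"
    echo "added to $authkeys"
}

# Return 0 if $1, $1/.ssh and $1/.ssh/authorized_keys all exist and none of
# them is writable by group or others, which is what StrictModes checks
# (ownership must also be the user's; that part is not checked here).
check_strict_modes() {
    home=$1
    ok=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path" >&2; ok=1; continue
        fi
        perms=$(ls -ld "$path" | cut -c1-10)   # e.g. drwxrwxr-x
        case $perms in
            ?????w*|????????w*) echo "group/world writable: $path ($perms)" >&2; ok=1 ;;
        esac
    done
    return $ok
}

# Demonstration on a throwaway directory with a constructed, non-functional
# key line (the base64 part is a placeholder, not a real Ed25519 key).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/home" && chmod 755 "$demo_dir/home"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey00000000000000000 user@client' \
    > "$demo_dir/id_ed25519.pub"
install_pubkey "$demo_dir/home" "$demo_dir/id_ed25519.pub"   # adds it
install_pubkey "$demo_dir/home" "$demo_dir/id_ed25519.pub"   # already present
check_strict_modes "$demo_dir/home" && echo "permissions OK"
rm -rf "$demo_dir"
```

Run it as the target user on the server with the real home directory and the copied id_rsa.pub; if a key login still falls back to a password afterwards, check_strict_modes tells you which path sshd is objecting to. The duplicate check compares only the key type and blob, since the trailing comment is free text and changing it does not make a different key.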

 

3. SSH with Public-Keys Authentication Enhanced security

Two extra steps are needed to enhance the security level :

. Protecting the private key

. Disabling password login and root login

 

Protecting the private key


During the key creation, we can choose a passphrase. It is good security practice: the passphrase encrypts the private key file on disk, so a copy of id_rsa that is lost or stolen (an old backup, a stolen laptop, a compromised account) is useless to whoever gets it without the passphrase. A key that was generated without one can be protected afterwards with ssh-keygen -p.

We finally make the private key readable by its owner only: chmod 600. The ssh client refuses to use a private key that other users can read and prints "UNPROTECTED PRIVATE KEY FILE!".

Notes on adding a passphrase :
It does not make the key itself stronger; it protects the key file at rest, for the case where the file gets copied.
It is distinct from the regular SSH login password and never travels over the network.
It has to be typed each time the key is used, unless the key is loaded once per session into ssh-agent.

By default, after 3 wrong passphrases (the client's NumberOfPasswordPrompts setting), the client falls back to a regular user/password login, which stays possible until password login is disabled on the server.

 

disabling password login :
we disable it on the server :
sudo nano /etc/ssh/sshd_config

----------------------------------------------------

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

----------------------------------------------------

ChallengeResponseAuthentication must be no as well: otherwise a password can still be typed through the keyboard-interactive method (handled by PAM) even with PasswordAuthentication no. UsePAM no is optional once those two are set, and on Debian it has side effects (PAM account and session modules such as account expiry, resource limits and the login message no longer run), so many setups keep UsePAM yes. On OpenSSH 8.7 and later the option is named KbdInteractiveAuthentication; the old name is still accepted.

sshd uses the first value it finds for a setting, so edit the existing line rather than adding a second one at the end of the file.

nb : there should still be :

------------------------------------------------------
RSAAuthentication yes
PubkeyAuthentication yes

-------------------------------------------------------

(The keyword is PubkeyAuthentication, not PublickeyAuthentication, which sshd rejects as a bad option. RSAAuthentication only concerns the obsolete SSH protocol 1 and is ignored with a deprecation warning since OpenSSH 7.4; PubkeyAuthentication is the one that matters and is yes by default.)

After editing, check the syntax with sudo sshd -t, restart the ssh service, and test a new login from a second terminal before closing the one you are in.

disabling root login :

we disable it on the server :
sudo nano /etc/ssh/sshd_config

---------------------------------------------------------

PermitRootLogin no

---------------------------------------------------------

Administration is then done through a regular user and sudo. If a key-based root login is really needed (backups, automation), PermitRootLogin without-password (renamed prohibit-password in OpenSSH 7.0) allows root with a key only, never with a password.
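The edits of this section, applied and checked from a script rather than by hand, as an added example that is not code from the original post. It exists mainly because of two things that bite people when editing sshd_config: sshd takes the first value it sees for a keyword, so a line appended at the end of the file can be silently overridden by an earlier one, and on OpenSSH 8.2 and later an Include line near the top (Debian 12 uses /etc/ssh/sshd_config.d/) pulls in files that count at that point. The function names and the sample configuration file are this example's own constructions; UsePAM is deliberately left untouched, for the reason given above.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect and harden the
# authentication settings of an sshd_config file. sshd takes the FIRST value
# it sees for a keyword (keywords are case-insensitive), the global section
# ends at the first "Match" line, and files pulled in by "Include"
# (OpenSSH 8.2+) count at the point of inclusion. Run "sudo sshd -t" on the
# result before restarting sshd. Function names are this example's own.
set -e

# Print the effective global value of keyword $2 in file $1 (empty if unset).
effective_setting() {
    cfg=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { s = $0; sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s) }
        s == "" || s ~ /^#/     { next }                # blank or comment
        { split(s, f, /[ \t=]+/); k = tolower(f[1]) }   # "Key value" or "Key=value"
        k == "match"            { exit }                # end of global scope
        k == "include"          { seen_include = 1 }
        k == key {
            if (seen_include)
                print "warning: an Include precedes " key ", an included file may override it" > "/dev/stderr"
            print f[2]; exit
        }
    ' "$cfg"
}

# Set keyword $2 to value $3 in file $1: drop every global occurrence and
# write the new line at the very top, where it wins over Include and anything
# else. Rewriting in place (cat >) keeps the file owner and mode.
set_setting() {
    cfg=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    tmp=$(mktemp)
    awk -v key="$key" -v line="$2 $3" '
        NR == 1 { print line }
        { s = $0; sub(/^[ \t]+/, "", s) }
        s == "" || s ~ /^#/ { print; next }
        { split(s, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match"            { in_match = 1 }
        !in_match && k == key   { next }                # old global value goes away
        { print }
        END { if (NR == 0) print line }                 # empty input file
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# The settings from section 3 of the post. UsePAM is left alone on purpose:
# the two "no" lines already refuse passwords, and "UsePAM no" would also
# stop PAM account/session modules on Debian.
harden_sshd_config() {
    set_setting "$1" PasswordAuthentication no
    set_setting "$1" ChallengeResponseAuthentication no
    set_setting "$1" PubkeyAuthentication yes
    set_setting "$1" PermitRootLogin no
}

# Return 0 if every hardening setting has its expected value, else 1.
check_hardened() {
    cfg=$1
    rc=0
    for pair in PasswordAuthentication:no ChallengeResponseAuthentication:no \
                PubkeyAuthentication:yes PermitRootLogin:no; do
        k=${pair%%:*}; want=${pair#*:}
        got=$(effective_setting "$cfg" "$k")
        if [ "$got" != "$want" ]; then
            echo "$k is '${got:-unset}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed sample file (not a real server's config).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
echo "before: PasswordAuthentication=$(effective_setting "$cfg" PasswordAuthentication)"
check_hardened "$cfg" || echo "not hardened yet"
harden_sshd_config "$cfg"
echo "after:  PasswordAuthentication=$(effective_setting "$cfg" PasswordAuthentication)"
check_hardened "$cfg" && echo "hardened"
rm -f "$cfg"
```

Work on a copy of /etc/ssh/sshd_config, diff it against the original, run sudo sshd -t on it, and only then move it into place and restart the service, from a terminal other than the session you are already logged in with. The Match block in the sample is left intact by set_setting, because settings inside a Match apply only to the matched users and are not the global value.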


4. Using a private port / Fail2Ban

Finally, you may want to consider these extra measures :

. Moving the listening port of your router or server to a port in the dynamic/private range (TCP 49152-65535). This does not stop a targeted attacker (a port scan finds the new port in seconds), but it removes most of the background noise of automated scans against port 22 from the logs.

. Using Fail2Ban, at least when moving the port is not possible: it reads the sshd log and temporarily bans addresses that fail to log in repeatedly, which is the stronger of the two measures as long as password login is still enabled.
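What Fail2Ban actually does with the sshd log, written out in awk so the behaviour is visible, as an added example that is not code from the original post or from Fail2Ban. An address is reported when it produces at least maxretry "Failed password" lines within a sliding window of findtime seconds, which is the rule Fail2Ban applies before banning. The function name and the sample log lines are this example's own constructions (the addresses are the RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example, not part of the original post: the detection logic Fail2Ban
# applies to sshd, in awk. An address is reported when it produces at least
# $2 "Failed password" lines within a sliding window of $3 seconds
# (Fail2Ban's maxretry and findtime). Each "Failed password" line counts
# once; "Invalid user" lines are not counted so that an unknown user's
# attempt is not counted twice. Names and sample data are this example's own.
set -e

# Print, once each and in order of detection, the source addresses that
# reached maxretry failed password attempts within findtime seconds.
bruteforce_ips() {
    logfile=$1; maxretry=$2; findtime=$3
    awk -v maxretry="$maxretry" -v findtime="$findtime" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        # syslog format: "Oct 12 22:25:01 host sshd[pid]: Failed password for ... from <ip> port <p> ssh2"
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 5; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            # seconds on an arbitrary scale; syslog carries no year, which only
            # matters for a log that spans New Year
            split($3, hms, ":")
            t = ((mon[$1] * 31 + $2) * 24 + hms[1]) * 3600 + hms[2] * 60 + hms[3]
            # keep only this address'"'"'s failures that are still inside the window
            c = 0; kept = ""
            k = split(hist[ip], h, " ")
            for (i = 1; i <= k; i++) if (h[i] >= t - findtime) { kept = kept " " h[i]; c++ }
            hist[ip] = kept " " t; c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }
    ' "$logfile"
}

# Demonstration on constructed log lines: one fast attacker (203.0.113.7),
# one slow attacker (198.51.100.4, one attempt every half hour) and a
# legitimate user who mistyped once (192.0.2.10).
log=$(mktemp)
cat > "$log" <<'EOF'
Oct 12 22:00:00 pi sshd[1001]: Failed password for root from 198.51.100.4 port 50001 ssh2
Oct 12 22:25:01 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 12 22:25:03 pi sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 12 22:25:04 pi sshd[1203]: Accepted publickey for pi from 192.0.2.10 port 40000 ssh2
Oct 12 22:25:05 pi sshd[1204]: Failed password for pi from 192.0.2.10 port 40001 ssh2
Oct 12 22:25:06 pi sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Oct 12 22:30:00 pi sshd[1301]: Failed password for root from 198.51.100.4 port 50002 ssh2
Oct 12 23:00:00 pi sshd[1401]: Failed password for root from 198.51.100.4 port 50003 ssh2
EOF
echo "maxretry 3, findtime 600 s (Fail2Ban's default findtime):"
bruteforce_ips "$log" 3 600     # 203.0.113.7 only: the slow attacker stays under the window
echo "maxretry 3, findtime 3600 s:"
bruteforce_ips "$log" 3 3600    # 203.0.113.7 then 198.51.100.4
rm -f "$log"
```

The second run shows the trade-off behind findtime: a short window keeps a user who mistypes a few times from being locked out, but a patient attacker who spaces attempts out stays under it, which is one more reason to disable password login rather than rely on banning alone. On a live Raspbian or Debian 7 box the input would be /var/log/auth.log, and the printed addresses are what Fail2Ban hands to iptables.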

 

5. Adding a Banner that will be displayed before authentication

Adding a banner may be useful, for information display or for warning / legal notices. Since it is sent before authentication, everyone who connects sees it, scanners included, so it should not reveal the host name, the OS or software versions.

we set it on the server :
sudo nano /etc/ssh/sshd_config

we uncomment this line :

--------------------------------------------------------------

Banner /etc/issue.net

--------------------------------------------------------------

We then edit /etc/issue.net as we wish.

 

Published by computer outlines in VPN