Document made with KompoZer

Configuring ssh

The ssh command allows one to log on to a remote system securely and to execute commands there.   It can even be used as a channel to run a remote X server with the display locally.    Authentication on the remote machine can best be done by cryptographically matching public and private keys for the user.   If that isn't available or fails, a regular userid and passwd can be accepted, but this is less secure and less convenient.   Both the intial authentication and the subsequent data transfers are encrypted, so the complete exchange is secure over an insecure medium like the internet.

Ssh is the only means to access my main server from the wild and dangerous internet, and I rely heavily on its security.   Several cryptographic methods are available but, according to this article,  DSA keys are no longer considered secure; RSA keys are better.  To make a connection, a user must create an RSA public/private key pair, id_rsa.pub and id_rsa and put the private key in his local ~$HOME/.ssh/id_rsa file and append the public key to the $HOME/.ssh/authorized_keys file on the remote machine.  Setting this up is somewhat intricate, and requires administrative access to the remote machine.

It is feasible to allow easy access among a set of machines, for each user:

  • On each machine generate a public/private key pair, putting them into ~/.ssh,  id_rsa.pub and id_rsa, respectively. 
  • Copy the public key (and ONLY the public key) to a central temporary file.
  • Concatenate the public keys from all the machines into a single file.
  • Distribute this file.   Copy it to ~/.ssh/authorized_keys on all the machines.

With a common set of public keys on each machine and the private keys securely saved in unreadable files on each machine, that user can instantly log in from any machine to any other without ever typing a password again.

This process must be performed for each user - me, root, and any other users in my network.   To simplify this tedious and complex operation, I've written a little script, /usr/local/bin/sshsetup.   Feel free to copy and edit it for your own setup.   Running it requires the password to be manually entered twice for each system, but thereafter, never again.

Additional security measures

While running the sshsetup script for root, it is necessary to permit login with a password.   However, after the public/private key method is functioning, it is essential to disable that mode.   Edit /etc/ssh/sshd_config to say
   PermitRootLogin without-password
That will mean root must use the private/public key exchange and not a password, thus restricting access to members of the configured group of machines.

Experience (and log files) show that attempts to log in by unauthorized persons via ssh are common.   Attackers use scripts to repeatedly try, using guesses at valid userids and passwds.   Although Linux passwords are pretty secure, the monkey principle says that with enough attempts, a lucky guess may eventually succeed.   To combat that threat, the denyhosts package was developed.   It monitors and counts unsuccessful login attempts and blocks offenders after a specified number of failures.   The IP of the attacker is added to /etc/denyhosts so that all subsequent traffic from that site is blocked.

In /etc/denyhosts.conf it is possible to set your tolerance level for several categories of attack.   The details can be found in the extensive comments there.

A newer way to bar intruders is the fail2ban program.  It adds DROP rules to the kernel's iptables rules, and is more efficient than denyhosts.  Both can be used simultaneously.