The ssh command allows one to log on to a remote system securely and to execute commands there. It can even be used as a channel to run a remote X server with the display locally. Authentication on the remote machine is best done by cryptographically matching public and private keys for the user. If that isn't available or fails, a regular userid and passwd can be accepted, but this is less secure and less convenient. Both the initial authentication and the subsequent data transfers are encrypted, so the complete exchange is secure over an insecure medium like the internet.
Ssh is the only means to access my main server from the wild and dangerous internet, and I rely heavily on its security. Several cryptographic methods are available but, according to this article, DSA keys are no longer considered secure; RSA keys are better. To make a connection, a user must create an RSA public/private key pair, id_rsa.pub and id_rsa, put the private key in his local $HOME/.ssh/id_rsa file, and append the public key to the $HOME/.ssh/authorized_keys file on the remote machine. Setting this up is somewhat intricate, and requires administrative access to the remote machine.
It is feasible to allow easy access among a set of machines, for each user:
With a common set of public keys on each machine and the private keys securely saved in unreadable files on each machine, that user can instantly log in from any machine to any other without ever typing a password again.
This process must be performed for each user - me, root, and any other users in my network. To simplify this tedious and complex operation, I've written a little script, /usr/local/bin/sshsetup. Feel free to copy and edit it for your own setup. Running it requires the password to be manually entered twice for each system, but thereafter, never again.
Additional security measures
While running the sshsetup script for root, it is necessary to
permit login with a password. However, after the
public/private key method is functioning, it is essential to disable
that mode. Edit /etc/ssh/sshd_config to say
Experience (and log files) show that attempts to log in by unauthorized persons via ssh are common. Attackers use scripts that try again and again with guesses at valid userids and passwds. Although Linux passwords are pretty secure, the monkey principle says that with enough attempts, a lucky guess may eventually succeed. To combat that threat, the denyhosts package was developed. It monitors and counts unsuccessful login attempts and blocks offenders after a specified number of failures. The IP of the attacker is added to /etc/denyhosts so that all subsequent traffic from that site is blocked.
In /etc/denyhosts.conf it is possible to set your tolerance
level for several categories of attack. The details can be
found in the extensive comments there.
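The counting idea described above, as an added example that is not denyhosts' own code and not part of the original page: it tallies failed ssh password logins per source address and per category, then reports the sources that reached a threshold. The log line layout (OpenSSH "Failed password" messages), the three category names, the threshold values and the sample log are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed tolerances: failed attempts allowed per source before it is blocked.
THRESHOLDS = {"root": 1, "invalid": 2, "valid": 5}

# The user name is remote-supplied text, so the address is read from the fixed
# tail of the line ("from <ip> port <n> ssh2"), never from the first "from".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<inv>invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = """\
Mar  3 02:11:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 02:11:03 host sshd[4103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 02:15:40 host sshd[4188]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 02:15:52 host sshd[4188]: Accepted publickey for alice from 198.51.100.20 port 51514 ssh2
Mar  3 02:20:09 host sshd[4230]: Failed password for invalid user test from 192.0.2.99 port 33810 ssh2
Mar  3 02:20:11 host sshd[4232]: Failed password for invalid user x from 198.51.100.20 from 192.0.2.99 port 33822 ssh2
"""

def offenders(log_text, thresholds=THRESHOLDS):
    """Return {ip: category} for each source that reached a threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # not a literal address: never put it in a block list
        category = "invalid" if m["inv"] else "root" if m["user"] == "root" else "valid"
        counts[ip][category] += 1
    blocked = {}
    for ip, per_category in counts.items():
        hit = [c for c, n in per_category.items() if n >= thresholds[c]]
        if hit:
            blocked[ip] = hit[0]
    return blocked

if __name__ == "__main__":
    for ip, category in offenders(SAMPLE_LOG).items():
        print(f"block {ip} ({category} threshold reached)")
```

The last sample line carries a user name that itself contains an address; because the pattern is anchored at the end of the line, the failure is charged to the connecting host and the legitimate user's address stays off the list.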
A newer way to bar intruders is the fail2ban
program. It adds DROP rules to the kernel's iptables rules, and
is more efficient than denyhosts. Both can be used simultaneously.