Key strength
The advice from the French security agency is to use keys of at least 2048 bits. So with ssh-keygen you have to use an RSA-type key, as DSA keys are limited to 1024 bits.
Here is how to generate a key with 2048 bits:
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
2d:f7:13:c2:8a:eb:6e:bb:98:0d:c3:f3:cd:a0:81:90 user@computer
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|       . o       |
|E     S = .      |
| . o . + o .     |
|  . * o . o      |
|   @.= .         |
|  ++Ooo          |
+-----------------+
Don’t forget to put a passphrase on your key to raise the security level.
To allow your newly created key to be used for password-less authentication, you need to upload the public part of your key to the remote server using the ssh-copy-id command:
$ ssh-copy-id user@remote
The command asks for your password one last time; after that, ssh commands will no longer prompt for it.
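As an added example (not part of the original post), here is a small audit script that applies the key-strength rule above to the output of ssh-keygen -l, which prints one line per key in the form "<bits> <fingerprint> <comment> (<TYPE>)". The key_line_ok function checks a single such line; audit_pubkeys runs it over every .pub file in a directory. The directory path and the SSH_AUDIT_DIR variable are assumptions for the demo, not anything the post defines.

```shell
#!/bin/sh
# Added example, not from the original post: check "ssh-keygen -l" output
# against the post's policy (RSA keys with at least 2048 bits; DSA rejected
# because it is capped at 1024 bits).

MIN_BITS=2048

# key_line_ok LINE -> returns 0 if the key meets the policy, 1 otherwise.
# LINE looks like: "2048 2d:f7:...:90 user@computer (RSA)"
key_line_ok() {
    bits=$(printf '%s\n' "$1" | awk '{print $1}')
    type=$(printf '%s\n' "$1" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p')
    # refuse to compare anything that is not a plain number
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    case "$type" in
        RSA) [ "$bits" -ge "$MIN_BITS" ] ;;
        DSA) return 1 ;;        # never large enough for the policy
        *)   return 1 ;;        # unknown type: flag it for a human to look at
    esac
}

# audit_pubkeys DIR -> prints one verdict per public key, returns 1 if any fails
audit_pubkeys() {
    rc=0
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        line=$(ssh-keygen -l -f "$pub") || { rc=1; continue; }
        if key_line_ok "$line"; then
            echo "OK    $pub: $line"
        else
            echo "WEAK  $pub: $line"
            rc=1
        fi
    done
    return $rc
}

# Usage (assumed variable name): SSH_AUDIT_DIR=~/.ssh sh audit-keys.sh
if [ -n "${SSH_AUDIT_DIR:-}" ]; then
    audit_pubkeys "$SSH_AUDIT_DIR"
fi
```

The type is taken from the trailing "(TYPE)" field rather than from the file name, so a key saved under an unusual name is still judged by what it actually is.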
Agent
Having a passphrase on your key can be a pain, because ssh will ask for it every time you connect. The solution is to use an ssh-agent, like this in your login shell (for Bourne-type shells):
$ eval `ssh-agent -s`
Agent pid 19583
$ ssh-add
Enter passphrase for /home/user/.ssh/id_rsa:
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
From then on, ssh commands will not ask for your passphrase anymore.
ssh-agent under X11
Another trick, if you want to put this sequence in your X11 login setup, is to run ssh-add with no input, which forces it to ask for the passphrase in a graphical window:
eval `ssh-agent -s`
ssh-add < /dev/null
The file in which to put these commands depends on your display manager (gdm, kdm...).
Enhancing authentication
Here are some configuration options to add to your /etc/ssh/sshd_config file to enhance authentication:
- Do not authorize empty passwords:
PermitEmptyPasswords no
- Add a timeout to avoid users with "never closed shells" on systems:
ClientAliveInterval 300
ClientAliveCountMax 0
- Do not allow password authentication:
PasswordAuthentication no
Two-factor authentication
To raise the security level of the authentication, you can use a two-factor scheme, such as a password or public key combined with an OTP (One Time Password).
On a Debian system, you can do it like this:
# apt-get install libpam-opie opie-server
Then edit /etc/pam.d/ssh to add an entry for pam_opie:
auth required pam_env.so envfile=/etc/default/locale
auth required pam_opie.so
Your /etc/ssh/sshd_config has to have the following options activated:
ChallengeResponseAuthentication yes
PasswordAuthentication no
You then need to initialize the OTP server:
# opiepasswd -c
Enter the passphrase and deploy the OTP client on the client systems (opie-client package); you will then be prompted with something like this:
$ ssh login@device
otp-md5 492 ne9401 ext, Response:
Password: ...
Restricting access
Here are some configuration options to add to your /etc/ssh/sshd_config file to restrict access:
- No direct root login if you use sudo or an equivalent command to gain super-user access:
PermitRootLogin no
This allows better traceability of who is doing what.
- List the users authorized to connect in an explicit way:
AllowUsers john
- The other way to do it is to list users that are not authorized to connect and let all the others be authorized:
DenyUsers bob
- Restrict access to one network interface if you have several on your server:
ListenAddress 192.168.1.5
- Change the default port to avoid some port scanners:
Port 222
If you use a tool like Wallix AdminBastion, which gives you fine control over your ssh/scp/sftp connections and also records what is done, you can allow direct root access only from this designated device:
Match Address <ip of your WAB>
    PermitRootLogin yes
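To check that a server actually carries the settings from the "Enhancing authentication" and "Restricting access" sections, here is an added example (not from the original post) that audits an sshd_config file. Two details of sshd's parsing matter for such a check: for a keyword given several times, the first value wins, and anything after a Match line applies only inside that conditional block, so a setting that appears only under Match does not protect the server globally. The sample configuration is constructed for the demo, and the SSHD_CONFIG_TO_AUDIT variable is an assumed name, not anything from the post or from OpenSSH.

```shell
#!/bin/sh
# Added example, not from the original post: audit the global section of an
# sshd_config against the settings the post recommends.

# sshd_global FILE KEYWORD -> prints the effective global value (empty if unset).
# Keywords are matched case-insensitively, comments and blank lines are skipped,
# the first occurrence wins, and reading stops at the first "Match" line.
sshd_global() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

# audit_sshd FILE -> prints one line per check, returns the number of failures
audit_sshd() {
    fails=0
    # keyword=expected pairs from the post; values compared case-insensitively
    for pair in PermitEmptyPasswords=no PasswordAuthentication=no \
                PermitRootLogin=no ClientAliveInterval=300 ClientAliveCountMax=0; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_global "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected $want"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# write_sample_config PATH -> constructed sample (not a real server's file).
# ClientAliveCountMax is only set inside the Match block, so the audit must
# report it as unset globally; the Match's PermitRootLogin yes must be ignored.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample for the demo)
Port 222
ListenAddress 192.168.1.5
PermitRootLogin no
PasswordAuthentication No
PermitEmptyPasswords no
ClientAliveInterval 300
AllowUsers john

Match Address 192.0.2.10
    PermitRootLogin yes
    ClientAliveCountMax 0
EOF
}

# Usage (assumed variable name): SSHD_CONFIG_TO_AUDIT=/etc/ssh/sshd_config sh audit-sshd.sh
if [ -n "${SSHD_CONFIG_TO_AUDIT:-}" ]; then
    audit_sshd "$SSHD_CONFIG_TO_AUDIT"
fi
```

Run against the sample, the script reports four OK lines and one FAIL for ClientAliveCountMax. After editing the real file, sshd -t checks its syntax before you reload the daemon, which avoids locking yourself out of a remote server with a typo.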
Fighting brute force attacks
You can improve your ability to react to brute force attacks by using a tool like fail2ban, which adds temporary firewall rules when someone tries to connect several times. On a Debian system, you just have to install the fail2ban package.
You can also use a port-knocking system to make your ssh server visible only when special network packets are being received. On a Debian system, you can use the knockd package on both the server and the client.
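To make visible what fail2ban is counting before it bans a source, here is an added example (not from the original post and not fail2ban's own code) that extracts the number of "Failed password" lines per source address from sshd's syslog output and lists the sources at or above a threshold. The log lines are constructed for the demo with documentation addresses; the AUTH_LOG and MAXRETRY variable names are assumptions. The script only reports, it does not touch the firewall.

```shell
#!/bin/sh
# Added example, not from the original post: count failed sshd password
# attempts per source address, the way a fail2ban filter would.

# Constructed sample log lines (classic syslog format of /var/log/auth.log).
SAMPLE_LOG='Jul 13 10:01:02 server sshd[2201]: Failed password for root from 203.0.113.7 port 40210 ssh2
Jul 13 10:01:05 server sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Jul 13 10:01:09 server sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 40212 ssh2
Jul 13 10:01:12 server sshd[2207]: Failed password for root from 203.0.113.7 port 40213 ssh2
Jul 13 10:02:30 server sshd[2210]: Failed password for john from 198.51.100.4 port 51000 ssh2
Jul 13 10:02:41 server sshd[2212]: Accepted publickey for john from 198.51.100.4 port 51001 ssh2
Jul 13 10:03:00 server sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 40214 ssh2'

# offenders MAXRETRY < log -> prints "<count> <ip>" for every source with at
# least MAXRETRY failures, most active first. Both the "Failed password for
# USER" and the "Failed password for invalid user USER" forms are handled by
# locating the word "from" and taking the field after it.
offenders() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { n[$(i + 1)]++; break }
            }
        }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }
    ' | sort -rn
}

# Usage (assumed variable names): AUTH_LOG=/var/log/auth.log MAXRETRY=5 sh offenders.sh
if [ -n "${AUTH_LOG:-}" ]; then
    offenders "${MAXRETRY:-5}" < "$AUTH_LOG"
else
    # demo on the constructed sample: only 203.0.113.7 reaches three failures
    printf '%s\n' "$SAMPLE_LOG" | offenders 3
fi
```

On the sample, a threshold of 3 reports only 203.0.113.7 (five failures); john's single typo from 198.51.100.4 followed by a successful public-key login stays below it, which is the distinction a ban threshold exists to make.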
Updated post on 13 Jul 2011 for using ssh-add under X11.