Table of Contents
- Step 1: Create RSA Keys
- Step 2: Give Remote Host Public RSA Key
- Step 3: Verify
- Step 4: Disable Password logon
In this tutorial we will secure SSH by disabling root logon and logon with a password. We will then enable sudo logging, giving us the ability to replay a user's session.
I will be using two Ubuntu Vagrant machines; however, this should work on most systems with ssh and sudo. Keep in mind that the paths and files may differ across systems.
Step 1: Create RSA Keys
The first step is to generate the RSA key pair.
ssh-keygen -t rsa
You will be asked where to keep the keys and for a passphrase. I recommend keeping the default path for the files. A passphrase adds extra security, at the cost of an extra step when you log on.
Step 2: Give Remote Host Public RSA Key
We want the remote host to be able to use our key, so we need to give it the public RSA key we just created. If you changed the file path, look for your keys there; otherwise the public key is located at ~/.ssh/id_rsa.pub.
Copy the contents of this file and add it to the remote host's authorized_keys.
cat ~/.ssh/id_rsa.pub | ssh email@example.com "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Step 3: Verify
Make sure everything is working. Try to log on. It should connect without asking for a password (if you set a passphrase on the key, you will be asked for that instead).
Step 4: Disable Password logon
With SSH RSA keys working, the next step is to disable password logon. To do that we will edit /etc/ssh/sshd_config. Locate PasswordAuthentication and change it to no.
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
I recommend disabling root logon as well. To do that, locate PermitRootLogin and change it to no.
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
Save the changes and restart the sshd daemon.
sudo service ssh restart
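A check for the two edits from Step 4, as an added example that is not part of the original tutorial. The function names and the sample file are constructed for illustration, and the script assumes a single-file config (it does not follow Include directives).

```sh
#!/bin/sh
# Added example (not from the original tutorial): audit an sshd_config-style
# file for the two settings changed in Step 4.
# sshd uses the FIRST value it reads for each keyword, and keywords are
# case-insensitive, so an earlier "passwordauthentication yes" beats a
# later "PasswordAuthentication no".

# Print the first global value of keyword $2 in file $1 (empty if unset).
# Stops at the first Match block, because settings below it are conditional.
# Assumption: single-file config; Include directives are not followed.
sshd_first_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }            # blank line or comment
        tolower($1) == "match"      { exit }            # end of global section
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Exit status 0 only if both settings are explicitly "no".
# The ( ) body runs in a subshell, so rc/key/val stay local.
audit_sshd_config() (
    rc=0
    for key in PasswordAuthentication PermitRootLogin; do
        val="$(sshd_first_value "$1" "$key")"
        if [ "$val" = "no" ]; then
            echo "OK    $key no"
        else
            echo "FAIL  $key is '${val:-unset}' (expected no)"
            rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample config: the early lowercase "yes" wins over the later "no".
demo_conf="$(mktemp)"
printf '%s\n' \
    '# Authentication:' \
    'LoginGraceTime 120' \
    'passwordauthentication yes' \
    'PermitRootLogin no' \
    'StrictModes yes' \
    'PasswordAuthentication no' > "$demo_conf"
audit_sshd_config "$demo_conf" || echo "=> fix the file before restarting sshd"
rm -f "$demo_conf"
```

On the real host, `sudo sshd -t` validates the file before the restart, and `sudo sshd -T` prints the effective settings, including anything pulled in by Include.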
The purpose of this was to secure a system by enabling SSH RSA keys and disabling root logon as well as password logon.
This is just one step in securing a system. However, a bunch of little steps add up and make a big difference.