Table of Contents

  1. Prerequisites
  2. Step 1: Create RSA Keys
  3. Step 2: Give Remote Host Public RSA Key
  4. Step 3: Verify
  5. Step 4: Disable Password logon
  6. Summary

In this tutorial we will secure SSH by disabling root logon and logon with a password. We will then enable sudo logging, giving us the ability to replay a user's session.

Prerequisites

I will be using two Ubuntu vagrant machines; however, this should work on most systems with ssh and sudo. Keep in mind that the paths and files may differ across systems.

Step 1: Create RSA Keys

The first step is to generate the RSA key pair.

ssh-keygen -t rsa

You will be asked where to keep the keys and for a passphrase. I recommend leaving the path to the files at the default. As for the passphrase, it adds extra security as well as an extra step.

Step 2: Give Remote Host Public RSA Key

We want the remote host to be able to use our key, so we need to give it the public RSA key we just created. If you changed the file path, go there for your keys; otherwise they are located at ~/.ssh/id_rsa.pub.

Copy the contents of this file and add it to the remote host's authorized_keys.

Example

cat ~/.ssh/id_rsa.pub | ssh user@192.168.0.1 "mkdir -p ~/.ssh && cat >>  ~/.ssh/authorized_keys"

Step 3: Verify

Make sure everything is working. Try to log on. It should connect without asking for a password.

Step 4: Disable Password logon

With SSH RSA keys working, the next step is to disable password logon. To do that we will edit /etc/ssh/sshd_config. Locate PasswordAuthentication and change it to no.

Example

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

I recommend disabling root logon as well. To do that, locate PermitRootLogin and change it to no.

Example

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

Save the changes and restart the sshd daemon.

sudo service ssh restart
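Steps 1 to 4 above are done by hand. As an added example, not part of the original tutorial, the following POSIX shell script applies the Step 4 edits to a copy of sshd_config and reads back the value sshd will actually use. It assumes the file has no Match blocks; the sample config at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial). sshd honours the FIRST
# uncommented definition of a keyword, so a stray earlier
# "PasswordAuthentication yes" would silently override the one you add.
# These helpers keep exactly one definition per keyword.

# set_sshd_option FILE KEY VALUE: drop every top-level definition of KEY,
# commented or not, then append "KEY VALUE". Assumption: FILE has no
# "Match" blocks (their per-user lines would be stripped as well).
set_sshd_option() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        $0 ~ "^[ \t]*#?[ \t]*" key "[ \t=]" { next }   # old definition
        { print }
        END { print key, value }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# effective_sshd_option FILE KEY: the value sshd would use (first match).
# sshd keywords are case-insensitive; exact case is assumed here.
effective_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd FILE: the two Step 4 settings.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no &&
    set_sshd_option "$1" PermitRootLogin no
}

# On the real host, check the syntax before restarting, and do it from a
# session you keep open until a new key-based logon has been confirmed.
restart_if_valid() { sudo sshd -t && sudo service ssh restart; }

# Demo on a constructed config: commented default plus a stray "yes".
demo_config=$(mktemp)
printf '%s\n' '# Authentication:' 'LoginGraceTime 120' \
    '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
    'StrictModes yes' > "$demo_config"
harden_sshd "$demo_config"
echo "PasswordAuthentication=$(effective_sshd_option "$demo_config" PasswordAuthentication)"
echo "PermitRootLogin=$(effective_sshd_option "$demo_config" PermitRootLogin)"
rm -f "$demo_config"
```

Run it against a copy of /etc/ssh/sshd_config first and diff the result before touching the live file.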

Summary

The purpose of this was to secure a system by enabling SSH RSA keys and disabling root login as well as password logon.

This is just one step in securing a system. However, a bunch of little steps add up and make a big difference.