Securing SSH

Todd Zullinger tmz at pobox.com
Tue May 23 18:35:37 UTC 2006



Brian D. McGrew wrote:
> Good morning,

You'd need to back that up with some proof.  It looks like an oxymoron
to me.  :)

> I'm looking to tighten up my ssh configuration.  I have to have SSH
> open on the box at home so I can get to it from the office.  I've
> found several articles on securing ssh that include deny root access
> and require 'wheel' group membership for su.

What I do is disable all password based logins and only allow trusted
users (which means just me on my home system).

In /etc/ssh/sshd_config, set

PasswordAuthentication no
AllowUsers your_username

If you haven't created a personal ssh key (ssh-keygen), do so before
disabling password authentication and copy the public key from work to
home.  Something like this from your work computer:

$ scp ~/.ssh/id_rsa.pub home:.ssh/authorized_keys

(The perms on ~/.ssh should be 700 and 600 (or less) on
authorized_keys.)

Then no amount of password guessing will let someone in.  The only way
in is with your key and as your username.  Well, unless someone finds
a remote exploit in sshd, but that doesn't happen very often (if ever)
and any flaws discovered would be fixed very quickly.  OpenSSH is
pretty damn secure software.

Another plus of using ssh keys is that you can load your key into the
ssh-agent (which is started with X by default on Fedora) and then you
can ssh into your systems without having to type the key's password
every time.  You can automate loading your key into the agent by
putting ssh-add ~/.ssh/id_rsa < /dev/null into your X startup scripts
somewhere.

> Is changing the port to something non-standard a good idea?  What else
> can I do; can someone point me to a good write up on it?

It doesn't hurt.  The main advantage of doing so is to cut down on the
number of log messages you'll see from super leet script kiddies
scanning for ssh servers with bad passwords.

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
God made everything out of nothing, but the nothingness shows through.
    -- Paul Valery
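An added audit script, not from the original post, that checks an sshd_config for the two settings Todd gives (PasswordAuthentication no, AllowUsers) and the ~/.ssh permissions he describes. It assumes GNU stat (-c %a), as on Fedora, and builds its own constructed sample configs.

```shell
#!/bin/sh
# Added example: audit sshd_config settings and ~/.ssh permissions.
# Assumes GNU stat (-c %a); sample configs below are constructed.

# effective_value FILE KEYWORD: print the value sshd would use. sshd takes
# the first uncommented occurrence of a keyword, so a commented-out
# default or a later duplicate must not win.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: 0 if password logins are off and AllowUsers is
# set, 1 otherwise (each failing setting is reported on stdout).
check_sshd_config() {
    pa=$(effective_value "$1" PasswordAuthentication)
    au=$(effective_value "$1" AllowUsers)
    ok=0
    [ "$pa" = no ] || { echo "PasswordAuthentication='${pa:-yes (default)}', want no"; ok=1; }
    [ -n "$au" ]   || { echo "AllowUsers unset: any account with a key can log in"; ok=1; }
    return $ok
}

# check_ssh_perms DIR: 0 if DIR is 700 and DIR/authorized_keys has no
# group/other bits and no execute bit (600 or stricter), 1 otherwise.
check_ssh_perms() {
    dmode=$(stat -c %a "$1")
    fmode=$(stat -c %a "$1/authorized_keys")
    ok=0
    [ "$dmode" = 700 ] || { echo "$1 is $dmode, want 700"; ok=1; }
    case "$fmode" in
        0|[0246]00) ;;
        *) echo "$1/authorized_keys is $fmode, want 600 or stricter"; ok=1 ;;
    esac
    return $ok
}

# Demo on constructed samples: a hardened config and a default-style one.
tmp=$(mktemp -d)
printf '#PasswordAuthentication yes\nPasswordAuthentication no\nAllowUsers tmz\n' > "$tmp/hardened"
printf 'PasswordAuthentication yes\n' > "$tmp/default"
check_sshd_config "$tmp/hardened" && echo "hardened: OK"
check_sshd_config "$tmp/default"  || echo "default: needs work"
rm -rf "$tmp"
```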

