SSH Lockdown
Secure your servers with SSH keys


I spend a lot of time SSHed into remote machines for work. After getting a couple of machines hacked because I stupidly used short passwords, I started locking down my machines with the following procedure: log in with SSH keys only, and disable username/password authentication in sshd.

Keep in mind that I have console access to these machines through CloudStack if I lose my SSH keys for some reason. Because of this, I remove the ability to log in with a username and password over SSH entirely. If you have no out-of-band console, keep your current SSH session open until a fresh key-based login from a second terminal succeeds, since a typo in sshd_config can lock you out.

# Create an SSH key pair if you don't have one already.  Defaults: ~/.ssh/id_rsa (the private key,
# which never leaves your machine and should be passphrase-protected) and ~/.ssh/id_rsa.pub (the
# public key, the only part you copy to servers).  Recent OpenSSH accepts ed25519 keys as well.
$ ssh-keygen -t rsa

# Append the local SSH public key to the remote user's authorized_keys, creating ~/.ssh if needed.
$ cat ~/.ssh/id_rsa.pub | ssh <user>@<ip_address> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

# SSH to the remote machine to remove the ability to SSH with a password.
$ ssh <user>@<ip_address>
    
# The '$>' prompt denotes the remote machine's command prompt

# Edit your sshd_config and verify the following values.
$> sudo vim /etc/ssh/sshd_config
    
    # enable the ability to use SSH keys
    # (RSAAuthentication only covers the legacy SSH protocol 1; current OpenSSH ignores it
    # with a warning, so PubkeyAuthentication is the line that matters)
    RSAAuthentication yes
    PubkeyAuthentication yes

    # disable the ability to SSH with just a password, including the password prompt PAM
    # would otherwise issue via keyboard-interactive (ChallengeResponseAuthentication is
    # spelled KbdInteractiveAuthentication in OpenSSH 8.7 and later)
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    # with the two settings above, PAM can no longer prompt for a password even when UsePAM
    # is yes; setting it to no also skips PAM account and session checks (locked or expired
    # accounts, resource limits), which Debian/Ubuntu builds rely on, so weigh that trade-off
    UsePAM no

# Reload sshd (the service is named 'ssh' on Debian/Ubuntu and 'sshd' on RHEL/CentOS).  Before
# you exit, open a second terminal and confirm that a key-based login succeeds and that a
# password-only attempt is refused; this session stays usable if the reload went wrong.
$> sudo service ssh reload
$> exit
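Two sshd_config rules make "verify the following values" less obvious than it looks: for each keyword the first value sshd reads wins (a later duplicate is silently ignored), and an Include line (OpenSSH 8.2+, used by Ubuntu's /etc/ssh/sshd_config.d/ drop-ins) is read at the point where it appears, so a drop-in included at the top of the file overrides anything you edit below it. The script below is an added example and not code from the original post: it resolves the effective global value of each keyword the way sshd does (case-insensitive keywords, comments stripped, first match wins, Include files followed, everything after the first Match block ignored) and reports whether password logins are off and key logins are on. The SSHD_CONF_DIR variable, the function names and the sample configs used in the usage note are assumptions for this example; relative Include paths resolve against /etc/ssh by default, as in sshd.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config (and
# any files it Includes) for the lockdown values given above, before you
# reload sshd.  It follows sshd's own parsing rules:
#   - keywords are case-insensitive and '#' starts a comment;
#   - for each keyword the FIRST value read wins, later ones are ignored;
#   - Include files are read where the Include line stands, so a drop-in
#     pulled in at the top of the file overrides anything edited below it;
#   - everything after the first 'Match' line is conditional and is skipped.
# Assumption (not in the post): relative Include paths resolve against
# SSHD_CONF_DIR, which defaults to /etc/ssh as sshd does.
set -u

SSHD_CONF_DIR="${SSHD_CONF_DIR:-/etc/ssh}"

sshd_lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sshd_effective_value FILE "KEYWORD [ALIAS ...]"
# Prints the first value found for any of the names and returns 0;
# prints nothing and returns 1 if none of them is set in the global section.
sshd_effective_value() {
    local file="$1" keys="$2" line kw val inc k pat
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                          # drop comments
        line="${line#"${line%%[![:space:]]*}"}"     # trim leading blanks
        [ -n "$line" ] || continue
        kw="${line%%[[:space:]=]*}"                 # keyword token
        val="${line#"$kw"}"
        val="${val#"${val%%[![:space:]=]*}"}"       # value after blanks or '='
        val="${val%"${val##*[![:space:]]}"}"        # trim trailing blanks
        kw="$(sshd_lc "$kw")"
        case "$kw" in
            match) return 1 ;;                      # rest is conditional
            include)
                [ -n "$val" ] || continue
                set -f; set -- $val; set +f         # split patterns, no globbing yet
                for pat; do
                    case "$pat" in /*) ;; *) pat="$SSHD_CONF_DIR/$pat" ;; esac
                    for inc in $pat; do             # glob the absolute pattern
                        if val="$(sshd_effective_value "$inc" "$keys")"; then
                            printf '%s\n' "$val"; return 0
                        fi
                    done
                done ;;
            *)
                for k in $keys; do
                    if [ "$kw" = "$(sshd_lc "$k")" ]; then
                        printf '%s\n' "$val"; return 0
                    fi
                done ;;
        esac
    done < "$file"
    return 1
}

# sshd_lockdown_audit FILE
# One line per setting; returns 0 only when password and keyboard-interactive
# logins are off and public-key logins are on.  Unset keywords are reported
# with sshd's compiled-in default, which is 'yes' for all three.
sshd_lockdown_audit() {
    local file="$1" rc=0 spec key want def aliases got src
    for spec in 'PubkeyAuthentication yes yes' \
                'PasswordAuthentication no yes' \
                'ChallengeResponseAuthentication no yes KbdInteractiveAuthentication'; do
        set -- $spec
        key="$1" want="$2" def="$3" aliases="${4:-}"
        if got="$(sshd_effective_value "$file" "$key $aliases")"; then
            src="set in config"
        else
            got="$def" src="sshd default"
        fi
        if [ "$(sshd_lc "$got")" = "$want" ]; then
            printf 'OK   %-32s %-4s (%s)\n' "$key" "$got" "$src"
        else
            printf 'FAIL %-32s %-4s (%s), want %s\n' "$key" "$got" "$src" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Run as a script: sshd_lockdown_audit.sh [/path/to/sshd_config]
[ $# -eq 0 ] || sshd_lockdown_audit "$1"
```

On the server itself you do not need a parser: `sudo sshd -t` syntax-checks the file before the reload, and `sudo sshd -T | grep -iE 'pubkeyauthentication|passwordauthentication|challengeresponse|kbdinteractive'` prints the values sshd will actually use, Includes and all. The script is for the same check offline, for example over a config pulled from a fleet or in CI. Either way, finish with a live test from a second terminal: `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password <user>@<ip_address>` must now fail with "Permission denied (publickey)". If instead your key login stops working after the reload, check permissions first: with the default StrictModes yes, sshd refuses an authorized_keys file that is group- or world-writable, so `chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys` on the server fixes the common case.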

July 6, 2015

Tags
SSH Security

Will Stevens (swill)
