OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is ideal for keeping the confidentiality and integrity of data exchanged between two networks or systems. Its main advantage, however, is server authentication through the use of public key cryptography. From time to time there are rumors about an OpenSSH zero-day exploit. This page shows how to secure your OpenSSH server running on a Linux or Unix-like system to improve sshd security.
OpenSSH defaults
- TCP port – 22
- Server config file – sshd_config (located in /etc/ssh/)
- Client config file – ssh_config (located in /etc/ssh/)
- User private/public keys and client config – $HOME/.ssh/ directory
1. Use SSH public key based login
OpenSSH server supports various authentication methods. It is recommended that you use public key based authentication. First, create the key pair using the following ssh-keygen command on your local desktop or laptop:
DSA keys and RSA keys of 1024 bits or fewer are considered weak; avoid them. RSA keys are chosen over ECDSA keys when backward compatibility with ssh clients is a concern. Use only ED25519 or RSA keys; do not use any other type.
$ ssh-keygen -t key_type -b bits -C "comment"
$ ssh-keygen -t ed25519 -C "Login to production cluster at xyz corp"
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_aws_$(date +%Y-%m-%d) -C "AWS key for abc corp clients"
Next, install the public key using the ssh-copy-id command:
$ ssh-copy-id -i /path/to/public-key-file user@host
$ ssh-copy-id user@remote-server-ip-or-dns-name
$ ssh-copy-id vivek@rhel7-aws-server
When prompted, supply the user password. Verify that ssh key based login is working for you:
$ ssh vivek@rhel7-aws-server
For more info on ssh public key auth see:
- keychain: Set Up Secure Passwordless SSH Access For Backup Scripts
- sshpass: Login To SSH Server / Provide SSH Password Using A Shell Script
- How To Setup SSH Keys on a Linux / Unix System
- How to upload ssh public key to as authorized_key using Ansible DevOPS tool
- SSH Public Key Based Authentication on a Linux/Unix server
2. Disable root user login
Before we disable root user login, make sure a regular user can become root via sudo. For example, allow the vivek user to run commands as root using the sudo command.
Allow members of the sudo group to execute any command. Add user vivek to the sudo group:
$ sudo adduser vivek sudo
Verify group membership with the id command:
$ id vivek
How to add vivek user to sudo group on a CentOS/RHEL server
Allow people in the wheel group to run all commands on a CentOS/RHEL or Fedora Linux server. Use the usermod command to add the user named vivek to the wheel group:
$ sudo usermod -aG wheel vivek
$ id vivek
Test sudo access and disable root login for ssh
Test it and make sure user vivek can become root or run commands as root:
$ sudo -i
$ sudo /etc/init.d/sshd status
$ sudo systemctl status httpd
Once confirmed, disable root login by adding the following lines to sshd_config:
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
See “How to disable ssh password login on Linux to increase security” for more info.
3. Disable password based login
All password-based logins must be disabled; only public key based logins are allowed. Add the following to your sshd_config file:
AuthenticationMethods publickey
PubkeyAuthentication yes
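As an added example (not from the original page), a small POSIX shell audit that reads an sshd_config file and reports whether the settings from steps 2 and 3 above are in effect. It honours sshd's rule that the first occurrence of a keyword wins and ignores commented-out lines; the two sample config files are constructed here and the function names are mine.

```shell
#!/bin/sh
# Print the effective value of keyword $2 in sshd_config $1.
# sshd takes the FIRST occurrence of a keyword, so we stop at the first hit
# and at the first Match block (values there are conditional).
# Keywords are case-insensitive; only the "Key value" form is handled.
sshd_setting() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }                     # skip comment lines
        tolower($1) == "match" { exit }               # stop at first Match block
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# Check the settings recommended in steps 2 and 3; print one line per item and
# return 0 only if all match. A missing keyword means the compiled-in default.
audit_sshd_config() {
    fails=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no UsePAM=no \
                PubkeyAuthentication=yes AuthenticationMethods=publickey; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_setting "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key: want '$want', got '${got:-(default)}'"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}
# Constructed sample configs (hypothetical, not taken from any real host).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
# PermitRootLogin no   <- commented out, so it is ignored
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
cat > "$HARD_CONF" <<'EOF'
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
AuthenticationMethods publickey
PubkeyAuthentication yes
EOF
audit_sshd_config "$WEAK_CONF" || echo "weak config is NOT hardened"
audit_sshd_config "$HARD_CONF" && echo "hardened config passes"
```

On a live server the same checks can be run against the output of `sshd -T`, which prints the effective configuration rather than the file as written.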