OpenSSH has become more or less the de facto standard for interacting with UNIX-like operating systems across the internet. Although this guide is aimed at OpenBSD 7.4 users, most steps should be reproducible on other UNIX-like operating systems due to the portable nature of OpenSSH.
The root account is often the first account targeted when brute forcing SSH login credentials. Disabling logins as the root user prevents this attack vector, and can be done by modifying the following line in /etc/ssh/sshd_config:
    # Logging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    PermitRootLogin no # <--- Uncomment and set to no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #PubkeyAuthentication yes
Now it's time to restart the OpenSSH service…
    Pufferfish# rcctl restart sshd
    sshd(ok)
    sshd(ok)
    Pufferfish# █
Now, if we attempt to log in as root from a new terminal window, we receive this message regardless of whether or not we enter the correct root password:
    [sealwalrus@computer sealwalrus]$ ssh root@sealwalrus.xyz
    root@sealwalrus.xyz's password:
    Permission denied, please try again.
SSH keys are often considered a superior form of authentication when compared to password authentication. This is due to a number of factors including
To enable SSH key authentication, we must first generate our public and private keys on our client device. This can be done with the ssh-keygen command. Note that setting a passphrase for your SSH keys is entirely optional.
    [sealwalrus@computer sealwalrus]$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/sealwalrus/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/sealwalrus/.ssh/id_rsa
    Your public key has been saved in /home/sealwalrus/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:kiM0rn4kQguLNsKRvjFR1KVE0Mbbz5CO+clwAelw2Kc sealwalrus@computer
    The key's randomart image is:
    +---[RSA 3072]----+
    | .oOoo. |
    | +.X.. |
    | o B.* . |
    |.= o E * |
    |*.+ o B S |
    |=O...= = o |
    |o.*o = . |
    | o . + |
    | .. |
    +----[SHA256]-----+
    [sealwalrus@computer sealwalrus]$ ls .ssh
    id_rsa id_rsa.pub # <---- Newly created keys located in ~/.ssh
    [sealwalrus@computer sealwalrus]$ █
This creates both a private and a public key, which can be found in ~/.ssh. Now it's time to transfer our public key over to our server. This can be done using the handy ssh-copy-id command:
    [sealwalrus@computer sealwalrus]$ ssh-copy-id user@sealwalrus.xyz
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/sealwalrus/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    user@sealwalrus.xyz's password:

    Number of key(s) added: 1

    Now try logging into the machine, with: "ssh 'user@sealwalrus.xyz'"
    and check to make sure that only the key(s) you wanted were added.

    [sealwalrus@computer sealwalrus]$ █
It is best practice to disable password authentication entirely when using SSH key pairs. This can be accomplished by editing /etc/ssh/sshd_config once again:
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no # <---- Uncomment and set to no
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #KbdInteractiveAuthentication yes
Now it's time to restart the OpenSSH service again…
    OpenBased# rcctl restart sshd
    sshd(ok)
    sshd(ok)
    OpenBased#

Now, upon attempting to log in from a different computer which does not contain our SSH keys, we receive this message:
    [stranger@computer stranger]$ ssh user@sealwalrus.xyz
    user@sealwalrus.xyz: Permission denied (publickey,keyboard-interactive).
    [stranger@Computer stranger]$ █
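
To confirm that the settings from this guide are actually in effect after the restart, the following added example (not part of the original guide) checks the output of sshd -T, which prints the effective server configuration. The sample input is constructed, and the keyboard-interactive check is an extra assumption of this example: the denial message above still lists keyboard-interactive, a method that can also carry password prompts.

```sh
#!/bin/sh
# Added example (not from the original guide): audit effective sshd settings.
# Input is `sshd -T` style text: lowercase keyword, a space, then the value.

# audit_sshd reads that text on stdin, prints one line per check and
# returns the number of failed checks as its exit status.
audit_sshd() {
    awk '
        function need(key, value) { want[key] = value; order[++n] = key }
        BEGIN {
            need("permitrootlogin", "no")           # set by the guide
            need("passwordauthentication", "no")    # set by the guide
            need("pubkeyauthentication", "yes")     # required for key login
            # Assumption of this example, not a step in the guide:
            need("kbdinteractiveauthentication", "no")
        }
        ($1 in want) { seen[$1] = $2 }
        END {
            fails = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen)) {
                    printf "MISSING %s\n", k; fails++
                } else if (seen[k] != want[k]) {
                    printf "FAIL    %s is %s, want %s\n", k, seen[k], want[k]; fails++
                } else {
                    printf "OK      %s %s\n", k, seen[k]
                }
            }
            exit fails
        }'
}

# Constructed sample: the state after following the guide, with
# KbdInteractiveAuthentication left at its commented-out default.
sample_after_guide() {
    cat <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
EOF
}

# On the server, as root:  sshd -T | audit_sshd
# Offline demo on the constructed sample:
sample_after_guide | audit_sshd || echo "$? check(s) failed"
```

Run the audit from a session you keep open, so a failed check can be fixed before you log out.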