Wednesday, February 3, 2010

SSH, the Secure Shizzle

SSH, the "secure shell" is the ultimate exception to the "security is inversely proportional to convenience" rule.  It is so easy to set up and once you have it running, secure authentication and communication are totally transparent.  It's almost irresponsible not to use it.

In its most basic form, SSH is a secure remote console program, a secure replacement for Telnet, however, it is very flexible and can handle such tasks as secure file copying between machines, proxying, and even tunneling.  Also, it's been around so long that it has become one of the de facto standards for secure authentication and communication on Linux.  Pretty much any network-enabled program worth its salt will feature support for it.

There are many fine tutorials on how to use SSH, my favorite is by the incomparable Chess Griffen on the Linux Reality podcast.  If you aren't already familiar with SSH, stop reading this post and listen to that episode of Linux Reality right away.  I'll wait.

As awesome as it is to be able to type "ssh myserver", enter the password, and start entering commands to be run on your server, there's a better way.  It's called SSH keys, and they will save you the trouble of typing in your password every time you want to connect to the server and they will give your server extra protection from being hacked.  It's easier and more secure, which almost never happens, so you know you have to do it.

Creating an SSH key

Simply hop into the command line and type "ssh-keygen".  It will ask you to give a filename and location for the new keys, and it will ask you to give it a passphrase.  When it is finished, go into your home directory's .ssh folder, and you will see two files: id_rsa and  The id_rsa file is your private key; leave it where it is and don't let anyone have access to it.  Copy the file to your server.  On the server, go into your home directory's .ssh folder.  Create a file called authorized_keys if it doesn't already exist and copy the contents of your file into it (append the contents if the authorized_keys file already exists).  Now, go back to your client machine and SSH into your server.  It should let you in without asking for a password.

More SSH hardening measures

Let's face it, half the point of SSH is the security.  Setting up keys as I described will protect communications between your computers and ensure that you are actually contacting the server you think you are contacting with almost no effort on your part.  There are a few extra steps that should be taken to gain the highest level of security:
  1. Disallow protocol 1: On the server, open /etc/ssh/sshd_config as root.  Find the line that says "Protocol 1,2".  Delete the 1 and the comma, so it only says "Protocol 2".  Don't close sshd_config yet...
  2. Also in sshd_config, find the line that says "#PasswordAuthentication yes".  Remove the hash mark from the beginning of the line and change "yes" to "no".  Keep sshd_config open...
  3. Find the line that says "Port 22" and change the 22 to another number between 1024 and 65535.  
  4. Save that file and restart the ssh daemon (you can usually do this by running "sh /etc/init.d/sshd restart" as root)
  5. On your client, open /etc/ssh/ssh_config as root
  6. Find the line that says "Port 22" and change it to the same port number you set in step 3 above.
  7. Find the line that says "Protocol 1,2" and change it to "Protocol 2", as you did on the server in step 1 above.
  8. Find the line that says "Cipher aes128-cbc,3des-cbc,blowfish-cbc...".  Remove the hash mark at the beginning of the line if there is one, then remove all of the ciphers listed except aes256-cbc.  So that line should read, "Cipher aes256-cbc".
  9. Save that file
  10. Bookmark this blog post, because you will have to repeat steps 5-9 on all of your clients.
This may seem like a lot of work, but please keep in mind that SSH has been around for a very long time and there are a lot of automated ways to attack an SSH server that rely on the default settings, such as support for Protocol 1 and having the SSH daemon listen on port 22.  Changing these defaults takes only a few minutes but makes it exponentially harder for hackers to get in.  These steps are absolutely essential if you are considering exposing your SSH daemon to the public Internet.  

At this point, you are able communicate between machines with more ease and convenience than ever, and those communications are secured by military-grade authentication and encryption.  Security and convenience will never be this close, so take advantage!

No comments:

Post a Comment