How to secure your SSH connection – Part 2

I decided to add this little piece separately because the last column was a little long.

In this part 2 of securing the SSH connection, I will discuss how to secure your SSH connection further.
To recap on the last part, we secured the (already secure) SSH connection by:

  • Using RSA keys to login
  • Disabling the password login
  • Restricting connections from Iptables

We will pick up from there.

So now nobody can log into your server (or computer) without the private key. But this key is just a file that resides on your local computer. So suppose your local computer is in your office or your university: there is a chance that someone can access the private key. Then, if you are not around, they can use the key and your local machine to log in to your server. This may be pretty far-fetched, but if you do have sensitive data on your server, it doesn’t hurt to tighten the security. Even if you don’t have any sensitive data, you can still try this out for fun, like I do.

So how do you secure it further? Why don’t you keep the (private) key with you?

Most of us have flash drives that we always carry with us. So wouldn’t it be secure to keep the key on your USB drive? Don’t worry, I’m not asking you to copy it back and forth between your flash drive and the computer every time you want to connect. You can configure SSH so that whenever you connect, it automatically looks on your flash drive for the key. Pretty neat, eh? So when you want to connect, just plug in your key, I mean your flash drive. And when you leave the computer, just take it with you (DUH!).

So here’s how to do it. It’s pretty simple.

Your client-side SSH configuration is defined in the file /etc/ssh/ssh_config, and your private key is stored in ~/.ssh/id_rsa by default. What you need to do is change the location of the key in the configuration file. For example, to make SSH look on your flash drive, change the commented-out default:

# IdentityFile ~/.ssh/id_rsa

to an active (uncommented) line pointing at the drive:

IdentityFile /media/usb_drive/rsa_key/id_rsa

Update: As pointed out by Alex in the comments, it is better to make the above change in the ~/.ssh/config file, as this is your personal configuration file. Editing /etc/ssh/ssh_config needs superuser access, and if the machine you are working on is not your own or is shared with other users, you probably cannot mess with the global configuration file in /etc/ssh, since that would force every other SSH user on that machine to store their keys on USB drives as well.

Now, whenever you connect with SSH, it will automatically look for the key on the flash drive. From what I have seen, if the key is not present at the configured location, SSH by default looks for it in ~/ and ~/.ssh.

One final thing. If you log in to multiple machines and want to customize each login with different parameters, you can configure this in the /etc/ssh/ssh_config file. Copy it to ~/.ssh/config and edit it with your preferences. The configuration in ~/.ssh/config takes precedence over /etc/ssh/ssh_config; parameters not defined in the customized file take their default values. For example, to connect to machineOne and machineTwo:

Host machineOne
    HostName machineOne.com
    User user_name
    RSAAuthentication yes
    PasswordAuthentication no
    IdentityFile /media/usb_drive/rsa_key/id_rsa

Host machineTwo
    HostName machineTwo.com
    User user_name_2
    RSAAuthentication yes
    PasswordAuthentication no
    IdentityFile ~/.ssh/id_rsa_machineTwo

And connect to machineOne simply with:

ssh machineOne

The Host line decides which set of parameters is used for which machine.
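To show how that selection actually works, here is an added Python example (not code from the original post) that resolves the effective settings for a host from an ssh_config-style text the way OpenSSH does: blocks are read top to bottom, a Host block applies only if its pattern matches, the first value seen for a keyword wins, and IdentityFile lines accumulate. It goes slightly beyond the post by adding a wildcard "Host *" block with a constructed fallback_user to illustrate defaults, and a helper that reports which configured keys are actually present (empty when the flash drive is unplugged).

```python
from fnmatch import fnmatch
import os

# Constructed sample: the machineOne block from the post plus a catch-all
# block. Because the catch-all comes last, it only fills in unset keywords.
SAMPLE_CONFIG = """\
Host machineOne
    HostName machineOne.com
    User user_name
    IdentityFile /media/usb_drive/rsa_key/id_rsa
Host *
    User fallback_user
    PasswordAuthentication no
    IdentityFile ~/.ssh/id_rsa
"""

def parse_blocks(text):
    """Return [(patterns, [(keyword, value), ...]), ...] in file order."""
    current = (["*"], [])          # options before any Host line apply everywhere
    blocks = [current]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)           # keywords are case-insensitive
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "host":
            current = (value.split(), [])
            blocks.append(current)
        else:
            current[1].append((keyword, value))
    return blocks

def resolve(text, host):
    """Effective settings for `host`: the first value seen for a keyword wins,
    IdentityFile accumulates. Patterns use * and ?; '!' negation is not handled."""
    settings = {"identityfile": []}
    for patterns, options in parse_blocks(text):
        if not any(fnmatch(host, p) for p in patterns):
            continue
        for keyword, value in options:
            if keyword == "identityfile":
                settings["identityfile"].append(os.path.expanduser(value))
            else:
                settings.setdefault(keyword, value)
    settings.setdefault("hostname", host)  # no HostName given: use the alias
    return settings

def available_keys(settings):
    """Identity files that exist right now, in the order ssh would try them."""
    return [p for p in settings["identityfile"] if os.path.isfile(p)]
```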

There you go. Now you have a very secure server. If you are still not satisfied, here’s a crazy idea: “Port Knocking”.

Finally, I must thank and give credit to the people who contributed much of this information.

2 Responses to “How to secure your SSH connection – Part 2”

  1. Alex says:

    Quite an easy-to-understand article. However, I would like to point out:

    A. According to the SSH man page, the configuration is parsed in the following order:
    1. command line
    2. ~/.ssh/config
    3. /etc/ssh//config

    As a user is not always an administrator of their machine, you might do better to suggest they work with option (2) first.

    B. Also, if you have multiple USB drives, there is a chance that your drive is assigned a different name. Well, a simple way could be just assigning multiple Identity files…

    C. In part 3 you might want to talk about ssh-agent and/or keychain? Happy surveying!

  2. admin says:

    Thank you for pointing that out, Alex. I will update the post accordingly.
