More secure but easy ways to access SSH server
Apart from a user name and password, which are hard to remember if you want them to resist guessing, there are other easy ways to protect an SSH server.
Public Key
Steps
This is the simplest way: just generate a key pair,
ssh-keygen
If more security is needed, generate a 4096-bit RSA key
ssh-keygen -t rsa -b 4096
Then copy the public key in .ssh/id_rsa.pub into the remote .ssh/authorized_keys
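The two steps above as a small POSIX shell script. This is an added example, not code from the original page: it generates the 4096-bit RSA pair the page describes and appends the public key to an authorized_keys file the way sshd expects it (directory 0700, file 0600, no duplicate entries). The key comment, the RUN_DEMO switch and the sample paths are assumptions; ssh-copy-id performs the same installation over an existing password login.

```shell
#!/bin/sh
# Added example (not from the original page): generate an RSA-4096 key pair and
# install its public key into an authorized_keys file with the permissions
# sshd's StrictModes check requires. Paths and the demo key are constructed.
set -eu

# Generate the key pair the page describes (no passphrase here; the comment is an assumption).
gen_key() {
    keyfile="$1"
    ssh-keygen -t rsa -b 4096 -f "$keyfile" -N "" -C "example-user@workstation" >/dev/null
}

# Append one public key line to authorized_keys idempotently and enforce
# ~/.ssh 0700 and authorized_keys 0600, otherwise sshd ignores the file.
install_authorized_key() {
    ssh_dir="$1"
    pubkey_line="$2"
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    # Only add the key if this exact line is not already present
    if ! grep -qxF "$pubkey_line" "$auth_keys"; then
        printf '%s\n' "$pubkey_line" >> "$auth_keys"
    fi
}

# Number of key entries (non-empty, non-comment lines) currently authorized.
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/authorized_keys" 2>/dev/null || true
}

# Demo: run with RUN_DEMO=1 to generate a key and install it into a scratch
# directory that stands in for the remote user's home.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    work="$(mktemp -d)"
    gen_key "$work/id_rsa"
    install_authorized_key "$work/remote-home/.ssh" "$(cat "$work/id_rsa.pub")"
    echo "authorized keys: $(count_authorized_keys "$work/remote-home/.ssh")"
    rm -rf "$work"
fi
```

Calling install_authorized_key twice with the same line leaves a single entry, which matters when a deployment script is re-run against every target server, the chore the Cons list below points out.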
Cons
- Needs to be performed for every user
- Needs the public key of every client injected into all target servers
- No expiration
Signed Certificate
Steps
Refer to Signed SSH Certificates using Hashicorp Vault in Practice
- Use free software, HashiCorp Vault, to manage signed certificates.
- Inject the trusted CA key retrieved from Vault into the target SSH server configuration.
- Use an authorized token and the client private key to generate a short-lived signed certificate.
- Use the signed certificate and the client private key to log in to the target server.
Note: only a normal token is needed to generate a signed certificate
- The authorized token can be renewed (replaced) after use
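The server-side and client-side halves of the flow above, written as an added shell example (not code from the page or from HashiCorp). The Vault mount path ssh-client-signer, the role my-role and the file paths are assumptions; the vault commands are the SSH secrets engine's documented read/write calls, and the client needs an authenticated token (VAULT_ADDR and VAULT_TOKEN, or vault login) before calling them.

```shell
#!/bin/sh
# Added example (not from the page or from HashiCorp): trust the Vault CA on
# the server and obtain a short-lived signed certificate on the client.
# Mount path, role name and file paths are assumptions.
set -eu

VAULT_MOUNT="${VAULT_MOUNT:-ssh-client-signer}"
VAULT_ROLE="${VAULT_ROLE:-my-role}"

# Server side: store the CA public key and point sshd at it. Re-running
# replaces any existing TrustedUserCAKeys line instead of appending a second
# one, because sshd only honours the first occurrence of a directive.
trust_ca_key() {
    ca_pubkey="$1"      # CA public key line, as printed by fetch_ca_pubkey
    ca_file="$2"        # e.g. /etc/ssh/trusted-user-ca-keys.pem
    sshd_config="$3"    # e.g. /etc/ssh/sshd_config
    printf '%s\n' "$ca_pubkey" > "$ca_file"
    chmod 644 "$ca_file"
    touch "$sshd_config"
    tmp="$sshd_config.tmp.$$"
    grep -v '^[[:space:]]*TrustedUserCAKeys[[:space:]]' "$sshd_config" > "$tmp" || true
    printf 'TrustedUserCAKeys %s\n' "$ca_file" >> "$tmp"
    mv "$tmp" "$sshd_config"
    # reload sshd afterwards, e.g. systemctl reload ssh
}

# Prints the CA file path sshd will load from a config, or nothing if unset.
trusted_ca_path() {
    awk '$1 == "TrustedUserCAKeys" { print $2; exit }' "$1"
}

# Client side: read the CA public key from Vault (this is what trust_ca_key installs).
fetch_ca_pubkey() {
    vault read -field=public_key "$VAULT_MOUNT/config/ca"
}

# Client side: have Vault sign the client's public key. The role's TTL gives the
# certificate its short life. The cert is written as <key>-cert.pub so that
# "ssh -i ~/.ssh/id_rsa user@host" loads it automatically alongside the key.
sign_client_key() {
    pubkey="$1"                         # e.g. ~/.ssh/id_rsa.pub
    cert="${pubkey%.pub}-cert.pub"
    vault write -field=signed_key "$VAULT_MOUNT/sign/$VAULT_ROLE" \
        public_key=@"$pubkey" > "$cert"
    chmod 600 "$cert"
    ssh-keygen -L -f "$cert"            # shows principals and the validity window
}
```

Checking the certificate with ssh-keygen -L before connecting shows the "Valid:" window, which is how you confirm the short life the Pros list below relies on; when it expires, re-run sign_client_key with a still-valid token rather than touching the server again.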
Pros
- The token never reaches the Internet, and it can be renewed (replaced) at any time
- Signed certificates have a short life
Cons
- Need to save a token
2FA
Steps
Refer to Enable 2FA for Ubuntu
Pros
- Only needs a 2FA application, with the digits appended after the key in the password
- The digits have a short life
LDAP or Kerberos
Instead of every server maintaining its own passwords, passwords are centrally managed by an authentication server.
Cons
- Every server needs a connection to the authentication server
- Cannot log in if the connection to the authentication server is lost
- All servers use the same password
One time password
Retrieve a password from the authentication server, then use it to log in to the remote server.
The remote server verifies it against the authentication server.
Cons
- Every server needs a connection to the password server
- Cannot log in if the connection to the password server is lost