More secure but easy ways to access an SSH server
Besides a user name and password, which are hard to remember if you don't want others to guess them easily, there are other easy ways to protect an SSH server.
This is the simplest way: just generate a key pair.
If more security is needed, generate a 4096-bit RSA key:
ssh-keygen -t rsa -b 4096
Then inject the public key in .ssh/id_rsa.pub into remote
- Needs to be performed for every user
- Public keys of clients need to be injected into all target servers
- No expiration
Refer to Signed SSH Certificates using Hashicorp Vault in Practice
Use the free software HashiCorp Vault to manage signed certificates.
Inject the trusted CA key retrieved from Vault into the target SSH server configuration.
Use an authorized token and the client private key to generate a short-lived signed certificate.
Use the signed certificate and the client private key to log in to the target server.
Note: Only a normal token is needed to generate a signed certificate.
- The authorized token can be renewed (replaced) after use
- The token never reaches the Internet, and it can be renewed (replaced) at any time
- The signed certificate has a short life
A token needs to be saved
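To confirm that certificates issued this way really are short-lived, the validity window can be read from the certificate file itself. The following Python sketch is an added example, not code from the original page or from Vault; it follows the field layout in OpenSSH's PROTOCOL.certkeys, does not verify the signature, and its function names, one-hour limit and sample certificate are constructed assumptions.

```python
import base64
import struct

# Public-key fields between nonce and serial, per type (OpenSSH PROTOCOL.certkeys).
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1}

def read_string(buf, off):
    """Read one length-prefixed SSH string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def pack_string(data):
    return struct.pack(">I", len(data)) + data

def parse_cert(line):
    """Parse the validity fields from one line of an id_rsa-cert.pub file."""
    blob = base64.b64decode(line.split()[1])
    ctype, off = read_string(blob, 0)
    for _ in range(1 + KEY_FIELDS[ctype.decode()]):  # nonce, then key fields
        _, off = read_string(blob, off)
    key_id, off = read_string(blob, off + 12)  # skip uint64 serial, uint32 type
    plist, off = read_string(blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = read_string(plist, p)
        principals.append(name.decode())
    after, before = struct.unpack_from(">QQ", blob, off)
    return {"key_id": key_id.decode(), "principals": principals,
            "valid_after": after, "valid_before": before}

def audit(cert, now, max_lifetime=3600):
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []
    if cert["valid_before"] == 2**64 - 1:  # all-ones means "never expires"
        findings.append("never expires")
    elif cert["valid_before"] - cert["valid_after"] > max_lifetime:
        findings.append("lifetime exceeds limit")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        findings.append("not valid now")
    return findings

def sample_cert(after, before, users):  # constructed: dummy key and signature
    s, t = pack_string, b"ssh-rsa-cert-v01@openssh.com"
    body = (s(t) + s(b"nonce") + s(b"\x01\x00\x01") + s(b"\x00\xaa\xbb")
            + struct.pack(">QI", 1, 1) + s(b"alice-laptop")
            + s(b"".join(s(u.encode()) for u in users))
            + struct.pack(">QQ", after, before) + s(b"") * 5)
    return t.decode() + " " + base64.b64encode(body).decode() + " constructed"
```

For a real certificate, pass the contents of the certificate file to `parse_cert` and the current Unix time as `now`.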
Refer to Enable 2FA for Ubuntu
- Only 2FA software is needed; the digits are added after keying in the password
- The digits have a short life
LDAP or Kerberos
Instead of every server maintaining its own passwords, passwords are centrally managed by an authentication server.
- Every server needs a connection to the authentication server
- Cannot log in if the connection to the authentication server is lost
- All servers use the same password
One time password
Retrieve a password from the authentication server, then use it to log in to the remote server.
The remote server will verify it against the authentication server.
- Every server needs a connection to the password server
- Cannot log in if the connection to the password server is lost