Table of Contents
More secure but easy ways to access SSH server
Except User name and Password, which is hard to remember if you don't want others guess it easily, there are other easy ways to protect SSH server.
Public Key
Steps
This is most a simple way, just generate a pair of key,
ssh-keygenIf need more secure, generate 4096 bit RSA key
ssh-keygen -t rsa -b 4096Then inject public key in .ssh/id_rsa.pub into remote .ssh/authorized_keys
Cons
- Needs to perform for every user
- Needs to inject public keys of clients into all target servers
- No expiration
Signed Certificate
Steps
Refer to Signed SSH Certificates using Hashicorp Vault in Practice
-
Use free software, hashicorp vault to manage signed certificate.
-
Inject trusted CA key retrieved from vault into target SSH server configure,
-
Use authorized token and client private key to generate short life signed certificate
-
Use signed certificate and client private key login to target server
Note: Only need normal token to generate signed certificate
- Authorized token can be renewed (replaced) after used
Pros
- Token never reach Internet, and it can be renewed (replaced) any time
- Signed certificate has short life
Cons
Need to save a token
2FA
Steps
Refer to Enable 2FA for Ubuntu
Pros
- Only need a 2FA software, and adding digits after key in password
- Short life of digits
LDAP or Kerberos
Instead of all servers maintain their own password, passwords are centrally managed by authentication server.
Cons
- Every server needs connection to authentication server
- Cannot login if lost connection to authentication server
- All servers are using same password
One time password
Retrieve password from authentication server, then use it to login to remote server.
Remote server will use it to verify against authentication server.
Cons
- Every server needs connection to password server
- Cannot login if lost connection to password server