
Securing SSH

In the document Red Hat Enterprise Linux 7 Security Guide (Page 61-64)


Chapter 4. Hardening Your System with Tools and Services

4.3.10. Securing SSH

Secure Shell (SSH) is a network protocol used to communicate with another system over a secure channel. Transmissions over SSH are encrypted and protected from interception. See the OpenSSH chapter of the Red Hat Enterprise Linux 7 System Administrator's Guide for general information about the SSH protocol and about using the SSH service in Red Hat Enterprise Linux 7.

Important

This section draws attention to the most common ways of securing an SSH setup. By no means should this list of suggested measures be considered exhaustive or definitive. See sshd_config(5) for a description of all configuration directives available for modifying the behavior of the sshd daemon, and ssh(1) for an explanation of basic SSH concepts.

4.3.10.1. Cryptographic Login

SSH supports the use of cryptographic keys for logging in to computers. This is much more secure than using only a password. If you combine this method with other authentication methods, it can be considered multi-factor authentication. See Section 4.3.10.2, "Multiple Authentication Methods" for more information about using multiple authentication methods. To enable the use of cryptographic keys for authentication, the PubkeyAuthentication configuration directive in the /etc/ssh/sshd_config file needs to be set to yes. Note that this is the default setting. Set the PasswordAuthentication directive to no to disable the possibility of using passwords for logging in.

Two practical caveats apply when disabling passwords. First, make the change from a session that already authenticates with a key, and reload sshd only after a second key-based login has been confirmed to work, so that a mistake does not lock you out. Second, PasswordAuthentication governs only the password method: on Red Hat Enterprise Linux 7, where UsePAM is yes, the keyboard-interactive method can still prompt for the account password through PAM unless ChallengeResponseAuthentication is also set to no, or unless AuthenticationMethods is used to require a key alongside it as described in Section 4.3.10.2.

SSH keys can be generated using the ssh-keygen command. If invoked without additional arguments, it creates a 2048-bit RSA key pair. The keys are stored, by default, in the ~/.ssh directory. You can use the -b switch to modify the bit strength of the key. Using 2048-bit keys is normally sufficient; choose 3072 or 4096 bits for keys expected to stay in service for many years. The Configuring OpenSSH chapter in the Red Hat Enterprise Linux 7 System Administrator's Guide includes detailed information about generating key pairs.

You should see the two keys in your ~/.ssh directory. If you accepted the defaults when running the ssh-keygen command, the generated files are named id_rsa and id_rsa.pub and contain the private and public key respectively. You should always protect the private key from exposure by making it unreadable by anyone but the file's owner: ssh-keygen creates it with mode 0600 inside a 0700 ~/.ssh directory, and the ssh client ignores a private key file that other users can read. Protect the key further with a passphrase when ssh-keygen prompts for one. The public key, however, needs to be transferred to the system you are going to log in to. You can use the ssh-copy-id command to transfer the key to the server:

~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub [user@]server

This command appends the public key to the ~/.ssh/authorized_keys file on the server (note the file name: authorized_keys, plural). The sshd daemon checks this file when you attempt to log in to the server, and with the default StrictModes setting it refuses keys when the user's home directory, ~/.ssh directory or authorized_keys file is writable by other users.

Similarly to passwords and any other authentication mechanism, you should change your SSH keys regularly. When you do, make sure you remove any unused keys from the authorized_keys file; a forgotten old key in that file grants access for as long as someone holds its private half.
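The key installation and rotation steps above, as an added example that is not part of the Red Hat guide: a small POSIX shell helper set that installs a public key into authorized_keys only once, retires a key by its key blob regardless of the comment or options on its line, and enforces the file modes the text calls for. It assumes a Linux host with sh, awk and coreutils and needs no ssh binaries; the two public keys in it are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not taken from the Red Hat guide: authorized_keys hygiene
# for the key-based login of 4.3.10.1. Assumes a Linux host with POSIX sh,
# awk and coreutils; no ssh binaries are needed, so it runs offline.

# Constructed sample public keys, NOT real keys. The base64 blob of every
# OpenSSH public key starts with "AAAA", which the helpers below rely on.
KEY_OLD='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOLDKEYFORROTATION alice@laptop-2015'
KEY_NEW='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYREPLACESOLD alice@laptop-2018'

# Print the key blob from a public key line, skipping any leading
# authorized_keys options and the trailing comment. The blob identifies
# the key regardless of how the line was labelled.
key_blob() {  # key_blob "<pubkey line>"
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }'
}

# Append a public key to authorized_keys unless the same key (same blob,
# whatever the comment) is already there. Returns 1 on a duplicate.
install_pubkey() {  # install_pubkey <authorized_keys> "<pubkey line>"
    ak=$1; blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "install_pubkey: no key blob in input" >&2; return 2; }
    if [ -f "$ak" ] && awk -v b="$blob" \
        '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 } END { exit !found }' "$ak"; then
        echo "install_pubkey: key already present" >&2; return 1
    fi
    ( umask 077; printf '%s\n' "$2" >> "$ak" )   # a new file is created 0600
}

# Remove every line carrying the given key, whatever its options or
# comment: the cleanup step of a key rotation. Returns 1 if it was absent.
retire_pubkey() {  # retire_pubkey <authorized_keys> "<pubkey line or blob>"
    ak=$1; blob=$(key_blob "$2"); [ -n "$blob" ] || blob=$2
    tmp=$(mktemp) || return 2
    awk -v b="$blob" '{ keep = 1; for (i = 1; i <= NF; i++) if ($i == b) keep = 0 } keep' "$ak" > "$tmp"
    if [ "$(wc -l < "$ak" | tr -d ' ')" -eq "$(wc -l < "$tmp" | tr -d ' ')" ]; then
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" > "$ak" && rm -f "$tmp"   # rewrite in place, keeping the file's mode
}

# Enforce the modes the guide calls for (and that keep sshd's StrictModes
# check happy): the directory 0700, private keys and authorized_keys 0600,
# public keys 0644.
fix_key_perms() {  # fix_key_perms <ssh-dir>
    chmod 700 "$1" || return 1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
    done
}

# Demonstration on a throwaway directory standing in for ~/.ssh.
demo=$(mktemp -d)
install_pubkey "$demo/authorized_keys" "$KEY_OLD"
install_pubkey "$demo/authorized_keys" "$KEY_NEW"
retire_pubkey "$demo/authorized_keys" "$KEY_OLD"
fix_key_perms "$demo"
cat "$demo/authorized_keys"   # only the 2018 key remains
rm -rf "$demo"
```

Running it shows a rotation end to end on a throwaway directory; point the functions at the real ~/.ssh/authorized_keys to use them after ssh-copy-id, and keep the current session open until a login with the new key has succeeded.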

4.3.10.2. Multiple Authentication Methods

Using multiple authentication methods, or multi-factor authentication, increases the level of protection against unauthorized access, and as such should be considered when hardening a system to prevent it from being compromised. Users attempting to log in to a system that uses multi-factor authentication must successfully complete all specified authentication methods in order to be granted access.

Use the AuthenticationMethods configuration directive in the /etc/ssh/sshd_config file to specify which authentication methods are to be used. Note that it is possible to define more than one list of required authentication methods using this directive. If that is the case, the user must complete every method in at least one of the lists. The lists need to be separated by blank spaces, and the individual authentication-method names within a list must be comma-separated. Methods within a list are attempted in the order written, so listing publickey first means a user without a valid key is rejected before any password or token prompt appears. For example:

AuthenticationMethods publickey,gssapi-with-mic publickey,keyboard-interactive

An sshd daemon configured using the above AuthenticationMethods directive only grants access if the user attempting to log in successfully completes publickey authentication followed by either gssapi-with-mic or keyboard-interactive authentication.

Note that each of the requested authentication methods needs to be explicitly enabled using a corresponding configuration directive (such as PubkeyAuthentication) in the /etc/ssh/sshd_config file; a method that is listed but disabled can never succeed, so any list containing it can never grant access. On Red Hat Enterprise Linux 7 the keyboard-interactive method is enabled by ChallengeResponseAuthentication yes (the shipped sshd_config sets it to no) and gssapi-with-mic by GSSAPIAuthentication yes. See the AUTHENTICATION section of ssh(1) for a general list of available authentication methods.

4.3.10.3. Other Ways of Securing SSH

Protocol Version

Even though the implementation of the SSH protocol supplied with Red Hat Enterprise Linux 7 supports both the SSH-1 and SSH-2 versions of the protocol, only the latter should be used whenever possible. The SSH-2 version contains a number of improvements over the older SSH-1, and the majority of advanced configuration options is only available when using SSH-2.

Users are encouraged to make use of SSH-2 in order to maximize the extent to which the SSH protocol protects the authentication and communication for which it is used. The version or versions of the protocol supported by the sshd daemon can be specified using the Protocol configuration directive in the /etc/ssh/sshd_config file. The default setting is 2. Leave it there: a value of 2,1 lets a client negotiate SSH-1, whose integrity protection (a CRC-32 checksum rather than a MAC) is known to be breakable. Later OpenSSH releases removed SSH-1 support from sshd entirely.

Key Types

While the ssh-keygen command generates a pair of SSH-2 RSA keys by default, using the -t option, it can be instructed to generate DSA or ECDSA keys as well. The ECDSA (Elliptic Curve Digital Signature Algorithm) offers better performance at the same equivalent symmetric key length. It also generates shorter keys. Avoid creating new DSA keys: ssh-keygen limits them to 1024 bits, and OpenSSH 7.0 and later disable the ssh-dss algorithm by default, so such keys stop working against newer servers. The OpenSSH shipped with Red Hat Enterprise Linux 7 also supports Ed25519 keys (ssh-keygen -t ed25519), which are short and fast and, unlike DSA and ECDSA, do not depend on a high-quality random number for every signature.

Non-Default Port

By default, the sshd daemon listens on network port 22. Changing the port reduces the exposure of the system to attacks based on automated network scanning and cuts the log noise they generate, but it is security through obscurity: a targeted attacker finds the new port with a single port scan, so treat this as a complement to the measures above, not a substitute for them. The port can be specified using the Port directive in the /etc/ssh/sshd_config configuration file. Note also that the default SELinux policy must be changed to allow for the use of a non-default port. You can do this by adding the new port to the ssh_port_t SELinux type by typing the following command as root (the semanage utility is provided by the policycoreutils-python package on Red Hat Enterprise Linux 7):

~]# semanage port -a -t ssh_port_t -p tcp port_number

In the above command, replace port_number with the new port number specified using the Port directive. Verify the result with semanage port -l | grep ssh_port_t, and open the same port in the host firewall (for example firewall-cmd --permanent --add-port=port_number/tcp followed by firewall-cmd --reload) before restarting sshd, keeping an existing session open until the new port is confirmed reachable.

No Root Login

Provided that your particular use case does not require the possibility of logging in as the root user, you should consider setting the PermitRootLogin configuration directive to no in the /etc/ssh/sshd_config file. By disabling the possibility of logging in as the root user, the administrator can audit which user runs what privileged command after they log in as regular users and then gain root rights (through sudo or su). It also removes the one account name that every brute-force campaign tries first. If some automation genuinely needs root over SSH, prefer PermitRootLogin without-password (spelled prohibit-password in newer OpenSSH releases), which permits key-based root logins only, and restrict the key with authorized_keys options such as from= and command=.
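The directives discussed in Sections 4.3.10.1 through 4.3.10.3 (PubkeyAuthentication, PasswordAuthentication, AuthenticationMethods, Protocol and PermitRootLogin) checked together, as an added example that is not from the Red Hat guide: an offline sshd_config audit in POSIX shell. It assumes only sh and awk, reproduces sshd's first-occurrence-wins and case-insensitive keyword handling, and runs over two constructed configurations, one weak and one hardened, rather than any real host's file.

```shell
#!/bin/sh
# Added example, not taken from the Red Hat guide: an offline audit of the
# sshd_config directives from 4.3.10.1 to 4.3.10.3. Assumes POSIX sh and awk.
# The two configurations at the bottom are constructed for the demonstration.

# Effective global value of a directive. sshd keeps the FIRST occurrence of
# a keyword (later repeats are ignored), compares keywords without regard
# to case, and treats everything after a Match line as conditional, so the
# scan stops there.
sshd_get() {  # sshd_get <config-file> <Directive>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Upstream OpenSSH defaults used when the file does not set a directive.
sshd_default() {
    case "$1" in
        PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication) echo yes ;;
        GSSAPIAuthentication|HostbasedAuthentication) echo no ;;
        Protocol) echo 2 ;;
        Port) echo 22 ;;
    esac
}

effective() {  # effective <config-file> <Directive>: file value, else the default
    v=$(sshd_get "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else sshd_default "$2"; fi
}

lc() { tr 'A-Z' 'a-z'; }

# Print one line per finding; return the number of findings (0 = clean).
audit_sshd_config() {  # audit_sshd_config <config-file>
    cfg=$1; n=0
    [ "$(effective "$cfg" Protocol)" = 2 ] ||
        { echo "Protocol must be exactly 2: SSH-1 is obsolete"; n=$((n+1)); }
    [ "$(effective "$cfg" PubkeyAuthentication | lc)" = yes ] ||
        { echo "PubkeyAuthentication is not yes"; n=$((n+1)); }
    [ "$(effective "$cfg" PasswordAuthentication | lc)" = no ] ||
        { echo "PasswordAuthentication is not no: password logins still allowed"; n=$((n+1)); }
    [ "$(sshd_get "$cfg" PermitRootLogin | lc)" = no ] ||
        { echo "PermitRootLogin is not explicitly no"; n=$((n+1)); }
    methods=$(sshd_get "$cfg" AuthenticationMethods)
    if [ -z "$methods" ]; then
        echo "AuthenticationMethods unset: any single enabled method grants access"; n=$((n+1))
    else
        # Lists are blank-separated, methods within a list comma-separated;
        # every method named anywhere must be enabled by its own directive.
        for m in $(printf '%s\n' "$methods" | tr ', ' '\n\n' | sort -u); do
            case "$m" in
                publickey)            d=PubkeyAuthentication ;;
                password)             d=PasswordAuthentication ;;
                keyboard-interactive) d=ChallengeResponseAuthentication ;;
                gssapi-with-mic)      d=GSSAPIAuthentication ;;
                hostbased)            d=HostbasedAuthentication ;;
                *) echo "unknown method '$m' in AuthenticationMethods"; n=$((n+1)); continue ;;
            esac
            [ "$(effective "$cfg" "$d" | lc)" = yes ] ||
                { echo "method $m is required but $d is not yes, so that list can never succeed"; n=$((n+1)); }
        done
    fi
    return "$n"
}

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
# constructed: stock-like RHEL 7 settings plus a common editing mistake
Protocol 2,1
PasswordAuthentication yes
# appended later to "disable passwords", but sshd keeps the first value above
PasswordAuthentication no
PermitRootLogin yes
AuthenticationMethods publickey,gssapi-with-mic publickey,keyboard-interactive
GSSAPIAuthentication no
ChallengeResponseAuthentication no
EOF
cat > "$HARD" <<'EOF'
# constructed: the settings section 4.3.10 recommends, each written once
Protocol 2
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
PermitRootLogin no
AuthenticationMethods publickey,gssapi-with-mic publickey,keyboard-interactive
EOF
echo "== weak =="; audit_sshd_config "$WEAK" || echo "-> $? finding(s)"
echo "== hardened =="; audit_sshd_config "$HARD" && echo "-> clean"
```

Run it against the live file (audit_sshd_config /etc/ssh/sshd_config) before restarting sshd; an empty report is the expected result on a hardened host. It reads only the global section, so anything inside a Match block still needs a manual look, and it checks that the configuration is consistent with itself, not that the key or Kerberos infrastructure behind each method actually works.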
