How To Secure Your OpenSSH 6.2+ Server

Relearning Secure Authentication

Before we even get started on securing OpenSSH you need to make sure your overall security strategy makes sense. Are you securing actual sensitive information or are you just worried about someone snooping your connection? This tutorial assumes you are protecting sensitive data and require very high security to access the server (and its data).

First thing’s first; Forget about traditional password login. Usernames and Passwords are no longer secure enough to be used as a primary security layer (only as a secondary factor). You need to be using Public Key Cryptography (PKI) if you want to do any remotely secure authentication into a server. If you need help getting started using PKI for remote access, please check out another article on Joscor.com that will walk you through that process using hardware tokens: Securing OpenSSH with WWPass PassKey .  If hardware tokens aren’t your thing, browse the web for how to create (and import) certificates.  Be warned though, if you are not using a hardware token with a Secure Element you put yourself at risk of having your keys stolen from wherever you end up storing them.

OpenSSH 6.2+ added some cool new features around hardening and secure authentication. Most importantly, they added support for cascading or layered authentication (combining different authentication schemes for Multi-Factor Authentication).  You can read more about it here: http://lwn.net/Articles/544640/

 

Installing OpenSSH In Ubuntu

Getting started with OpenSSH is extremely easy and requires two commands at the shell (as root). This installs the OpenSSH server package as well as lists of known vulnerable OpenSSH keys (“blacklist keys”) to check against to make sure the keys you use are OK for use.

# apt-get update;
# apt-get install openssh-server openssh-blacklist openssh-blacklist-extra;

 

Allow Authorized Users (Pubkey)

This tutorial assumes you know a bit about public keys and have them generated already for use. If you’re not familiar with PKI or how to configure the authorized_keys file in Linux, please read through Securing OpenSSH with WWPass PassKey and (if your server uses encrypted home directories) Putty SSH “Server refused our key” Fix. Basically, you should now have your authorized_keys file(s) set up with public keys of the users you want to grant access to.

 

Hardened OpenSSH Server Config Example

Edit /etc/ssh/sshd_config as root/sudo and replace it with the following config. Some settings may not be relevant to your environment but it’s a great starting point for a secure OpenSSH server config. Comments in the example outline what you can tweak and how it works line-by-line.

# TCP port to bind to
# Change to a high/odd port if this server is exposed to the internet directly

Port 22

# Bind to all interfaces (change to specific interface if needed)
ListenAddress 0.0.0.0

# Force SSHv2 Protocol
Protocol 2

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Deny all other users besides the following
AllowUsers jcornutt

# Client timeout (5 minutes)
ClientAliveInterval 300
ClientAliveCountMax 0

# Compression (only after authentication)
Compression delayed

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication must happen within 30 seconds
LoginGraceTime 30

# Disable root SSH access
PermitRootLogin no
PermitEmptyPasswords no

# Check user folder permissions before allowing access
StrictModes yes

# Public key authentication + Password authentication
# Two-Factor Authentication in OpenSSH v6.2+
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# Change this depending on where your authorized_keys file is
# This is set as a workaround when using encrypted home directories
# Link: https://joscor.com/2013/05/putty-server-refused-our-key/
AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys

# Message Authentication Code (Hash, only SHA2-512)
# SHA-256 included for compat with PuTTY-WinCrypt clients
MACs hmac-sha2-512,hmac-sha2-256

# Ciphers (only secure AES-256)
Ciphers aes256-cbc,aes256-ctr

# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

# Don’t read the user’s ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Disable unused authentication schemes
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM no

# X11 support
X11Forwarding no

# Don’t show Message of the Day
PrintMotd no

# TCPKeepAlive (non-tunneled, disabled)
TCPKeepAlive no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

 

The End Result

With this setup, a user attempting to log into this OpenSSH server will need to provide a valid username, a valid PKI private key that matches the user’s authorized public key, and finally, the user’s password.  Without any one of these authentication factors, the user will not be allowed access to the server.  That’s pretty good security if you ask me. 🙂

OpenSSH Two-Factor Authentication

Using Multi-Factor Authentication with OpenSSH 6.2

Pin It on Pinterest

Share This