How to establish a secure SSH connection?


1 Overview

Connecting to a server with SSH is an everyday task, but whether that connection is secure enough is a real concern. This article describes how to establish a sufficiently secure SSH connection from the following aspects:

  • Port
  • Protocol
  • Users
  • Password
  • Key pair
  • ssh-agent

2 Port

The first step is to change the default port 22: edit the Port directive in /etc/ssh/sshd_config. For example, change it to port 1234:

Port 1234

Note that SELinux must also be told about the new port, otherwise the sshd service will not start. On CentOS 8 the port can be added with semanage; first check whether policycoreutils-python-utils is installed:

rpm -qa | grep policycoreutils-python-utils

If it is not installed, install it with yum:

sudo yum install policycoreutils-python-utils

Then add the ssh port:

sudo semanage port -m -t ssh_port_t -p tcp 1234

Check whether it is added successfully:

sudo semanage port -l | grep ssh 
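The port change above, as an added example script that is not part of the original post: it rewrites the Port directive idempotently (replacing a commented-out "#Port 22" rather than leaving two lines), registers the port with SELinux, and runs sshd's own config test before restarting, because a typo in sshd_config that is only noticed at restart can lock you out of the server. It assumes CentOS 8 with policycoreutils-python-utils installed and is run as root.

```shell
#!/bin/sh
# Added example (not from the original post): change the sshd port safely.
# Run as root on CentOS 8 with policycoreutils-python-utils installed.

# set_sshd_option FILE KEY VALUE: replace an existing (possibly commented-out)
# "KEY ..." line with "KEY VALUE", or append the directive if it is absent.
# Works on any file, so it can be exercised on a copy of sshd_config first.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: first uncommented value, which is the one sshd uses.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# change_port PORT [CONFIG]: edit, register with SELinux, validate, restart.
change_port() {
    port=$1 cfg=${2:-/etc/ssh/sshd_config}
    cp "$cfg" "$cfg.bak" || return 1
    set_sshd_option "$cfg" Port "$port"
    # SELinux must allow sshd to bind the new port: -m modifies an existing
    # mapping, -a is needed when the port is not yet defined at all.
    semanage port -m -t ssh_port_t -p tcp "$port" 2>/dev/null ||
        semanage port -a -t ssh_port_t -p tcp "$port" || return 1
    semanage port -l | grep -w ssh_port_t
    # Validate before restarting; restore the backup if sshd rejects the file.
    if sshd -t -f "$cfg"; then
        systemctl restart sshd
    else
        cp "$cfg.bak" "$cfg"
        echo "sshd -t rejected the new config; original restored" >&2
        return 1
    fi
}

# Usage as root: ./change-port.sh 1234
if [ $# -gt 0 ]; then change_port "$1"; fi
```

Keep the existing session open while testing the new port from a second terminal; only close it once the new connection works.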


3 SSH protocol

The SSH2 protocol is better than SSH1, so it is recommended to modify the configuration file as follows:

Protocol 2 # add it at the end if it is not present

Note that after the server adds Protocol 2, the client also needs Protocol 2 added in /etc/ssh/sshd_config.

4 Timeout disconnection

Disconnect automatically after 60 s without activity:

ClientAliveInterval 60
# in seconds: the session is disconnected automatically after more than 60 s without activity

ClientAliveCountMax 0
# if the client does not respond, that counts as a timeout; this parameter sets the number of timeouts allowed

5 Restricting users

5.1 Disable root login

PermitRootLogin no

5.2 Allow specified users

AllowUsers testuser

Now the server can only be reached with ssh [email protected].

In addition, a user can be restricted to a specified IP. For example, the author's local intranet IP is 192.168.1.7, so the line becomes:

AllowUsers [email protected]

Other IPs then cannot log in.

5.3 Deny specific users

DenyUsers testuser

testuser is not allowed to log in.

Similar configurations are AllowGroups and DenyGroups.

6 Password

6.1 Disable (empty) password login

PermitEmptyPasswords no
PasswordAuthentication no

6.2 Number of failed attempts

MaxAuthTries 6

The default of 6 allows at most 3 wrong passwords (the value divided by 2); changing it to 2 means that one wrong password disconnects the session automatically.

7 Log

The LogLevel defaults to INFO; change it to VERBOSE to get more detailed information.
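As an added example that is not part of the original post, the following shell audit reads an sshd_config and reports where it deviates from the settings recommended in sections 3 to 7 (port, protocol, timeout, root login, password, log level). It assumes sshd's rule that the first occurrence of a directive wins and uses sshd's built-in defaults for directives that are absent; AllowUsers is site-specific and is not checked.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config against the
# hardening settings described in the post. Constructed checks, not sshd's own.

# effective FILE KEY DEFAULT: first uncommented value (lowercased), or DEFAULT.
effective() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    printf '%s' "${v:-$3}"
}

# audit_sshd_config FILE: print one line per finding, set AUDIT_FINDINGS to
# the number of findings, and return non-zero when there is at least one.
audit_sshd_config() {
    cfg=$1 AUDIT_FINDINGS=0
    fail() { echo "  $1"; AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)); }
    # expect DIRECTIVE WANT DEFAULT: flag when the effective value differs.
    expect() {
        got=$(effective "$cfg" "$1" "$3")
        [ "$got" = "$2" ] || fail "$1 is '$got', recommended '$2'"
    }
    [ "$(effective "$cfg" Port 22)" != 22 ] || fail "Port is still the default 22"
    expect Protocol 2 unset              # the post says to add it explicitly
    expect ClientAliveInterval 60 0      # 0 = never send keepalives
    expect ClientAliveCountMax 0 3
    expect PermitRootLogin no yes
    expect PermitEmptyPasswords no no
    expect PasswordAuthentication no yes
    [ "$(effective "$cfg" MaxAuthTries 6)" -le 6 ] || fail "MaxAuthTries is above 6"
    expect LogLevel verbose info
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Usage: ./audit-sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then audit_sshd_config "$1" && echo "compliant"; fi
```

ClientAliveCountMax 0 behaves as the post describes on OpenSSH 8.0 (CentOS 8), but from OpenSSH 8.2 onwards a value of 0 disables connection termination instead, so use 1 there. OpenSSH 7.6 and later speak only protocol 2, so the Protocol directive is deprecated on those versions.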

8 Key pair

8.1 Generating key pairs

Password login has been disabled, which means you must log in with a key. Generating a key is not difficult:

ssh-keygen -t rsa 

You only need to specify the algorithm. The default is 3072 bits; 4096 bits is optional.

However, compared with traditional RSA, OpenSSH 6.5 introduced a more secure algorithm called Ed25519, based on elliptic-curve cryptography. The advantages of Ed25519 over RSA are:

  • Smaller size: an RSA 3072 public key is 544 characters, an Ed25519 key only 68 characters
  • Faster: key generation is faster than RSA, and signing and verification are faster than RSA
  • More secure: the signing process does not depend on a random number generator, does not rely on the collision resistance of the hash function, and is not subject to timing side-channel attacks

The generation method is simple:

ssh-keygen -a 100 -t ed25519 -f ~/.ssh/ed25519

The parameters are described as follows:

  • -a: number of rounds of the KDF (key derivation function) used to protect the private key
  • -t: the algorithm; options are dsa, ecdsa, ecdsa-sk, ed25519, ed25519-sk and rsa
  • -f: the output file location

Copy the public key after generation:

ssh-copy-id [email protected] -i ~/.ssh/

8.2 Private key passphrase

For example, when the key pair is generated as above, you are prompted to enter a passphrase for the private key. That passphrase is then requested every time you connect with the private key.

8.3 Using different key pairs

Suppose you have multiple servers, server1, server2 and server3. You can use a different key pair for each server instead of the same one:

ssh-keygen -a 100 -t ed25519 -f ~/.ssh/server1
ssh-keygen -a 100 -t ed25519 -f ~/.ssh/server2
ssh-keygen -a 100 -t ed25519 -f ~/.ssh/server3

Then copy the public key to the corresponding server:

ssh-copy-id [email protected] -i ~/.ssh/
ssh-copy-id [email protected] -i ~/.ssh/
ssh-copy-id [email protected] -i ~/.ssh/

9 ssh-agent

9.1 What is it?

ssh-agent is a program that helps manage private keys. It serves the following purposes:

  • Automatic key selection: when different keys are used for different hosts, you normally have to specify the key manually (as in the "Using different key pairs" example above, where the -i parameter must be added when connecting to each server); ssh-agent selects the key automatically
  • Automatic passphrase entry: if the private key has a passphrase (as in the "Private key passphrase" example above) but is used frequently for authentication, ssh-agent can supply the passphrase for you

9.2 Usage

Start it first:

eval `ssh-agent`  # note the backquotes

Then add the private keys:

# using the "Using different key pairs" example above
ssh-add ~/.ssh/server1
ssh-add ~/.ssh/server2
ssh-add ~/.ssh/server3

Now there is no need to specify the -i parameter manually when connecting.

If the private key has a passphrase, ssh-add prompts for it when the key is added. After that, there is no need to enter the passphrase the next time you connect with that key.
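The agent workflow of this section, as an added example script that is not part of the original post: it starts one agent for the current shell, loads the per-server keys from section 8.3, and checks each key file first, because ssh-add refuses a private key that other users can read (the "permissions are too open" error). The key paths ~/.ssh/server1, ~/.ssh/server2 and ~/.ssh/server3 are assumed from section 8.3.

```shell
#!/bin/sh
# Added example (not from the original post): load per-server keys into
# ssh-agent, rejecting key files that ssh-add would refuse anyway.

# usable_keys KEY...: print the keys ssh-add will accept, one per line.
# Returns 1 if any key was missing or had permissions wider than 0600.
usable_keys() {
    rc=0
    for key in "$@"; do
        if [ ! -f "$key" ]; then
            echo "missing: $key" >&2; rc=1; continue
        fi
        # GNU stat first, BSD stat as fallback; both print the octal mode.
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            600|400) echo "$key" ;;
            *) echo "permissions $mode too open, run chmod 600: $key" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# load_agent KEY...: start an agent if this shell has none, add the keys,
# then list the loaded fingerprints so the result can be verified.
load_agent() {
    if [ -z "$SSH_AUTH_SOCK" ]; then
        eval "$(ssh-agent -s)" >/dev/null   # same as eval `ssh-agent`, without backquotes
    fi
    usable_keys "$@" | while read -r key; do
        ssh-add "$key"   # prompts once for the key's passphrase, if it has one
    done
    ssh-add -l
}

# Usage: . ./load-keys.sh; load_agent ~/.ssh/server1 ~/.ssh/server2 ~/.ssh/server3
```

Source the script rather than executing it, so that the SSH_AUTH_SOCK variable set by ssh-agent stays in your interactive shell.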

10 2FA

Two-Factor Authentication, abbreviated 2FA and also called two-step verification, is, as the name suggests, a two-step authentication process. Available applications include:

  • Google Authenticator
  • Authy
  • Yubico
  • Duo

With Google Authenticator, for example, after installation you must enter a verification code to connect to the server.

I won’t demonstrate it specifically; because the author needs to connect frequently, this option is not practical for the author. If you want to implement it, you can refer to it here.

11 References
