Skip to main content

secure ssh access using keys

In order to secure SSH access to a newly deployed Linux server it is highly recommended you disable password based SSH logins and instead force key based logins as it practically eliminates the possibility of a brute force login attack being successful. There are a few steps to setting this up which I go through below.

Stage 1: Account Setup

We're assuming the only account on first boot is root so first thing we need to do is create a new user for remote access and give it sudo privileges.

useradd -m srvadmin
passwd srvadmin
usermod -a -G sudo srvadmin

Stage 2: Key Setup

On your local machine or whatever machine you will be connecting to the server from, create a key pair for use in authenticating to the server. Then we copy the public key to the remote server under the user we created earlier (srvadmin). In the example below we user ssh-copy-id to copy the public key over but it could be done manually too.

ssh-keygen -f ~/.ssh/srv02_key

ssh-copy-id -i .ssh/ srvadmin@srv02

Stage 3: Testing

Leaving the current session from Stage 1 running, start a new session logging in with the new account. If everything went well we will not be asked for a login password as it will first try using our key to authenticate, note if you set a password to protect your key you will be asked for that.

We then run any command with sudo to confirm we have successful remote access to the server and can perform admin tasks without using the root account.

ssh srvadmin@srv02

sudo ls /var/log

Stage 4: SSH Lock-down

Once everything worked at the above stages we now need to do two things to lock down the sever. First we disable ssh password logins and second we disable root access over ssh. For these reasons it is imperative you test your remote access using the none-root account before disabling root access over ssh.

Set the two parameters below in the /etc/ssh/sshd_config config file then restart the sshd service

sudo vi /etc/ssh/sshd_config

PermitRootLogin no
PasswordAuthentication no

sudo systemctl restart sshd

To test you can exit from the root session from Stage 1 and try connecting again, you should receive an error. e.g.:

root@srv02: Permission denied (publickey).