[LUAU] Excellent SSH advice

R. Scott Belford scott at hosef.org
Fri Dec 17 12:53:51 PST 2004 

In monitoring the K12OSN list, the following piece of SSH advice was 
eloquently shared by a gentleman by the name of Rob Owens.  It is so 
good that it *must* be shared.


Quoted from Rob Owens

"The topic of ssh security was touched upon in the "uh oh" thread.  I 
have a couple comments about it.

I recommend disabling password authentication in sshd_config:
PasswordAuthentication no

How then will the user be authenticated?  Using keys.
PubkeyAuthentication yes

Any user who wishes to use ssh must generate a key using the ssh-keygen 
utility.  Note that the key can utilize a passphrase if desired.

The advantages of this setup are as follows:

Suppose I am a hacker.  I see that your server is listening for ssh 
attempts.  I start attempting at guessing usernames.  If I manage to 
guess that you have a user named "John", then I need to guess has 
password.  Unless John doesn't even have a password!  To cover this 
scenario, your sshd_config file should contain this line (I believe it 
is the default in most systems):
PermitEmptyPasswords no

So I guess that John's password is "computer2004" and now I'm in.  But 
if password authentication was disabled, I'd need to have John's key.  A 
key is a large (I forget how many bits), seemingly random string of 
characters.  If I managed to steal a copy of John's key somehow (maybe 
it was on a floppy disk that I stole from him), I would still need to 
guess his passphrase in order to activate the key.  This is of course 
assuming he used a passphrase when he generated the key.


Your regular user password needs to be secure enough to keep people with 
physical access to your machines from logging in as you.  You might feel 
comfortable with a password that is 10 characters long.  But ssh allows 
anybody on the internet to try to log in as you.  For this you might not 
be satisfied with a 10 character password and instead require 20 or 30 
characters.  But a 30 character password is a pain in the neck to type 
in every time you log into your machine.  This is why keys and 
passphrases are so great.  You have extra protection for remote access, 
but you are not hassled when trying to log in locally.  Your ssh 
passphrase can be 30 characters long, and you can keep your 10 character 
local password.


Some other precautions to take with ssh are:

LoginGraceTime -- the default is 120 (seconds) but you can shorten it. 
This gives a hacker less time to guess at your passwords, keys, or 
passphrases before he is forced to re-initiate contact w/ your server.

MaxStartups
This is the maximum # of unauthenticated users who can attempt 
authentication at the same time.  The default is 10 on my system.  Keep 
this to a reasonable amount so that a hacker cannot run 50 simultaneous 
attempts that are all working in unison, guessing login names and 
passwords.  If the admin is the only one using ssh, then setting this to 
1 would be good.  Note that this does not control the maximum 
simultaneous ssh sessions, just the maximum simultaneous connection 
attempts.

PermitRootLogin no
Every hacker knows there is a user named "root" on your system.  Don't 
allow root to ssh.  Instead, ssh as your regular user and then su to 
become root.  The hacker will then need to guess 2 sets of passwords in 
order to do get root access.

AllowGroups
AllowUsers
These options are self-explanatory.  If the administrator is the only 
one who needs to use ssh, then don't allow anybody else access.  That 
makes for a lower number of valid login names for a hacker to guess at.

One more note about keys:

ssh uses keys for its data encryption and as a way to verify the 
identity of the machines.  These are the files you'll find in /etc/ssh. 
  These keys are typically generated automatically by the ssh package 
you install.  This is different that the keys I referred to above.  The 
keys I'm talking about are used for user authentication, and they are 
found in the appropriate subdirectories of ~/.ssh on the local and 
remote machines.

I'm not an expert on this, I've just read up on it a bit.  If I've left 
anything out or made any mistakes, somebody please post it."

Quoted from Rob Owens

More information about the LUAU mailing list