
#1 2010-01-05 19:56:22

f4hy
Member
From: Pittsburgh Pa
Registered: 2009-02-08
Posts: 55

What is a good way to make key only ssh authentication practical

I am looking for some advice about ssh key management.

Basically, for all the work I do, I ssh into my desktop at home. I store everything there, and being able to SSH in is amazing, since I can work from anywhere. I started noticing that my desktop was under constant brute force ssh attacks, so I decided to remove password authentication. (I am aware of things like port knocking, but that seems even less convenient.)

Now key authentication is great as long as I am on my netbook, but if I want to use a friend's or family member's computer I can no longer access my desktop. One solution is to keep a private key on a flash drive so I can use it anywhere, but I always worry that installing the same private key everywhere I go is not very secure, in case I forget to remove it when I am done. Also, physically losing the flash drive worries me.

The other solution I have been using is to have a box at work that is able to access my desktop with keys; I ssh into it and then hop again to my desktop. This allows me to scp a newly generated public key to my desktop if I want to add a machine, but it is cumbersome.

I am just curious how other users handle situations like this. Any clever solutions?

#2 2010-01-05 20:00:46

rebugger
Member
From: Germany
Registered: 2007-10-28
Posts: 229

Re: What is a good way to make key only ssh authentication practical

Another hint: change the ssh port to something other than 22.
I did this on my webserver and the brute-force attacks (made by bots) went from 500/day to 20/week.

And by the way: choose a good and long password.

#3 2010-01-06 06:32:36

seiichiro0185
Member
From: Leipzig/Germany
Registered: 2009-04-09
Posts: 226
Website

Re: What is a good way to make key only ssh authentication practical

For accessing my machines from (Windows) machines I use the portable PuTTY client from www.portableapps.com. It's on my flash drive along with a private key (that has a strong password, so losing it won't be that dramatic). It runs completely off the flash drive and doesn't store anything on the machine, so the key always stays only on the flash drive. Unfortunately I haven't found a solution like this for Linux machines so far (but most people where I would need this are running Windows on their machines anyway).

And I also recommend changing the ssh port to something other than 22, like rebugger said. It really reduces the brute-force attacks, since most bots attack only port 22.


My System: Dell XPS 13 | i7-7560U | 16GB RAM | 512GB SSD | FHD Screen | Arch Linux
My Workstation/Server: Supermicro X11SSZ-F | Xeon E3-1245 v6 | 64GB RAM | 1TB SSD Raid 1 + 6TB HDD ZFS Raid Z1 | Proxmox VE
My Stuff at Github: github
My Homepage: Seiichiros HP

#4 2010-01-06 07:04:01

Zeist
Arch Linux f@h Team Member
Registered: 2008-07-04
Posts: 532

Re: What is a good way to make key only ssh authentication practical

Also, besides changing the port, I would set it so that it ignores login attempts from an IP for a minute or so if it has failed to log in once; that tends to also help discourage people.


I haven't lost my mind; I have a tape back-up somewhere.
Twitter

#5 2010-01-06 15:55:38

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542
Website

Re: What is a good way to make key only ssh authentication practical

1. +1 Change your ssh port!!
2. I have a flash drive with two partitions -- the first is a vfat partition with docs and some portable apps installed, as seiichiro0185 said -- putty with the strong private key. The second partition is a larch install, so I can boot into Arch and work from the flash drive with my usual tools if possible -- then I have all my normal ssh configs and keys and have ssh-agent running for convenience -- and no tracks are left on the host machine. Someone who got ahold of your flash drive would really need to be knowledgeable to get your private keys... which they would still have to crack the passphrase on anyway :) Just don't accidentally leave your public key on the flash drive, too!
3. On your server also make sure root login is disabled.

Scott
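A check that goes with the flash-drive advice in this post and seiichiro0185's, added here as an example (it is not code posted in the thread): a small Python script that reads a private key file and reports whether it is actually passphrase-protected, so a key generated with an empty passphrase does not end up on the drive by accident. It parses the header of the `openssh-key-v1` format (cipher and KDF names come right after the magic string) and the `Proc-Type`/`DEK-Info` headers of legacy PEM keys. The keys it checks are constructed inside the script and carry no real key material; `make_sample_openssh_key` exists only to build those samples.

```python
"""Report whether an SSH private key file is passphrase-protected (added example)."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the openssh-key-v1 binary blob


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, offset):
    """Decode one SSH wire-format string at `offset`; return (data, next_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated string")
    return buf[start:start + length], start + length


def private_key_protection(key_text):
    """Classify a private key file as 'unencrypted', 'encrypted (...)' or 'unknown format'."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown format"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body)
            if not blob.startswith(OPENSSH_MAGIC):
                return "unknown format"
            # Layout: magic, ciphername, kdfname, kdfoptions, number of keys, ...
            cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
            kdf, _ = _read_string(blob, off)
        except (ValueError, struct.error):
            return "unknown format"
        if cipher == b"none":
            return "unencrypted"
        return f"encrypted ({cipher.decode()}, {kdf.decode()})"
    # Legacy PEM keys (BEGIN RSA/DSA/EC PRIVATE KEY) signal encryption with headers.
    if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:]):
        return "encrypted (PEM, DEK-Info)"
    return "unencrypted"


def make_sample_openssh_key(cipher, kdf):
    """Build a CONSTRUCTED openssh-key-v1 file containing only the header fields
    (no key material), armoured the way ssh-keygen writes it. Sample data only."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM samples; the base64 body is filler, not a key.
LEGACY_ENCRYPTED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQgc2FtcGxlLCBubyBrZXkgbWF0ZXJpYWw=
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBubyBrZXkgbWF0ZXJpYWw=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    import sys
    # Usage: python keycheck.py ~/.ssh/id_ed25519  (or run without arguments for the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(sys.argv[1], "->", private_key_protection(fh.read()))
    else:
        print("sample none/none      ->", private_key_protection(make_sample_openssh_key(b"none", b"none")))
        print("sample aes256/bcrypt  ->", private_key_protection(make_sample_openssh_key(b"aes256-ctr", b"bcrypt")))
        print("legacy encrypted PEM  ->", private_key_protection(LEGACY_ENCRYPTED_PEM))
        print("legacy plain PEM      ->", private_key_protection(LEGACY_PLAIN_PEM))
```

If the script reports `unencrypted` for a key that is about to travel on a flash drive, `ssh-keygen -p -f <keyfile>` adds a passphrase in place without changing the public key.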

#6 2010-01-07 04:10:11

delerious010
Member
From: Montreal
Registered: 2008-10-07
Posts: 72

Re: What is a good way to make key only ssh authentication practical

I've just been leaving my ssh key in my gmail account with a nice long pass-phrase, and I rotate it on a weekly basis. And my servers / VMs are all running LPK-patched openssh, so my key's stored in LDAP, which kills all key deployment issues I may have.

One thing, though, that I've also gotten into the habit of doing with any externally facing ssh is setting up connection throttling for ssh. By default, I've got iptables (via shorewall) limiting ssh connections per IP per minute to a low number to alleviate brute force notifications in my log files.

Most "real" users don't try to establish all that many ssh connections at once anyhow, so this doesn't cause a problem. And "power" users (me) have SSH configured to reuse the open socket to the host, so the firewall's not seeing any new connections being established anyhow.

#7 2010-01-07 06:52:51

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: What is a good way to make key only ssh authentication practical

Allow only certain usernames, and change your port as said. The latter should filter out 99.99% of the bots that scan SSH ports. Key-based authentication is always preferable to password-based, but it can indeed be very inconvenient if you have to access the system from outside your LAN - exposing your key (especially if you did not set a password on it, as some people like to do) is a security risk by itself.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
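Between this post and firecat53's the thread has named most of the sshd_config settings that matter here: key-only logins, no root login, an explicit user list and a non-default port. The script below, added as an example and not something posted in the thread, audits an sshd_config text for those settings. It follows sshd's own parsing rules as far as they matter for the check: directive names are case-insensitive, the first occurrence of a directive wins (a later "fix" further down the file is silently ignored), and lines under a `Match` block apply only to matching connections, so the audit reads the global section. The two configs it checks are constructed samples.

```python
"""Audit an sshd_config for the hardening settings discussed in the thread (added example)."""
import re

# OpenSSH's defaults when a directive is absent. PermitRootLogin defaults to
# prohibit-password in current releases (it was "yes" in older ones); either way
# root can still log in with a key unless it is set to "no".
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "allowusers": "",
    "port": "22",
}

# directive -> (predicate over the lower-cased effective value, explanation)
CHECKS = {
    "passwordauthentication": (lambda v: v == "no", "password logins should be off (keys only)"),
    "pubkeyauthentication": (lambda v: v == "yes", "public-key logins must stay enabled"),
    "permitrootlogin": (lambda v: v == "no", "direct root login should be disabled"),
    "allowusers": (lambda v: v != "", "restrict logins to an explicit list of users"),
    "port": (lambda v: v != "22", "move sshd off port 22 to shed scanner noise"),
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section, first occurrence wins.

    Directives after a `Match` line apply conditionally, so they are skipped;
    check those separately if you rely on them (e.g. passwords only from the LAN)."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)               # sshd keeps the FIRST value
    return effective


def audit(text):
    """Return a list of (directive, effective_value, explanation) for every failed check."""
    effective = parse_sshd_config(text)
    findings = []
    for key, (ok, why) in CHECKS.items():
        value = effective.get(key, DEFAULTS[key])
        if not ok(value.lower()):
            findings.append((key, value or "<unset>", why))
    return findings


# Constructed sample: a stock config with password logins still on. Note the
# second PasswordAuthentication line, which sshd ignores because of first-wins.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# someone later "fixed" it here, but this line has no effect:
PasswordAuthentication no
"""

# Constructed sample of the setup the thread recommends, with a LAN exception
# in a Match block that the global audit deliberately does not read.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers f4hy
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for directive, value, why in findings:
            print(f"  {directive} = {value}: {why}")
```

To run it against the live file, pass `open("/etc/ssh/sshd_config").read()` to `audit()`; after changing the real config, `sshd -t` validates the syntax before a restart.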

#8 2010-01-07 09:20:27

toad
Member
From: if only I knew
Registered: 2008-12-22
Posts: 1,775
Website

Re: What is a good way to make key only ssh authentication practical

Zeist wrote:

Also, besides changing the port, I would set it so that it ignores login attempts from an IP for a minute or so if it has failed to log in once; that tends to also help discourage people.

I'd do it for a day or so - but I don't know where! A quick Google search told me about fail2ban, but isn't there something one can tweak in /etc/ssh/*.conf?


never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::

#9 2010-01-07 10:03:54

theDOC
Member
From: Aachen, Germany
Registered: 2009-06-18
Posts: 50

Re: What is a good way to make key only ssh authentication practical

Maybe you can set up a "guest" account with a 2nd key that you can take to your friends. The guest account has no rights other than being able to su to your real account. Or, you can set up a 2nd key in your main account that is protected by a strong password.

#10 2010-01-07 10:54:49

e_tank
Member
Registered: 2006-12-21
Posts: 80

Re: What is a good way to make key only ssh authentication practical

I've done the following simple steps to help thwart ssh brute force attacks on my machine (password auth):
1. Changed the default port
2. Made sure root login was disabled
3. Only allow certain users
4. Configured iptables with the script found on the Arch wiki Simple Stateful Firewall page, which contains a rule chain for ssh that checks if an IP has made >= 8 connections within 30 mins and, if so, blocks them out for 30 mins (it resets to 30 mins if they try to connect again during the original ban). Since iptables can't distinguish between successful and failed logins I bumped the connection count up a little, but other than that my iptables config is nearly identical.

I haven't gotten any brute force ssh attempts, but then again I don't normally allow ssh connections outside my local network. However, I have gotten ftp brute force attempts, which have been thwarted by the same iptables rules that I use for ssh.

Also, I haven't used it myself yet, but you might want to check out denyhosts, which watches your sshd log for brute force attempts and automatically adds them to hosts.deny.

Last edited by e_tank (2010-01-07 11:29:46)
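The rule chain described in step 4, and the per-IP-per-minute throttle delerious010 uses, both rest on the netfilter `recent` module, so one model serves both. The Python below is an added example, not e_tank's script or the wiki's: it assumes a chain that records every new SSH connection in a `recent` list (`--set`) and then drops the packet if the address has at least `hitcount` entries within `seconds` (`--update --seconds 1800 --hitcount 8`). Because `--update` records dropped attempts too, a host that keeps hammering stays blocked, while one that stops for the full window ages out, which is the "reset" behaviour described above; as e_tank notes, the chain counts connections, not failed logins, so a legitimate burst can trip it too. The attempt timeline and the addresses are constructed (RFC 5737 documentation ranges).

```python
"""Model of an iptables `-m recent` throttling chain for SSH (added example).

Assumed chain shape (constructed for this example; the wiki's exact rules are
not quoted in the thread):
    iptables -A SSH_CHECK -m recent --name SSH --set
    iptables -A SSH_CHECK -m recent --name SSH --update --seconds 1800 --hitcount 8 -j DROP
    iptables -A SSH_CHECK -j ACCEPT
"""
from collections import defaultdict, deque

# Constructed addresses from the RFC 5737 documentation ranges.
ATTACKER = "203.0.113.7"
LEGIT = "198.51.100.2"


class RecentList:
    """Per-address timestamp list with the semantics of `-m recent --set/--update`."""

    def __init__(self, seconds, hitcount, max_entries=20):
        self.seconds = seconds      # --seconds: window length
        self.hitcount = hitcount    # --hitcount: hits within the window that trigger DROP
        # The module remembers a bounded number of timestamps per address
        # (module parameter ip_pkt_list_tot, default 20).
        self.hits = defaultdict(lambda: deque(maxlen=max_entries))

    def connection(self, ip, now):
        """Process one new connection from `ip` at time `now` (seconds) and return
        the verdict. `--set` runs first, so the attempt is recorded whether or not
        it is then dropped; that is what keeps a persistent attacker blocked."""
        q = self.hits[ip]
        q.append(now)
        in_window = sum(1 for t in q if now - t <= self.seconds)
        return "DROP" if in_window >= self.hitcount else "ACCEPT"


def simulate(attempts, seconds, hitcount):
    """Replay (time, ip) connection attempts in time order; return {ip: [verdict, ...]}."""
    rl = RecentList(seconds, hitcount)
    verdicts = defaultdict(list)
    for t, ip in sorted(attempts):
        verdicts[ip].append(rl.connection(ip, t))
    return dict(verdicts)


def brute_force_timeline():
    """e_tank's parameters (8 connections / 30 min) against a constructed timeline:
    a bot connecting once a minute for half an hour, then returning after a long
    pause, plus a legitimate user opening three sessions in the same period."""
    attempts = [(t, ATTACKER) for t in range(0, 1800, 60)]   # 30 attempts, one per minute
    attempts.append((3700, ATTACKER))                         # returns after >30 min of silence
    attempts += [(5, LEGIT), (600, LEGIT), (1200, LEGIT)]
    return simulate(attempts, seconds=1800, hitcount=8)


def per_minute_throttle():
    """delerious010's variant: a low per-IP connection count per minute. Four
    connections in 15 s trips it; the same client is let through again at t=70
    once enough of its earlier connections have left the 60 s window."""
    attempts = [(t, LEGIT) for t in (0, 5, 10, 15, 70)]
    return simulate(attempts, seconds=60, hitcount=4)[LEGIT]


if __name__ == "__main__":
    for ip, verdicts in brute_force_timeline().items():
        print(f"{ip:15} " + "".join(v[0] for v in verdicts))   # A = ACCEPT, D = DROP
    print(f"{LEGIT:15}", per_minute_throttle())
```

The per-minute variant is also why the socket reuse delerious010 mentions matters: with `ControlMaster` in the client config, several ssh/scp sessions share one TCP connection and count once against the firewall's limit.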

#11 2010-01-07 12:00:15

Zeist
Arch Linux f@h Team Member
Registered: 2008-07-04
Posts: 532

Re: What is a good way to make key only ssh authentication practical

toad wrote:
Zeist wrote:

Also, besides changing the port, I would set it so that it ignores login attempts from an IP for a minute or so if it has failed to log in once; that tends to also help discourage people.

I'd do it for a day or so - but I don't know where! A quick Google search told me about fail2ban, but isn't there something one can tweak in /etc/ssh/*.conf?

I don't know if there is anything in sshd itself that can do it; I use fail2ban.


I haven't lost my mind; I have a tape back-up somewhere.
Twitter
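What fail2ban does for this case, reduced to an added Python example (this is not fail2ban's code): parse sshd's auth log lines, count failed logins per source address within a `findtime` window, and record a ban lasting `bantime` once `maxretry` failures are reached. Unlike the firewall-only counting above, this sees the login result, so accepted key logins never count against a host. The log lines are constructed (documentation addresses, hostname `desktop`), and the year is assumed because syslog timestamps carry none. The second scenario uses Zeist's setting, a ban after a single failure, and shows its cost: a client whose first offered key sshd rejects produces a `Failed publickey` line and gets banned along with the bots, so `maxretry` of 1 needs a short `bantime`.

```python
"""fail2ban-style detection over sshd auth log lines (added example, not fail2ban)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2010  # syslog lines carry no year; assumed to match the thread's date

# Constructed sample of sshd's auth log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan  7 06:52:51 desktop sshd[2134]: Failed password for invalid user admin from 203.0.113.7 port 44121 ssh2
Jan  7 06:52:55 desktop sshd[2135]: Failed password for root from 203.0.113.7 port 44130 ssh2
Jan  7 06:53:02 desktop sshd[2140]: Accepted publickey for f4hy from 198.51.100.2 port 50022 ssh2
Jan  7 06:53:04 desktop sshd[2136]: Failed password for invalid user oracle from 203.0.113.7 port 44137 ssh2
Jan  7 06:53:09 desktop sshd[2137]: Failed password for invalid user test from 203.0.113.7 port 44142 ssh2
Jan  7 06:53:10 desktop sshd[2137]: Connection closed by 203.0.113.7 port 44142 [preauth]
Jan  7 06:55:30 desktop sshd[2150]: Failed publickey for f4hy from 198.51.100.2 port 50030 ssh2
Jan  7 06:55:33 desktop sshd[2151]: Accepted publickey for f4hy from 198.51.100.2 port 50031 ssh2
Jan  8 07:10:00 desktop sshd[3001]: Failed password for root from 203.0.113.7 port 40001 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return the login event on a line, or None for lines that are not login results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"time": when, "failed": m["result"] == "Failed",
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def scan(log_text, maxretry=3, findtime=600, bantime=86400):
    """Replay the log and return bans as (ip, ban_start, ban_end) with ISO timestamps.

    A host is banned once it has `maxretry` failed logins within `findtime`
    seconds; lines from a host during its ban are ignored, since the firewall
    would be dropping that traffic. Successful logins never count."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, now = ev["ip"], ev["time"]
        if ip in banned_until and now < banned_until[ip]:
            continue
        if not ev["failed"]:
            continue
        q = failures[ip]
        q.append(now)
        while q and (now - q[0]).total_seconds() > findtime:   # slide the window
            q.popleft()
        if len(q) >= maxretry:
            end = now + timedelta(seconds=bantime)
            banned_until[ip] = end
            bans.append((ip, now.isoformat(), end.isoformat()))
            q.clear()
    return bans


def zeist_policy(log_text):
    """One failure, one-minute ban (the suggestion earlier in the thread)."""
    return scan(log_text, maxretry=1, findtime=600, bantime=60)


if __name__ == "__main__":
    print("maxretry=3, bantime=1 day:")
    for ip, start, end in scan(SAMPLE_LOG):
        print(f"  {ip} banned {start} .. {end}")
    print("maxretry=1, bantime=60 s:")
    for ip, start, end in zeist_policy(SAMPLE_LOG):
        print(f"  {ip} banned {start} .. {end}")
```

In the sample, the three-strikes policy bans only the bot, while the single-strike policy also bans the legitimate user for a minute after one rejected key. Note that the `[preauth]` connection-closed line is not a login result and is ignored, which is the distinction the firewall-based counter cannot make.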

#12 2010-01-07 13:25:37

delerious010
Member
From: Montreal
Registered: 2008-10-07
Posts: 72

Re: What is a good way to make key only ssh authentication practical

Hmm, pretty sure ssh doesn't have such a facility. The closest thing I could think of would be account disabling via PAM after failed passwords-or-security, but that's really not a good thing when people are doing blind brute force attempts :D

#13 2010-01-07 13:44:05

toad
Member
From: if only I knew
Registered: 2008-12-22
Posts: 1,775
Website

Re: What is a good way to make key only ssh authentication practical

Apparently it isn't necessary anyway. I've put my ssh on a different port and have had NO attacks for over 24 months :) It is either my magic port or the router has a damn fine firewall...


never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::