
4.2.2. Secure Shell

Secure Shell (SSH) is a powerful network protocol used to communicate with another system over a secure channel. The transmissions over SSH are encrypted and protected from interception. Cryptographic log-on can also be utilized to provide a better authentication method than traditional usernames and passwords.
SSH is very easy to activate. By simply starting the sshd service, the system will begin to accept connections and will allow access to the system when a correct username and password are provided during the connection process. The standard TCP port for the SSH service is 22; however, this can be changed by modifying the configuration file /etc/ssh/sshd_config and restarting the service. This file also contains other configuration options for SSH.
Secure Shell (SSH) also provides encrypted tunnels between computers, but only using a single port. Port forwarding can be done over an SSH tunnel and traffic will be encrypted as it passes over that tunnel, but using port forwarding is not as fluid as a VPN.

4.2.2.1. Cryptographic Logon

SSH supports the use of cryptographic keys to log in to a computer. This is much more secure than using a password and, if set up properly, could be considered multifactor authentication.
A configuration change must be made before cryptographic logon can be used. In the file /etc/ssh/sshd_config, uncomment and modify the following lines so that they appear as follows:
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
The first line tells the SSH program to allow public key authentication. The second line points to a file in the home directory where the public key of authorized key pairs exists on the system.
The next thing to do is to generate the SSH key pair on the client you will use to connect to the system. The command ssh-keygen will generate an RSA 2048-bit key set for logging into the system. The keys are stored, by default, in the ~/.ssh directory. You can utilize the switch -b to modify the bit-strength of the key. A 2048-bit key only provides 112 bits of security. To get 128 bits of security requires a 3072-bit key, and to get 256 bits of security one must use a 15,360-bit key. Elliptic curve keys (ECDSA) and elliptic curve ciphers can increase the security to 256 bits with smaller keys.
In your ~/.ssh directory you should see the two keys you just created. If you accepted the defaults when running ssh-keygen, then your keys are named id_rsa and id_rsa.pub, the private and public keys. You should always protect the private key from exposure. The public key, however, needs to be transferred over to the system you are going to log in to. Once you have it on your system, the easiest way to add the key to the approved list is by:
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
This will append the public key to the authorized_keys file. The SSH application will check this file when you attempt to log in to the computer.
As with passwords and any other authentication mechanism, you should change your SSH keys regularly. When you do, make sure you clean out any unused keys from the authorized_keys file.
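To support the key-strength and key-cleanup advice above, the following added example (not part of the original guide) parses authorized_keys entries, decodes each public key blob and reports the RSA modulus size alongside the entry's comment, so undersized or stale keys can be picked out for removal. The 3072-bit threshold, the function names and the sample entries are assumptions constructed for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 3072  # assumed policy: the 128-bit security level quoted in the text

def _read_field(blob, off):
    """Decode one length-prefixed field, returning (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def audit_line(line):
    """Return (key_type, rsa_bits, comment, verdict) for one entry, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options (from="...") may come first: take the field whose blob names the same type.
    for i, name in enumerate(fields[:-1]):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            ktype, off = _read_field(blob, 0)
            if ktype.decode("ascii", "replace") != name:
                continue
            bits = None  # only RSA entries get a modulus size
            if name == "ssh-rsa":
                _e, off = _read_field(blob, off)  # public exponent, skipped
                bits = int.from_bytes(_read_field(blob, off)[0], "big").bit_length()
        except (ValueError, struct.error):
            continue
        weak = bits is not None and bits < MIN_RSA_BITS
        return name, bits, " ".join(fields[i + 2:]), "below-policy" if weak else "ok"
    return "?", None, line.strip(), "unparsed"

def audit(text):
    """Audit every entry in the text of an authorized_keys file."""
    return [r for r in map(audit_line, text.splitlines()) if r]

def sample_rsa_entry(bits, comment):
    """Constructed, non-functional ssh-rsa entry whose modulus has `bits` bits."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading zero byte
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-rsa", b"\x01\x00\x01", n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = "\n".join(["# constructed sample", sample_rsa_entry(2048, "old-laptop"),
                    'from="192.0.2.10" ' + sample_rsa_entry(3072, "workstation")])

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To audit a real account, pass the contents of its ~/.ssh/authorized_keys file to audit() instead of SAMPLE.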