Secure Shell (SSH) is a powerful network protocol used to communicate with another system over a secure channel. The transmissions over SSH are encrypted and protected from interception. Cryptographic log-on can also be utilized to provide a better authentication method over traditional usernames and passwords.
SSH is very easy to activate. By simply starting the sshd service, the system will begin to accept connections and will allow access when a correct username and password are provided during the connection process. The standard TCP port for the SSH service is 22; this can be changed by modifying the configuration file /etc/ssh/sshd_config and restarting the service. This file also contains the other configuration options for SSH.
4.2.2.1. Cryptographic Logon
SSH supports the use of cryptographic keys to log in to a computer. This is much more secure than using a password, and if set up properly it can be considered multifactor authentication: the private key file is something you have, and the passphrase that protects it is something you know.
A configuration change must occur before cryptographic logon can occur. In the file /etc/ssh/sshd_config, uncomment and modify the following lines so that they appear as such:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
The first line tells the SSH daemon to allow public key authentication. The second line points to a file, relative to the user's home directory, where the public keys of authorized key pairs are listed. Both values are also the compiled-in OpenSSH defaults, so uncommenting them only makes the policy explicit; any change to this file takes effect after sshd is restarted. Once key logon has been confirmed to work, password logon can be disabled in the same file (the PasswordAuthentication directive), which removes the password as an attack surface.
The next thing to do is to generate the SSH key pair on the client you will use to connect to the system. The command ssh-keygen will generate an RSA key pair for logging into the system (2048 bits on older OpenSSH releases, 3072 bits on current ones). The keys are stored, by default, in the ~/.ssh directory. You can use the -b switch to modify the bit-strength of the key and the -t switch to choose the key type. A 2048-bit RSA key provides only about 112 bits of security. To get 128 bits of security requires a 3072-bit RSA key, and to get 256 bits of security one must use a 15,360-bit RSA key. Elliptic-curve keys (ECDSA, and Ed25519 on newer OpenSSH releases) reach comparable security levels with far smaller keys; a 521-bit ECDSA key, for example, provides about 256 bits of security. During generation ssh-keygen prompts for a passphrase: set one, since an unencrypted private key can be used by anyone who copies the file.
In your ~/.ssh directory you should see the two keys you just created. If you accepted the defaults when running ssh-keygen, your keys are named id_rsa and id_rsa.pub, the private and public keys respectively. You should always protect the private key from exposure; it never leaves the client. The public key, however, needs to be transferred over to the system you are going to log in to. Once you have it on the remote system, the easiest way to add the key to the approved list is by:
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
This will append the public key to the authorized_keys file. The SSH daemon will check this file when you attempt to log in to the computer. Note that with the default StrictModes setting sshd silently ignores the file if it, the ~/.ssh directory or the home directory is group- or world-writable, so keep ~/.ssh at mode 700 and authorized_keys at mode 600. The ssh-copy-id utility shipped with OpenSSH performs the same append over an SSH connection and creates ~/.ssh with restrictive permissions if it does not exist.
As with passwords and any other authentication mechanism, you should change your SSH keys regularly. When you do, make sure you clean out any unused key from the authorized_keys file, including keys belonging to decommissioned clients or departed users. Running ssh-keygen -l against the file lists the fingerprint, size and comment of every key it contains, which makes such audits easier.
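As an added example (not part of the original guide, and not OpenSSH's own code), the following Python script audits an authorized_keys file without relying on ssh-keygen. It parses each entry into its options, key type, base64 blob and comment, checks that the algorithm name embedded in the blob matches the declared type, computes the SHA256 fingerprint in the same form that ssh-keygen -l prints, extracts the RSA modulus size so undersized keys can be spotted, and prunes entries by fingerprint or comment when rotating keys. The sample keys are constructed inline for the demo and are not real credentials; the 3072-bit minimum is an assumed local policy matching the 128-bit security level discussed above.

```python
"""Audit and prune an OpenSSH authorized_keys file (added example, not from the guide)."""
import base64
import hashlib
import struct
from dataclasses import dataclass, field

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 3072  # assumed local policy: ~128-bit security (NIST SP 800-57)


# --- SSH wire-format helpers: RFC 4251 "string" and positive "mpint" ---
def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    # Big-endian magnitude with a leading 0x00 byte whenever the top bit is set.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


@dataclass
class Entry:
    options: str
    key_type: str
    blob_type: str
    fingerprint: str
    bits: int
    comment: str
    problems: list = field(default_factory=list)


def fingerprint(blob: bytes) -> str:
    # OpenSSH prints base64(SHA-256(blob)) with the trailing '=' padding stripped.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_bits(blob_type: str, blob: bytes) -> int:
    _, off = read_string(blob, 0)                  # skip the algorithm name
    if blob_type == "ssh-rsa":
        _e, off = read_string(blob, off)           # public exponent
        n, _ = read_string(blob, off)              # modulus
        return int.from_bytes(n, "big").bit_length()
    if blob_type.startswith("ecdsa-sha2-nistp"):
        return int(blob_type[len("ecdsa-sha2-nistp"):])
    if blob_type == "ssh-ed25519":
        return len(read_string(blob, off)[0]) * 8
    return 0


def split_options(line: str):
    # Options end at the first space outside double quotes (e.g. command="a b").
    # A line whose first token is already a key type carries no options.
    in_quotes, i = False, 0
    while i < len(line) and (in_quotes or line[i] != " "):
        if line[i] == "\\" and in_quotes:
            i += 1                                  # skip escaped character
        elif line[i] == '"':
            in_quotes = not in_quotes
        i += 1
    head = line[:i]
    return ("", line) if head in KEY_TYPES else (head, line[i:].lstrip())


def parse_entry(line: str) -> Entry:
    options, rest = split_options(line.strip())
    parts = rest.split(None, 2)
    key_type, comment = parts[0], parts[2] if len(parts) > 2 else ""
    blob = base64.b64decode(parts[1])
    blob_type = read_string(blob, 0)[0].decode()
    e = Entry(options, key_type, blob_type, fingerprint(blob), key_bits(blob_type, blob), comment)
    if blob_type != key_type:
        e.problems.append("declared type %s but blob is %s" % (key_type, blob_type))
    if key_type == "ssh-rsa" and e.bits < MIN_RSA_BITS:
        e.problems.append("RSA modulus %d bits < %d" % (e.bits, MIN_RSA_BITS))
    if key_type == "ssh-dss":
        e.problems.append("ssh-dss is disabled by default in OpenSSH 7.0+")
    return e


def audit(text: str) -> list:
    return [parse_entry(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def prune(text: str, fingerprints=(), comments=()) -> str:
    """Return the file with matching key entries removed; comment/blank lines survive."""
    kept = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            e = parse_entry(line)
            if e.fingerprint in fingerprints or e.comment in comments:
                continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def strictmodes_ok(mode: int) -> bool:
    # sshd's StrictModes rejects ~/.ssh and authorized_keys if group- or world-writable.
    return mode & 0o022 == 0


# --- constructed sample file: moduli are placeholders, not real RSA keys ---
def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

RSA_2048 = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 1)
RSA_3072 = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 3071) | 1)
ED25519 = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa %s old-laptop" % _b64(RSA_2048),
    'command="/usr/bin/rsync --server",no-pty ssh-ed25519 %s backup-host' % _b64(ED25519),
    "ssh-rsa %s workstation" % _b64(RSA_3072),
    "ssh-ed25519 %s mislabeled" % _b64(RSA_3072),   # declared type disagrees with blob
]) + "\n"

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(e.fingerprint, e.key_type, e.bits, e.comment, e.problems)
    print(prune(SAMPLE, comments={"old-laptop"}))
```

Pruning by fingerprint rather than by comment is the safer choice during rotation, since the comment is free text that anyone with write access to the file could have copied; the fingerprint is bound to the key material itself.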