Friday, April 3, 2015

Securing the SSH server

This is my checklist for making my SSH daemons more "Internet-ready":

1. Copy my public key to the remote host:

ssh-copy-id remote_host

2. Log in to the remote host:

ssh remote_host

3. Edit the /etc/ssh/sshd_config file and change the following configuration options:

ChallengeResponseAuthentication no
LoginGraceTime 30
MaxStartups 2:30:10
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
UsePAM no

4. Restart the SSH daemon, but don't disconnect the SSH session:

sudo service ssh restart

5. Open another shell and verify that pubkey authentication now works:

ssh -v remote_host

6. Observe that:
- I logged in without typing my password
- The SSH client printed the following message:

debug: Authentication succeeded (publickey)

That's it.
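
An added example, not part of the original checklist: a shell function that checks an sshd_config file against the step 3 values, so a typo or a shadowed directive is caught before the restart in step 4. The names audit_sshd_config and sample_weak_config are hypothetical, the sample config is constructed, and Include files and Match blocks are not evaluated.

```shell
# Added example: check an sshd_config against the values from step 3.
# Usage: audit_sshd_config [FILE]   (reads stdin when FILE is omitted)
# Returns 0 only if every directive is set to the checklist value.
audit_sshd_config() {
    awk '
    BEGIN {
        # Expected values from step 3; keywords are case-insensitive.
        want["challengeresponseauthentication"] = "no"
        want["logingracetime"] = "30"
        want["maxstartups"] = "2:30:10"
        want["passwordauthentication"] = "no"
        want["permitrootlogin"] = "no"
        want["pubkeyauthentication"] = "yes"
        want["usepam"] = "no"
    }
    {
        sub(/#.*/, "")                 # drop comments
        sub(/=/, " ")                  # accept the keyword=value form
        k = tolower($1)
        if (k == "match") exit         # Match blocks are conditional: stop here
        # sshd uses the first value it reads for each keyword.
        if ((k in want) && !(k in seen)) seen[k] = tolower($2)
    }
    END {
        for (k in want) {
            got = (k in seen) ? seen[k] : "(unset)"
            if (got != want[k]) bad++
            printf("%-4s %s: want %s, got %s\n", (got == want[k]) ? "ok" : "FAIL", k, want[k], got)
        }
        exit (bad > 0)
    }' "$@"
}
# Constructed sample: PasswordAuthentication is still commented out, and the
# second PermitRootLogin line has no effect because the first one wins.
sample_weak_config() {
    cat <<'EOF'
ChallengeResponseAuthentication no
LoginGraceTime 30
MaxStartups 2:30:10
#PasswordAuthentication no
PermitRootLogin yes
PermitRootLogin no
PubkeyAuthentication yes
UsePAM no
EOF
}
sample_weak_config | audit_sshd_config || echo "sshd_config does not match the checklist"
```

On the remote host, run it as `audit_sshd_config /etc/ssh/sshd_config`; `sudo sshd -t` additionally checks the file for syntax errors before the daemon is restarted.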