Linux Tactic

Secure Your Remote Server with Key-Based Authentication and Advanced Control Features

Introduction to SSH Authentication

In today’s digital world, securing your data has become more crucial than ever before. One of the most common ways of securing access to a remote server is through SSH (Secure Shell) authentication.

SSH authentication is a cryptographic network protocol that allows a user to establish a secure connection with a remote server. In this article, we will discuss three methods of SSH authentication, their security risks, and how to configure key-based authentication.

Methods of Authentication

SSH authentication uses one of three methods: password-based authentication, key-based authentication, or host-based authentication.

Password-based Authentication

A password is perhaps the most common method of authentication users choose when logging into a remote server. With password-based authentication, you enter your username and password, which are verified against the server’s user database.

However, this method has its risks, as passwords can be easily guessed or intercepted through brute-force attacks.

Security risks associated with passwords

Brute-force attacks, also known as password guessing attacks, rely on trial and error to crack a password. Hackers use software and hardware tools to try millions of password combinations until they find the right one.

To mitigate this risk, system administrators should enforce strong password policies and encourage users to use complex passwords.

Key-based Authentication

Key-based authentication uses a pair of cryptographic keys, a private key, and a public key. The private key is kept on the user’s device, while the public key is uploaded on the remote server.

When the user connects to the server, the server can authenticate the user by verifying the public key provided by the user’s device.

Benefits of key-based authentication

One of the most significant benefits of key-based authentication is that it eliminates the need for passwords; thus, eliminating the security risks associated with passwords. The private key is encrypted with a passphrase, which is used to unlock the key when needed.

This passphrase acts as an additional layer of security. Additionally, a user can add their public key to the authorized_keys file on the remote server, allowing them to log in from multiple devices without having to upload their public key each time.

Host-based Authentication

Host-based authentication uses the remote server’s host key to authenticate the user. Each server has a unique host key, which is automatically generated when the SSH server is installed.

However, this method is not commonly used, as it does not provide the flexibility of the other two methods.

Setting up key-based Authentication

Now that we are aware of the three methods of authentication available let us dive into the steps involved in setting up key-based authentication. Step 1: Configuring the /etc/ssh/sshd_config file on the server

We first need to edit the /etc/ssh/sshd_config file on the remote server and ensure that password-based authentication is disabled by modifying the PasswordAuthentication to “no”.

Step 2: Generating public and private keys

Next, we should generate both the public and private keys on the user’s device with the ssh-keygen command. The user will also have to provide a passphrase to encrypt the private key, which adds an additional layer of security.

Step 3: Copying the public key to the server

Once the keys are generated, the user needs to copy the public key to the remote server. This can be done using the ssh-copy-id command, which automatically updates the authorized_keys file on the remote server.

Step 4: Permissions for the /.ssh folder, private/public keys, and authorized_keys file

It is essential to ensure that the proper permissions are set for the /.ssh folder, private/public keys, and authorized_keys file to prevent unauthorized access to the user’s files. The folder and files must only be accessible by the user.

Step 5: Adding multiple public keys manually

If a user wants to log in from multiple devices, they must add each public key to the authorized_keys file on the remote server manually. The public keys can be separated by a newline or return.

Conclusion

In conclusion, key-based authentication is a recommended way of securing a remote server. Password-based authentication is easily prone to brute-force attacks, and host-based authentication is not recommended for flexibility reasons.

Key-based authentication offers an extra layer of security with a passphrase and eliminates the need for passwords. It is imperative to ensure that the proper permissions are set for the folder and files during the key-based authentication process.

With these measures, one can safeguard and secure their remote servers effectively.

Advanced features of authorized_keys file

In the previous section, we discussed how to set up key-based authentication and its benefits. However, the authorized_keys file has additional features that can further enhance a user’s control and management of remote server access.

In this section, we will discuss two advanced features of the authorized_keys file, namely the forced command and executable script. Restricting access to a single command using “forced command”

In some cases, a user may want to allow access to a specific command on the remote server, without granting full shell access.

In such cases, a forced command can be used to limit a user to a specific command only. Forced command refers to the command that is executed on the server after the user has successfully authenticated themselves.

The command is specified in the authorized_keys file alongside the public key. The user can only execute the command specified in the forced command statement, and any attempts to execute other commands would fail.

For example, if a user wants to grant access to a backup script on the remote server, they can specify the script in the authorized_keys file like this:

command=”/usr/local/bin/backup_script” ssh-rsa AAAAB3NzaC1yc2EA… In this case, the user can only execute the backup_script on the remote server and cannot access any other commands or files.

Using a bash script to put multiple commands under one authorized key

Sometimes, a user may wish to execute multiple commands on a remote server using a single authorized key. This can be achieved by using a bash script, which can contain multiple commands that the user can execute.

To use a bash script as an authorized key, the script must be executable, and the public key must reference the script’s path. First, create a bash script with the commands that the user needs to execute.

Let us assume that the script is called ssh_script.sh and contains the following code:

#!/bin/bash

echo “This is the first command”

echo “This is the second command”

echo “This is the third command”

Next, make the script executable with the following command:

chmod +x ssh_script.sh

Finally, add the public key to the authorized_keys file and reference the path to the script. The authorized_keys file would now look like this:

command=”/home/user/ssh_script.sh” ssh-rsa AAAAB3NzaC1yc2EA…

Now, when the user logs in using the authorized key, the ssh_script.sh script is executed, and the user can execute all commands within the script.

Conclusion

In conclusion, key-based authentication is a safe, easy, and quick way of securing remote servers, and it has advanced features that enhance its functionality and control. The authorized_keys file’s forced command feature allows a user to limit access to a single command, while the executable script feature allows a user to execute multiple commands using a single authorized key.

With these features, users can enhance their security and control over servers, ensuring that the right people have access to the right data and functionalities. In conclusion, key-based authentication is a recommended way of securing remote servers with its robust security and advanced control features.

SSH authentication offers three methods of authentication: password-based authentication, key-based authentication, and host-based authentication. Password-based authentication is easy to crack because of brute-force attacks, while host-based authentication is not flexible.

On the other hand, key-based authentication provides an extra layer of security with a passphrase and eliminates password security risks. This article discussed setting up key-based authentication and its benefits.

Additionally, we covered advanced features of the authorized_keys file, including forced commands and executable scripts. By implementing these features, users can promote safety and have more control over their remote servers.

The takeaway from this article is that users who keep the proper permissions for the folder, files, and the authorized_keys file can securely work on remote servers.

Popular Posts