How can I increase ssh security? Can I require both a key and password?

ssh security

I have a small network of servers and I would like to increase the general security. I don't have enough time/money/paranoia to set up a VPN -- what's a basic way I can increase the security of my system?

One thing could be to require that users both send their key and enter a password. This is kinda hard to google for because everything about "ssh key password" is about sshing without a password. :-)

One scheme I've always wanted to toy with is requiring that incoming connections only come from a whitelist of dyndns ip addresses. I know some security heads would vomit at the thought of the idea, but the fact of the matter is it would add very significant complexity to exploit a box.

What do you think? What else is out there?


The login with password and key is the same as "just with key". During the key creation, you are asked to enter passphrase. If you leave it blank, you won't be asked for a password. If you fill some passphrase, you'll be asked for it everytime when you want to login.

If you are concerned about security, consider some of these advices mentioned trillion times in this forum:

  • Disable ssh login for root
  • Allow ssh access only from defined ip addresses (iptables, hosts.allow,... )
  • Move ssh port to another port (more obscurity then security, but it works)
  • Monitor foreign login attempts and react accordingly
  • Keep your system up-to-date

Etc, etc.

Update: Please refer to the answer here for how to require both a public key and local system password with an OpenSSH server.


One idea I found interesting is port knocking - basically, in order to establish the ssh connection, you first have to probe on a sequence of other ports, before the ssh server will acknowledge a connect request. If the correct sequence of ports is not used, there is no response, so it effectively looks like there is no ssh server running. The sequence of ports is customizable and can be shared with your intended users; everyone else would effectively be unable to connect.

I haven't tried this myself, but from what I've heard (which isn't much, actually) the overhead is negligible and it lowers your visibility profile tremendously.


Patches related to enabling directly in SSH and lots of relevant discussion:

  • https://bugzilla.mindrot.org/show_bug.cgi?id=983

This can also be done without modification by having a password verification script combined with the use of the ForceCommand configuration option.

  • http://www.tuxz.net/blog/archives/2010/03/17/how_to_quickly_setup_two-factor_ssh_authentication/

Finally, though no module exists for it, if you moved the public key authentication to PAM then you would be able to require both steps to pass before PAM considered authentication successful.


Just use 

RequiredAuthentications publickey, password

in sshd_config if you are using sshd from ssh.com. This feature is not available in OpenSSH.


You could also use one-time passwords to increase security. This would allow users to login from an insecure terminal, which may have a keylogger, if they previously generated the next password. Also there are password generators that can be installed even on older Java MIDP phones, that you carry with you all the time.

Related

How can I search the info column in Wireshark?
What does Upstream and Downstream mean?
How to exclude some users from Linux Top screen?
In what condition, should I create a system user instead of a normal user?
Why are outdated packages installed by yum on CentOS? (specifically PHP 5.1) How to fix?
User in domain admin group cannot access directory the group has permission to access
Scaling Logstash (with redis/elasticsearch)
Does a MongoDB replica set require at least 2 or 3 members?
How to expose a UNIX domain socket directly over TCP
Cannot disable password expiry on Server 2012
Standard or best way to keep alive process started by init.d
Can't receive mails from Gmail