Care for better security with SSH?
If you do, perhaps you don't want to allow root SSH access to your public hosts facing the world. Instead you'd prefer the use of SSH keys for select users, except root. Here's a quick guide on how to set this up.
These instructions apply for Ubuntu 18.04 and can easily be adapted for the vast majority of Linux platforms.
Let's start with installing openssh-server on your remote Linux host:
sudo apt-get install -y openssh-server
Once installed, you can verify the status of the SSH service with:
sudo service ssh status
A running status of the SSH service should yield an output similar to:
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enab
   Active: active (running) since Thu 2019-01-31 23:02:43 EST; 15s ago
 Main PID: 2563 (sshd)
    Tasks: 1 (limit: 2321)
   CGroup: /system.slice/ssh.service
           └─2563 /usr/sbin/sshd -D

Jan 31 23:02:43 ginger systemd: Starting OpenBSD Secure Shell server...
Jan 31 23:02:43 ginger sshd: Server listening on 0.0.0.0 port 22.
Jan 31 23:02:43 ginger sshd: Server listening on :: port 22.
Jan 31 23:02:43 ginger systemd: Started OpenBSD Secure Shell server.
By default, all local user accounts on your remote Linux host (including root) are allowed SSH access, using their system credentials. Let's assume you want to enable exclusive SSH access for the user joe. This could be an existing account, or you can create it with:
sudo useradd -m -d /home/joe -s /bin/bash joe
Set the password for user joe:
sudo passwd joe
We can add joe to the sudoers and also to a custom ssh group (e.g. for users with SSH access):
sudo usermod -aG sudo,ssh joe
Now let's give joe exclusive SSH access. Make the following change in the sshd configuration file, /etc/ssh/sshd_config:
AllowUsers joe
Alternatively we could grant exclusive SSH access to the ssh group instead of a single user:
#AllowUsers joe
AllowGroups ssh
Restart the SSH service to make changes effective:
sudo service ssh restart
Now for any user other than joe (or users in the ssh group, if you chose the AllowGroups ssh alternative), an SSH login attempt will result in a permission error:
Permission denied, please try again.
Let's try to further secure SSH access and replace SSH password authentication with public key authentication. For this you'll need to generate a public/private key pair on the client machine used for SSH access. You may already have this key pair generated (check for the ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files). Here's the command to generate the key pair:
ssh-keygen -t rsa -C "NAME"
Replace NAME with the name of your local client machine, or anything else you'd prefer to label your public key with. You can verify the newly generated public key by viewing the contents of ~/.ssh/id_rsa.pub.
Next, copy the public key to your remote Linux host, targeted for SSH access. Keep in mind that at this time you still need to have password authentication enabled on your remote Linux host.
ssh-copy-id -i .ssh/id_rsa.pub joe@your_remote_host
At this point you'll be able to SSH into your remote Linux host as joe without being prompted for a password. Confirm that this works in a new session, and keep that session open, before disabling password authentication in the next step, so that a mistake cannot lock you out.
Finally, disable SSH password authentication and enable SSH public key authentication on your remote Linux host. Make the following changes in /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
Restart the SSH service.
sudo service ssh restart
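Before relying on the restarted service, it is worth confirming that the configuration file actually says what this guide expects: a directive that is left commented out silently falls back to sshd's built-in default, and for PasswordAuthentication that default is yes. The following shell script is an added example written for this page, not code from the original guide. It reads an sshd_config file with a small awk helper and checks the AllowUsers/AllowGroups, PasswordAuthentication and PubkeyAuthentication settings described above, plus ChallengeResponseAuthentication, which the guide does not cover but which can otherwise still produce a password prompt through PAM. The two sample configs it audits are constructed for the demonstration, not copied from any real host, and the parser assumes the usual "Directive value" syntax.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config file for
# the settings this guide relies on and report which are missing or weak.
# Assumptions (mine, not the guide's): the file uses "Directive value" syntax
# (not "Directive=value"), and the first occurrence of a directive wins, which
# is how sshd resolves duplicates.

# Print the effective value of a directive (first non-comment match,
# case-insensitive directive name). Prints nothing if it is not set.
sshd_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# Print one "OK:" or "WARN:" line per check. Always exits 0 so it can be used
# under "set -e"; count the WARN lines (see sshd_warning_count) for a verdict.
audit_sshd_config() {
    f="$1"

    # 1. Login restricted to an explicit allow-list (AllowUsers or AllowGroups).
    if [ -n "$(sshd_get "$f" AllowUsers)" ] || [ -n "$(sshd_get "$f" AllowGroups)" ]; then
        echo "OK: AllowUsers/AllowGroups restricts who may log in"
    else
        echo "WARN: no AllowUsers or AllowGroups, so every local account may log in"
    fi

    # 2. Password authentication off. sshd's built-in default is yes, so an
    #    unset or commented-out directive counts as enabled.
    if [ "$(sshd_get "$f" PasswordAuthentication)" = "no" ]; then
        echo "OK: PasswordAuthentication no"
    else
        echo "WARN: PasswordAuthentication is not set to no"
    fi

    # 3. Public key authentication on (sshd defaults to yes when unset).
    v="$(sshd_get "$f" PubkeyAuthentication)"
    if [ -z "$v" ] || [ "$v" = "yes" ]; then
        echo "OK: PubkeyAuthentication yes"
    else
        echo "WARN: PubkeyAuthentication is disabled"
    fi

    # 4. Beyond the guide: keyboard-interactive authentication can still prompt
    #    for a password through PAM unless this is also off.
    if [ "$(sshd_get "$f" ChallengeResponseAuthentication)" = "no" ]; then
        echo "OK: ChallengeResponseAuthentication no"
    else
        echo "WARN: ChallengeResponseAuthentication is not set to no"
    fi
    return 0
}

# Number of WARN lines for a config file (0 means it matches the guide's end state).
sshd_warning_count() {
    audit_sshd_config "$1" | grep -c '^WARN:' || true
}

# Constructed sample configs (not copied from any real host) to demonstrate the audit.
WEAK_CFG="$(mktemp)"
HARDENED_CFG="$(mktemp)"
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# Resembles a stock file: password login still on, no allow-list
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
cat > "$HARDENED_CFG" <<'EOF'
# End state of the guide, using the AllowGroups alternative
#AllowUsers joe
AllowGroups ssh
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF

echo "== weak (constructed) =="
audit_sshd_config "$WEAK_CFG"
echo "== hardened (constructed) =="
audit_sshd_config "$HARDENED_CFG"
```

To audit the real file instead of the samples, call audit_sshd_config /etc/ssh/sshd_config from the same script. This only checks the directives as written; pair it with sudo sshd -t, which validates the file's syntax before you restart the service, and with the open-session check above, since neither tool can tell you whether your key actually works.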
You now have SSH access limited to select users (joe, or users in the ssh group), using SSH keys for authentication.