Hardening SSH authentication to the max
Keys to the Realm
If you want to open access to SSH, and possibly even to users on the Internet, you need to harden authentication, preferably with a combination of key pairs, discoverable and non-discoverable credentials, multifactor authentication, authenticator apps, and other methods. SSH with public key authentication should be your default setting.
Public Key Authentication
To get started, you need to create an SSH key pair with the ssh-keygen command. Even now, the process is fraught with pitfalls: Given that massive attacks on RSA2048 are commonplace, you can expect RSA3072 to become the focus of cryptanalysts soon. Anyone still using RSA with key lengths of 2048 bits or less needs to take action, urgently.
In this article, I create a key pair with the use of elliptic curves (elliptic curve digital signature algorithm, ECDSA). To find out more about elliptic curve cryptography, please take a look at the English-language paper by the German Federal Office for Information Security (BSI) [1]. The type of key pair, whether ECDSA or Ed25519, and therefore the choice of curve, has practically no influence on security. Both methods are considered to be very secure; Ed25519 delivers slightly better performance under certain conditions.
To begin, generate a key pair for test purposes (Figure 1), upload the public key to the target system, and log in with the new key pair:
$ ssh-keygen -t ecdsa -b 384 -f ~/.ssh/ecdsa_2024-03
$ ssh-copy-id -i ~/.ssh/ecdsa_2024-03.pub thomas@pihole
$ ssh -i ~/.ssh/ecdsa_2024-03 thomas@pihole
...
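As an added example that is not part of the article, the following Python decodes the OpenSSH public key wire format (the base64 blob in a .pub file or an authorized_keys line), so you can confirm that a freshly generated key really is ECDSA on P-384 and audit existing authorized_keys entries for the RSA key sizes the text warns about. The sample key lines are constructed in the code with dummy moduli and coordinates; they are not real keys.

```python
import base64
import struct

RSA_MIN_BITS = 3072  # RSA below this is flagged, following the article's advice

def _ssh_string(blob: bytes, offset: int):
    """Read one length-prefixed SSH string; return (value, next_offset)."""
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + n], offset + 4 + n

def describe_public_key(line: str) -> dict:
    """Parse one authorized_keys / .pub line and report type, size and weakness."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _ssh_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match encoded blob")
    info = {"type": key_type, "weak": False}
    if key_type == "ssh-rsa":
        _, off = _ssh_string(blob, off)        # public exponent e (not needed)
        n_bytes, _ = _ssh_string(blob, off)    # modulus n as mpint
        bits = int.from_bytes(n_bytes, "big").bit_length()
        info.update(bits=bits, weak=bits < RSA_MIN_BITS)
    elif key_type.startswith("ecdsa-sha2-"):
        curve, _ = _ssh_string(blob, off)      # e.g. b"nistp384"
        info.update(curve=curve.decode(), bits=int(curve.decode()[-3:]))
    elif key_type == "ssh-ed25519":
        info.update(curve="Curve25519", bits=256)
    else:
        info.update(unknown=True)
    return info

def audit(lines) -> list:
    """Return the parsed entries that should be replaced (weak RSA keys)."""
    return [r for r in map(describe_public_key, lines) if r["weak"]]

# --- constructed sample keys: dummy values, NOT real or usable keys ---
def _enc(*parts: bytes) -> bytes:
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def _mpint(x: int) -> bytes:  # SSH mpint: big-endian, leading 0x00 if high bit set
    return x.to_bytes((x.bit_length() + 8) // 8, "big")

def _publine(key_type: str, *parts: bytes) -> str:
    blob = base64.b64encode(_enc(key_type.encode(), *parts)).decode()
    return f"{key_type} {blob} test@example"

SAMPLE_RSA2048 = _publine("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1))
SAMPLE_ECDSA384 = _publine("ecdsa-sha2-nistp384", b"nistp384", b"\x04" + b"\x01" * 96)
SAMPLE_ED25519 = _publine("ssh-ed25519", b"\x02" * 32)
```

Run describe_public_key on the contents of ~/.ssh/ecdsa_2024-03.pub to check the curve of the key generated above, or audit on the lines of a server's authorized_keys file.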