SSH Security Considerations

The following SSH configuration considerations will help secure the Management Console's underlying OS SSH package (OpenSSH). Thorough knowledge of Linux commands is assumed.

These considerations are based on the CentOS wiki, which contains additional configuration guidance and can be found at https://wiki.centos.org/HowTos/Network/SecuringSSH.

The configurations are presented individually, but you can make all of the changes at once if they conform to your IT department's security policy. Whichever way you proceed, keep an existing SSH session open until you have confirmed that a fresh login still works, so that a mistake in sshd_config cannot lock you out of the Management Console.

Disable Root Login

  1. Edit /etc/ssh/sshd_config

    # Prevent root logins:
      PermitRootLogin no
    
  2. Restart SSH

    $ sudo service sshd restart

Limit User Logins

  1. Edit /etc/ssh/sshd_config. AllowUsers is an allow-list: once it is set, every account not named on the line (separate several names with spaces) is refused SSH login, so include every account that legitimately needs access.

      # Limit User Logins to the following
        AllowUsers admin
    
  2. Restart SSH

    $ sudo service sshd restart

Disable SSH Protocol 1

  1. Edit /etc/ssh/sshd_config and make sure only protocol 2 is enabled (protocol 1 is cryptographically broken; the stock file usually carries "Protocol 2,1" as a commented-out line). OpenSSH 7.4 and later no longer include protocol 1 in the server at all, so on those releases the directive is redundant but harmless.

    # Protocol 2,1
    Protocol 2

  2. Restart SSH

    $ sudo service sshd restart

Use Public/Private Keys for authentication and disable Password Authentication

  1. Generate a public/private key pair (an SSH key, not a certificate), preferably on the workstation you will connect from, so that the private key never has to be transferred. Where the Management Console's OpenSSH supports them, ed25519 keys are preferable to RSA.

    $ ssh-keygen -t rsa

    1. Either specify a file name or accept the default.

    2. Supply a passphrase (recommended) to protect the private key at rest; you will be prompted for it every time you connect unless you load the key into ssh-agent. Leave it empty only if the key must be used unattended.

    3. A private key (id_rsa by default) and a public key (id_rsa.pub by default) will be created in the ~/.ssh directory.

  2. Log in to the Management Console over ssh as admin and copy the public key (id_rsa.pub only, never the private key) into the ~/.ssh folder. You may need to create the ~/.ssh folder.

  3. Install the public key into the authorized_keys list:

    $ cat id_rsa.pub >> ~/.ssh/authorized_keys

  4. Set permissions on the .ssh directory and authorized_keys file. sshd's StrictModes setting (on by default) silently ignores the keys if these files, or the home directory itself, are group- or world-writable.

    $ chmod 700 ~/.ssh
    $ chmod 600 ~/.ssh/authorized_keys
    
  5. Enable SSH public key authentication (yes is OpenSSH's default, but set it explicitly so a later edit cannot disable it unnoticed)

    1. Edit /etc/ssh/sshd_config

      #Enable Public Key authentication
      PubkeyAuthentication yes
      
    2. Restart SSH

      $ sudo service sshd restart

  6. If the key pair was generated somewhere other than the workstation where you will run the ssh client, copy the private key into that workstation's ~/.ssh folder over a trusted channel (generating the key there in the first place avoids this step). Set the permissions as follows:

    $ chmod 700 ~/.ssh
    $ chmod 600 ~/.ssh/id_rsa
    
  7. Test key-based login by connecting to the Management Console from the workstation that holds the private key. Do this while password authentication is still enabled and an existing session is still open, so that a problem with the key can be corrected without locking yourself out.

    $ ssh admin@your_mc_ip_or_fqdn -i ~/.ssh/id_rsa

  8. Disable password authentication. Only do this after step 7 has succeeded. With UsePAM yes (the CentOS default), also make sure ChallengeResponseAuthentication is set to no; otherwise PAM's keyboard-interactive method still accepts the account password even though PasswordAuthentication is off.

    1. Edit /etc/ssh/sshd_config

      # Disable password authentication forcing use of keys:
      PasswordAuthentication no
      
    2. Restart SSH

      $ sudo service sshd restart
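The steps above are edits to sshd_config made by hand. As an added example (this script is not part of the original page or of the CentOS wiki), the following POSIX shell script applies all of those settings in one pass, idempotently, and reports the effective values, so the same hardening can be repeated on every Management Console without re-reading the file. It assumes the login account is named admin as above, that the path to sshd_config is passed as the first argument, that directives use the "keyword value" form, and it adds ChallengeResponseAuthentication no, which the steps above do not list but which is needed alongside PasswordAuthentication no when UsePAM is yes. Two details of sshd's parsing drive the design: sshd uses the first active occurrence of a keyword, and anything after a Match line is conditional, so the script prepends the new directive and comments out only the earlier global occurrences, leaving Match blocks untouched. The script file name harden_sshd.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: apply the sshd hardening steps
# above to an sshd_config file idempotently.
# Assumptions: login account "admin", "keyword value" syntax, config path in $1.
set -eu

# get_sshd_option FILE KEY
# Print the value sshd would use for KEY: the first active occurrence before any
# Match block. Keywords are case-insensitive, values are not.
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# set_sshd_option FILE KEY VALUE
# No-op when KEY already has VALUE (idempotent). Otherwise prepend "KEY VALUE"
# so it is the first occurrence, and comment out the earlier global ones;
# lines inside Match blocks are left alone because they are conditional.
set_sshd_option() {
    sf=$1; sk=$2; sv=$3
    if [ "$(get_sshd_option "$sf" "$sk")" = "$sv" ]; then
        return 0
    fi
    stmp="$sf.tmp.$$"
    awk -v key="$sk" -v value="$sv" '
        BEGIN { print key " " value; in_match = 0 }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == tolower(key) { print "#" $0; next }
        { print }
    ' "$sf" > "$stmp"
    cat "$stmp" > "$sf"   # overwrite in place so ownership and mode survive
    rm -f "$stmp"
}

# harden_sshd_config FILE
# Back the file up, then apply every setting from the sections above plus
# ChallengeResponseAuthentication no (PAM keyboard-interactive would otherwise
# still accept passwords when UsePAM is yes).
harden_sshd_config() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" AllowUsers admin
    set_sshd_option "$cfg" Protocol 2
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
}

# validate_sshd_config FILE
# Have sshd parse the file before restarting it. sshd -t also loads the host
# keys, so run this as root; it is skipped when sshd is not on the PATH.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check of $1" >&2
    fi
}

# Usage: sudo sh harden_sshd.sh /etc/ssh/sshd_config   (then restart sshd)
if [ $# -ge 1 ]; then
    harden_sshd_config "$1"
    validate_sshd_config "$1"
    echo "Effective global settings in $1:"
    for k in PermitRootLogin AllowUsers Protocol PubkeyAuthentication \
             PasswordAuthentication ChallengeResponseAuthentication; do
        echo "  $k $(get_sshd_option "$1" "$k")"
    done
fi
```

Run it as root against /etc/ssh/sshd_config from a session you keep open, check that the printed values are the ones you expect, then restart sshd with the same command used in the steps above (on systemd-based releases such as CentOS 7 the equivalent is sudo systemctl restart sshd) and confirm a new key-based login succeeds before closing the old session. The timestamped .bak copy is what you restore if it does not.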