FreeBSD is Fun

Practical recipes for FreeBSD

Basic SSH security

Posted

by

shogun

Category

This tutorial was first published in 2014 in Metin2Dev. I have corrected a few bits, but the procedures are exactly the same as 10 years ago.

Today I will show you how to make your server safer easily while at the same time avoiding having to type your login and password every time you want to work on it. This is called public key authentication

For starters, we will create a new user for our game server.

pw useradd metin2 -m -g wheel

This will create a user as well as his home directory under /home/metin2. Don’t worry, nothing is wrong (probably) the command is just silent like that and will comply without giving any feedback on the result. About that “wheel” thing, it means we are adding the new user to the wheel group, which happens to consist of those users who are allowed to switch to the root superuser with su. This is necessary if we want to disable logging in directly as root – a very sensible security measure.

Next it is time to create the files necessary for our key authentication to work. Note this tool must be run as the user in question, hence the first command.

su metin2
ssh-keygen

Just press enter on every question and the /home/metin2/.ssh directory will be created along with the files id_rsa (which contains the user’s private key) and id_rsa.pub (the user’s public key). These are of no interest to us now, it’s enough to understand that a public key is used to authenticate a user who posesses the private key yet gives no access to anything by itself. Think of the public key as a lock that can only be opened by the private key.

NB: the dot before .ssh means it’s a hidden directory. It does not show when doing ls unless you are root, so you must know it’s there (and have permissions to do so!) to access it.

Now we are going to create our own private key, which is not the same as the ones we just created: this one will serve to authenticate us, not the “metin2” account that we created in our server. Confused? I bet. Just download Puttygen (a tool from the author of Putty) and use it to generate a private key -which you will save in a safe place won’t you?- and thereafter a public key.

Copy this public key directly from Puttygen onto the clipboard and then go back to your server’s shell and create this file:

ee /home/metin2/.ssh/authorized_keys

Now let’s just paste that public key of ours that we have in our clipboard with CTRL+V, press enter and ESC and save the file. Once again, make sure it’s this user (metin2 or whatever you named him) owning every file under .ssh as the authentication will fail if permissions and ownership of these are not correct. This can be achieved either by editing the files as said user, or by running the chown command after the fact:

chown metin2:metin2 /home/metin2/.ssh/authorized_keys

Now it’s time to test our key. There are two sides to this: one is to add the username (Connection > Data) and the key (Connection > SSH > Auth) to Putty (do not forget to save the session afterwards!) and then check that ssh is configured to accept keys server side. Open /etc/ssh/sshd_config in your favorite text editor and verify Pubkeyauthentication is set to yes. If it’s set to yes but it’s commented, this means that this is the default setting so there is no need to remove the comment. If for some reason you had to change this, you will need to restart the ssh daemon with service sshd restart.

Finally, you can try opening your server session with putty and our new key. Works? Great. Otherwise make sure you followed those steps properly and that authorized_keys is owned by our dear user and is only writeable by him:

root@webserver:/home/www # ls -l .ssh
total 12
-rw-r--r-- 1 www www 398 Jan 18 17:36 authorized_keys
-rw------- 1 www www 1831 Jan 18 17:34 id_rsa
-rw-r--r-- 1 www www 403 Jan 18 17:34 id_rsa.pub

Once this is working, we can move on to the next step in security and proceed to disable root login and password authentication in /etc/ssh/sshd_config so our key will be the only way into our server. The settings we are looking for are:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no

Again, once you saved this file you will have to restart the ssh server with service sshd restart. And while you are editing the ssh config, it’s also a good idea to change the ssh port to a different one, preferably an unused, high number port between 20000 and 30000 – but don’t forget to open this port in your firewall if you have one or you will lock yourself out.

Part 3. Security good practices

Once you do all of this, the only way to access your server is through the private ppk file. Therefore, make sure to keep it in a safe place such as USB stick or external drive!

You will access root privileges by logging in with the metin2 user and then using su. So in the event that someone gained shell access through some kind of backdoor or exploit which stole your key, he won’t have full access to the machine unless he knows the root password as well!

Not feeling confident? You can always hire me to perform this or any other of the administrative tasks described in this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *