[Linux] SSH access control

Summarized Answer:

Generate an SSH key pair using ssh-keygen on the client and copy the public key to the server.
Configure proper file permissions and modify /etc/ssh/sshd_config to enforce key-based authentication.
Restart the SSH service to apply changes and test the connection.

Detailed Answer: Below is a detailed step-by-step example to activate SSH control using key-based authentication:

Generate SSH Key Pair on the Client: Open your terminal and run:
```
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
```
- You will be prompted for a file location (default is ~/.ssh/id_rsa).
- You may also choose to set a passphrase for added security.
Copy the Public Key to the Server: Use the ssh-copy-id command to transfer your public key to the server’s authorized keys:
```
ssh-copy-id username@server_ip
```
Replace username with your actual server user and server_ip with the server’s IP address.
- Alternatively, if ssh-copy-id is unavailable, manually copy the key:
  cat ~/.ssh/id_rsa.pub | ssh username@server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Set Correct File Permissions on the Server: After copying the key, ensure that the SSH directory and files have secure permissions by logging into the server and executing:
```
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```
These commands restrict access to your SSH configuration and authorized keys.
Configure the SSH Daemon (sshd_config): Edit the SSH configuration file to enforce key-based authentication and disable password logins:
```
sudo vim /etc/ssh/sshd_config
```
If you are not comfortable with vim, ensure your default editor is one you prefer (e.g., use sudo EDITOR=nano visudo for sudoers, though for sshd_config you can simply open the file with nano if desired: sudo nano /etc/ssh/sshd_config). In the file, locate and set the following parameters:
```
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
```
Optionally, restrict access to specific users:
```
AllowUsers username1 username2
```
This ensures that only specified users can access the server via SSH.
Restart the SSH Service: To apply the configuration changes, restart the SSH service:
```
sudo systemctl restart ssh
```
This step is critical to ensure that the new settings take effect.
Testing the Configuration: From your client machine, attempt to SSH into the server:
```
ssh username@server_ip
```
You should be able to log in without being prompted for a password, and the connection will rely solely on the key-based authentication.

By following these steps, you ensure that SSH access is controlled via secure keys, reducing the risk of unauthorized access through password brute-force attacks.

Manage ssh globally only sudo

Yes, you can configure SSH to use a global authorized keys directory by modifying the AuthorizedKeysFile directive in /etc/ssh/sshd_config. For example, setting it to something like /etc/ssh/authorized_keys/%u lets you centrally manage keys, with files owned and modifiable only by root. This ensures users cannot alter their SSH keys without sudo privileges.

Detailed Answer: By default, each user’s SSH authorized keys file is located in their home directory (e.g., ~/.ssh/authorized_keys), which means the user can change it. If you wish to manage SSH keys centrally—so that keys for all users are stored in a global location and only administrators (using sudo) can modify them—you can change the SSH daemon configuration.

Here’s how you can set it up:

Modify the SSH Daemon Configuration: Edit the /etc/ssh/sshd_config file (you’ll need sudo for this) and change the AuthorizedKeysFile directive. For example, you might set it as follows:
```
bashCopyAuthorizedKeysFile /etc/ssh/authorized_keys/%u
```
In this configuration, %u is a placeholder that SSH replaces with the username of the connecting user. This tells SSH to look for a file named after each user in the directory /etc/ssh/authorized_keys.
Set Up the Global Authorized Keys Directory: Create the directory and set strict permissions so that only root can modify it:
```
bashCopysudo mkdir -p /etc/ssh/authorized_keys
sudo chmod 700 /etc/ssh/authorized_keys
```
For each user, you can then create a file under this directory—for example, /etc/ssh/authorized_keys/bob—and populate it with the public keys that should be allowed for that user. Ensure these files are owned by root and have permissions such as 600:
```
bashCopysudo touch /etc/ssh/authorized_keys/username
sudo chown root:root /etc/ssh/authorized_keys/username
sudo chmod 600 /etc/ssh/authorized_keys/username
```
Repeat this for every user whose keys you want to manage globally.
Restart the SSH Service: After making changes, restart SSH to apply the new configuration:
```
bashCopysudo systemctl restart sshd
```
With this setup, when a user attempts to log in via SSH, the daemon will check the global file /etc/ssh/authorized_keys/<username>. Since these files are controlled by root, users cannot modify their own authorized keys without sudo access.

This centralized approach is useful in environments where you want to enforce strict control over who can log in and prevent users from self-managing their keys. It’s also handy if you’re managing multiple systems, as you can use configuration management tools (like Ansible, Puppet, etc.) to update these global files consistently.

Previous[Linux] server terminal resolution NextSSH

Last updated 1 month ago

Was this helpful?