Allow or deny SSH? You may want to provide secure and limited SSH access to your public hosts, using SSH keys. Here's a simple way to do it.
Care for better security with SSH? If you do, perhaps you don't want to allow root SSH access to your public hosts facing the world. Instead, you'd prefer SSH keys for select users, excluding root. Here's a quick guide on how to set this up.
Let's start by installing openssh-server on your remote Linux host:
sudo apt-get install -y openssh-server
Once installed, you can verify the status of the SSH service with:
sudo service ssh status
The SSH service is running if the output contains a line starting with Active: active (running).
By default, all local user accounts on your remote Linux host (including root) are allowed SSH access using their system credentials. Let's assume you want to grant SSH access exclusively to user joe. This could be an existing account, or you can create it with:
sudo useradd -m -d /home/joe -s /bin/bash joe
Set the password for user joe:
sudo passwd joe
We can add joe to the sudo group (so joe can use sudo) and also to a custom ssh group for users with SSH access (create the ssh group first if it does not exist yet, since usermod refuses unknown groups):
sudo usermod -aG sudo,ssh joe
Let's give user joe exclusive SSH access. Make the following change in the /etc/ssh/sshd_config file:
AllowUsers joe
Alternatively, we could grant exclusive SSH access to the ssh group (in /etc/ssh/sshd_config):
#AllowUsers joe
AllowGroups ssh
Restart the SSH service to make changes effective:
sudo service ssh restart
Now for any user other than joe (or users in the ssh group, if you chose the AllowGroups ssh alternative), an SSH login attempt results in a permission error:
Permission denied, please try again.
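The client only sees "Permission denied"; the reason is recorded on the server side, where sshd logs which user and address were refused by AllowUsers or AllowGroups. The following script is an added example, not part of the original post: it summarises those refusals per user and source address from auth-log lines. The log lines in sample_log are constructed (invented host, users and addresses) and modelled on the messages sshd writes to /var/log/auth.log; the function names sample_log and rejected_by_allowlist are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the logins sshd
# refused because of AllowUsers/AllowGroups, so you can confirm the
# restriction is doing its job and see who is knocking.
set -eu

# Constructed sample log lines (invented host, users and addresses), shaped
# like the messages sshd writes to /var/log/auth.log or `journalctl -u ssh`.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:12 host sshd[2210]: User root from 203.0.113.7 not allowed because not listed in AllowUsers
Mar  3 10:01:15 host sshd[2210]: Failed password for invalid user root from 203.0.113.7 port 51022 ssh2
Mar  3 10:02:40 host sshd[2231]: Accepted publickey for joe from 198.51.100.4 port 50110 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Mar  3 10:03:05 host sshd[2250]: User bob from 203.0.113.9 not allowed because none of user's groups are listed in AllowGroups
Mar  3 10:03:30 host sshd[2262]: User root from 203.0.113.7 not allowed because not listed in AllowUsers
EOF
}

# rejected_by_allowlist < LOG
# Prints "COUNT USER SOURCE" for each user/address pair refused by
# AllowUsers or AllowGroups, most frequent first. Ordinary failed passwords
# and successful logins are left out on purpose.
rejected_by_allowlist() {
    awk '
        /not allowed because/ && /Allow(Users|Groups)/ {
            user = ""; src = ""
            for (i = 1; i < NF; i++) {
                if ($i == "User") user = $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            if (user != "" && src != "") count[user " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Against a real host: rejected_by_allowlist < /var/log/auth.log
sample_log | rejected_by_allowlist
```

On the sample above the first output line is "2 root 203.0.113.7", i.e. the address that tried root twice, which is exactly the kind of attempt the AllowUsers rule is there to stop.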
Let's try to further secure SSH access and replace SSH password authentication with public key authentication. For this, you'll need to generate a public/private key pair on the client machine used for SSH access. You may already have this key pair (check for the ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files). Here's the command to generate the key pair:
ssh-keygen -t rsa -C "NAME"
Replace NAME with the name of your local client machine, or whatever you'd prefer to label your public key with. You can view the newly generated public key with:
cat ~/.ssh/id_rsa.pub
Next, copy the public key to the remote Linux host you want SSH access to. Keep in mind that at this point password authentication still needs to be enabled on the remote host:
ssh-copy-id -i ~/.ssh/id_rsa.pub joe@your_remote_host
At this point you'll be able to SSH into your remote Linux host without being asked for a password:
ssh joe@your_remote_host
Finally, disable SSH password authentication and enable SSH public key authentication on your remote Linux host. Make the following changes in /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
Restart the SSH service.
sudo service ssh restart
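Editing sshd_config by hand twice (once for AllowUsers, once for the authentication settings) is where lockouts happen: a leftover commented line, a duplicated directive, or a typo that stops sshd from restarting. The script below is an added example, not code from the original post: it applies both sets of changes described above idempotently and validates the file with sshd -t before restarting. The helper names set_sshd_option and restrict_ssh_access are my own, and the script assumes a sshd_config without Match blocks (a directive placed after a Match line only applies inside that block, and this script rewrites lines in place wherever they are).

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd_config changes
# described above (AllowUsers, PasswordAuthentication, PubkeyAuthentication)
# idempotently, and validate the file with `sshd -t` before restarting.
# Assumes a sshd_config without Match blocks.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first active or commented-out KEY line to "KEY VALUE", drops
# any further KEY lines (sshd uses the first one it reads, so duplicates are
# misleading), and appends the line if KEY was not present at all.
set_sshd_option() {
    _file=$1 _key=$2 _value=$3
    _tmp=$(mktemp)
    awk -v k="$_key" -v v="$_value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)    # strip indent and a leading #
            if (line == k || match(line, "^" k "[ \t]")) {
                if (!done) { print k, v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k, v }
    ' "$_file" > "$_tmp"
    cat "$_tmp" > "$_file"   # overwrite in place so owner and mode are kept
    rm -f "$_tmp"
}

# restrict_ssh_access FILE USER
# Limits logins to USER and switches from password to key authentication.
# PermitRootLogin no is belt and braces: AllowUsers already excludes root.
# If you chose the AllowGroups ssh alternative, an AllowUsers line added
# here applies as well; a login must then satisfy both.
restrict_ssh_access() {
    set_sshd_option "$1" AllowUsers "$2"
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PermitRootLogin no
}

# Only touch the live config when asked to. Keep your current SSH session
# open and confirm key login works from a second terminal before running it.
if [ "${1:-}" = "--apply" ]; then
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak"
    restrict_ssh_access "$cfg" "${2:-joe}"
    sshd -t -f "$cfg"          # a syntax error aborts here, before the restart
    service ssh restart
fi
```

Run it as sudo sh restrict_ssh.sh --apply joe on the remote host. Because set -e is on, a failed sshd -t stops the script before service ssh restart, so a broken config never takes effect; restore from /etc/ssh/sshd_config.bak if you need to back out.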
You now have SSH access limited to select users (joe, or users in the ssh group), using SSH keys for authentication.