Ubuntu - SSH - Configure sshd with multiple authentication factors
With this setup, a user logging into this OpenSSH server must present a valid username (one that is a member of the sshusers group), a private key matching one of the public keys in that user's authorized_keys file, and finally the user's password, in that order. Without any one of these factors the login is refused. That's pretty good security if you ask me.
- /etc/ssh/sshd_config

# TCP port to bind to.
# Change to a high/odd port if this server is exposed to the internet directly.
Port 22

# Bind to all interfaces (change to specific interface if needed).
ListenAddress 0.0.0.0

# Force SSHv2 Protocol.
Protocol 2

# HostKeys for protocol version 2.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Privilege Separation is turned on for security.
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key.
KeyRegenerationInterval 3600
ServerKeyBits 2048

# Limit SSH access to only certain users.
AllowGroups sshusers

# Client timeout (5 minutes).
ClientAliveInterval 300
ClientAliveCountMax 0

# Compression (only after authentication).
Compression delayed

# Logging.
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication must happen within 30 seconds.
LoginGraceTime 30

# Disable root SSH access.
PermitRootLogin no
PermitEmptyPasswords no

# Check user folder permissions before allowing access.
StrictModes yes

# Public key authentication + Password authentication.
# Two-Factor Authentication in OpenSSH v6.2+.
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# Change this depending on where your authorized_keys file is.
# This is set as a workaround when using encrypted home directories.
# Link: https://joscor.com/2013/05/putty-server-refused-our-key/
AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys

# Message Authentication Code (Hash, only SHA2-512).
# SHA-256 included for compat with PuTTY-WinCrypt clients.
MACs hmac-sha2-512,hmac-sha2-256

# Ciphers (only secure AES-256).
Ciphers aes256-cbc,aes256-ctr

# Key Exchange algorithms (Elliptic Curve Diffie-Hellman).
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients.
KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

# Don't read the user's ~/.rhosts and ~/.shosts files.
IgnoreRhosts yes

# Disable unused authentication schemes.
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM yes

# X11 support.
X11Forwarding no

# Don't show Message of the Day.
PrintMotd no

# TCPKeepAlive (non-tunneled, disabled).
TCPKeepAlive no

# Allow client to pass locale environment variables.
AcceptEnv LANG LC_*

Notes for newer OpenSSH releases. The protocol 1 directives (Protocol, KeyRegenerationInterval, ServerKeyBits, RSAAuthentication, RhostsRSAAuthentication) were removed with SSH v1 server support in OpenSSH 7.4, and UsePrivilegeSeparation in 7.5; sshd only logs a "Deprecated option" warning for them, so the file still loads, but they can be dropped. ssh-dss (DSA) keys are disabled by default since 7.0, so the ssh_host_dsa_key entry is no longer used. CBC-mode ciphers such as aes256-cbc have been off by default since 6.7; aes256-ctr or aes256-gcm@openssh.com is the better choice. Since 8.2, ClientAliveCountMax 0 disables idle termination entirely, so use ClientAliveCountMax 1 to keep the intended five-minute timeout. Because StrictModes applies to the AuthorizedKeysFile path, /etc/ssh/keys/<user> and the authorized_keys file in it must be owned by that user or by root and must not be group- or world-writable, or key authentication silently fails. After editing, validate with sshd -t, and keep an existing session open until a fresh login has succeeded: AllowGroups sshusers locks out every account not in that group.
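The following is an added example, not code from the page: a POSIX shell audit that reads an sshd_config the way sshd does (keywords are case-insensitive and the first occurrence of a keyword wins) and checks the directives above that make the two-factor requirement actually hold: every AuthenticationMethods alternative requires publickey followed by password, both of those methods are enabled, root and empty-password logins are refused, and no CBC cipher is listed. The function names and the three constructed sample configs (the page's settings, the same without aes256-cbc, and a single-factor config) are this example's own assumptions; Match blocks and Include directives are not handled.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an sshd_config for the
# key-plus-password settings described above. Function names and the sample
# configs are this example's own. Match blocks and Include are not handled.

# Print the effective value of keyword $2 in config file $1 (empty if unset).
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == key {                           # first match wins, as in sshd
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }' "$1"
}

# Same, but fall back to $3 (sshd's compiled-in default) when the keyword is absent.
sshd_opt_or() {
    v=$(sshd_opt "$1" "$2")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Print one FAIL/WARN line per finding for config $1. Sets AUDIT_FINDINGS to the
# number of findings and returns non-zero when there are any.
audit_sshd_config() {
    cfg=$1
    n=0

    # 1. Every AuthenticationMethods alternative must require publickey, then password.
    methods=$(sshd_opt "$cfg" AuthenticationMethods)
    if [ -z "$methods" ]; then
        echo "FAIL AuthenticationMethods unset: any single enabled method grants access"
        n=$((n + 1))
    else
        for alt in $methods; do             # space-separated alternatives
            ok=0
            case ",$alt," in                # password must come after publickey
                *,publickey,*) case ",${alt#*publickey}," in *,password,*) ok=1 ;; esac ;;
            esac
            if [ "$ok" -eq 0 ]; then
                echo "FAIL AuthenticationMethods alternative '$alt' does not require publickey then password"
                n=$((n + 1))
            fi
        done
    fi

    # 2. Each required method must be enabled; root and empty passwords refused.
    #    Fields: keyword, wanted value, sshd default when the keyword is absent.
    for rule in "PubkeyAuthentication yes yes" "PasswordAuthentication yes yes" \
                "PermitRootLogin no prohibit-password" "PermitEmptyPasswords no no"; do
        set -- $rule
        got=$(sshd_opt_or "$cfg" "$1" "$3" | tr '[:upper:]' '[:lower:]')
        if [ "$got" != "$2" ]; then
            echo "FAIL $1 is '$got', want '$2'"
            n=$((n + 1))
        fi
    done

    # 3. CBC-mode ciphers have been off by default since OpenSSH 6.7; flag them.
    ciphers=$(sshd_opt "$cfg" Ciphers)
    old_ifs=$IFS; IFS=,
    for c in $ciphers; do
        case $c in
            *-cbc) echo "WARN Ciphers lists CBC-mode cipher '$c'"; n=$((n + 1)) ;;
        esac
    done
    IFS=$old_ifs

    AUDIT_FINDINGS=$n
    [ "$n" -eq 0 ]
}

# Plain count of findings for config $1 (handy in scripts and tests).
audit_count() {
    audit_sshd_config "$1" >/dev/null || true
    echo "$AUDIT_FINDINGS"
}

# Constructed sample configs, trimmed to the directives the audit reads.
# Prints the directory they were written to.
write_samples() {
    dir=${TMPDIR:-/tmp}/sshd-audit-$$
    mkdir -p "$dir"
    cat >"$dir/page.conf" <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
Ciphers aes256-cbc,aes256-ctr
EOF
    sed '/^Ciphers/s/aes256-cbc,//' "$dir/page.conf" >"$dir/hardened.conf"
    cat >"$dir/weak.conf" <<'EOF'
# AuthenticationMethods publickey,password   (commented out, must be ignored)
permitrootlogin yes
PasswordAuthentication yes
EOF
    printf '%s\n' "$dir"
}

samples=$(write_samples)
for name in page hardened weak; do
    echo "== $name.conf"
    audit_sshd_config "$samples/$name.conf" && echo "-> clean" || echo "-> $AUDIT_FINDINGS finding(s)"
done
rm -rf "$samples"
```

Run audit_sshd_config /etc/ssh/sshd_config alongside sshd -t before reloading: sshd -t proves the file parses, the audit proves the second factor is still mandatory. The page's own settings produce one WARN (aes256-cbc) and no FAIL; the single-factor sample fails on the missing AuthenticationMethods line and on PermitRootLogin.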
ubuntu/ssh/configure_sshd_with_multiple_authentication_factors.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1