2

I want to connect from my laptop to my home server (both run some Linux; note that I explicitly want my user to be able to become root, e.g. in order to install new software): the server has the following sshd_config:

AllowUsers <zzz-my-user>
PermitRootLogin no
HostKey /etc/ssh/ssh_host_rsa_key
ChallengeResponseAuthentication no
PasswordAuthentication no
# PubkeyAcceptedKeyTypes ssh-rsa*
LoginGraceTime 8
X11Forwarding no
PrintMotd no
MaxStartups 2:30:10
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

On the client I ran:

mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -o -t rsa -b 4096

and then added the public key on the server to .ssh/authorized_keys; on the server I also ran

sudo ssh-keygen -o -N '' -b 4096 -t rsa -f /etc/ssh/ssh_host_rsa_key

Do you think this minimal procedure and configuration might guarantee a reasonable security level? Would you suggest any improvements?

jj_p
  • 369
  • 1
  • 9
  • 1
    Logging in as root is foregoing one level of defense in depth. – Deer Hunter Mar 06 '16 at 18:38
  • @DeerHunter Thanks, I understand, but for some reason I want to be able to install new software – jj_p Mar 06 '16 at 19:55
  • The funny thing is, you don't need root login for automated installation. Ansible can happily get elevated privileges via su or sudo. – Deer Hunter Mar 06 '16 at 20:08
  • @DeerHunter it's more like installing from time to time new programs, or changing settings (like other users' passwords, etc.): do you think it is not a nice way to do it via ssh? – jj_p Mar 06 '16 at 20:12
  • It's definitely not a recommended practice. `sudo` all the things, or simply `su -`. Entering a password once a month is not a big burden IMO. Your mileage may vary. – Deer Hunter Mar 06 '16 at 20:15
  • Ditto. Definitely not recommended to allow remote root authentication. – Neil Smithline Mar 06 '16 at 20:20
  • @DeerHunter Do you think we are good now with the edits? :) – jj_p Mar 06 '16 at 20:32
  • @NeilSmithline thanks, for some reason I didn't understand that I can log in and then use sudo without remote root authentication enabled; now I have edited the config, and it should be better – jj_p Mar 06 '16 at 20:34
  • @DeerHunter perhaps you want to write up an answer as you already did all of the hard work. – Neil Smithline Mar 06 '16 at 20:36
  • @NeilSmithline - I have a vague feeling this question is a dupe. – Deer Hunter Mar 06 '16 at 21:06
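Before relying on a handful of lines in sshd_config, it is worth checking what sshd will actually use. The helper below is an added example, not code from the question or the answer: it reads a config file with sshd's first-match-wins rule (only the first uncommented occurrence of a keyword counts, later duplicates are ignored) and compares the result with the hardening discussed in this thread. It assumes plain `Keyword value` lines and no Match blocks, and the two sample files are constructed here (the first is the config posted in the question). On the real host, `sshd -T` prints the effective configuration including compiled-in defaults, and `sshd -t` validates a file before you restart the daemon, which is the check you want before locking yourself out of a remote box.

```shell
#!/bin/sh
# Added audit helper (not part of the original question or answer).
# sshd(8) reads sshd_config with first-match-wins semantics: for each keyword
# only the first non-comment occurrence counts, later lines are ignored.
# Assumptions: whitespace-separated "Keyword value" lines, no Match blocks.

# Print the value sshd would use for a keyword (empty if absent or commented out).
# Usage: sshd_effective <config-file> <Keyword>   (keyword is case-insensitive)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # comment line
        /^[ \t]*$/ { next }                 # blank line
        tolower($1) == key {                # first hit wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# Compare the effective values against the hardening discussed in the thread.
# An absent keyword is reported as FAIL on purpose: sshd then uses its
# compiled-in default, which differs between releases (verify with sshd -T).
# Prints one PASS/FAIL line per check; returns 1 if any check failed.
# Usage: sshd_check <config-file>
sshd_check() {
    conf=$1
    rc=0
    while IFS='|' read -r key want; do
        got=$(sshd_effective "$conf" "$key")
        if [ "$got" = "$want" ]; then
            printf 'PASS %-32s %s\n' "$key" "$got"
        elif [ -z "$got" ]; then
            printf 'FAIL %-32s not set, sshd default applies (want "%s")\n' "$key" "$want"
            rc=1
        else
            printf 'FAIL %-32s got "%s", want "%s"\n' "$key" "$got" "$want"
            rc=1
        fi
    done <<'EOF'
PermitRootLogin|no
PasswordAuthentication|no
ChallengeResponseAuthentication|no
X11Forwarding|no
AllowTcpForwarding|no
PermitTunnel|no
EOF
    return "$rc"
}

# Constructed sample 1: the sshd_config from the question (placeholder kept).
q_conf=$(mktemp)
cat >"$q_conf" <<'EOF'
AllowUsers <zzz-my-user>
PermitRootLogin no
HostKey /etc/ssh/ssh_host_rsa_key
ChallengeResponseAuthentication no
PasswordAuthentication no
# PubkeyAcceptedKeyTypes ssh-rsa*
LoginGraceTime 8
X11Forwarding no
PrintMotd no
MaxStartups 2:30:10
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# Constructed sample 2: the first-match trap. Hardening lines appended at the
# bottom of a distribution default file change nothing, the earlier lines win.
dup_conf=$(mktemp)
cat >"$dup_conf" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# added later, expecting it to take effect:
PermitRootLogin no
PasswordAuthentication no
EOF
trap 'rm -f "$q_conf" "$dup_conf"' EXIT

echo "== question's config =="
sshd_check "$q_conf" || echo "some hardening options are not explicitly set"
echo "== duplicate-keyword file =="
printf 'PermitRootLogin effective value: %s\n' "$(sshd_effective "$dup_conf" PermitRootLogin)"
```

Run against the question's file this passes the four options it does set and flags AllowTcpForwarding and PermitTunnel as unset; run against the second file it shows `yes`, which is exactly what an admin who appended `PermitRootLogin no` to a stock config would not expect.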

1 Answer

3
  • If you are running a fairly recent version of OpenSSH, I would rather recommend

    PermitRootLogin without-password
    

    It should not matter if you do not allow password authentication (but it will matter later, should you decide to allow it for some reason).

  • Not sure what you mean by "to be able to root", but if you want to allow root login, you also need to list that user in the AllowUsers option, if <zzz-my-user> is not root.

  • UsePrivilegeSeparation sandbox is the current default. It works fine and adds another layer of security.

Further options depend on your use cases and on what you want to protect against. But generally, forbidding tunnelling, port forwarding or X11 forwarding might be the way to go if you don't use them.

Jakuje
  • 5,229
  • 16
  • 31
  • Thanks for your reply. By 'to be able to root' I mean my user being able to become root. I added your suggestions: does it look better now? – jj_p Mar 06 '16 at 19:54
  • If you mean *"my user being able to become root"*, then you should deny root login altogether. – Jakuje Mar 06 '16 at 19:55
  • oh, I see, and then I would still be able to become root from my user? I didn't know that, thanks – jj_p Mar 06 '16 at 19:56
  • 1
    Yes. `sudo` or `su` will work even with `PermitRootLogin no`. – Jakuje Mar 06 '16 at 19:57
  • do you think now we are fairly decent? – jj_p Mar 06 '16 at 19:58
  • You still didn't specify what you want to use the server for, but quite. – Jakuje Mar 06 '16 at 20:00
  • it's just our home PC; it is behind a router with a dynamic IP and port 22 forwarded to it; mainly I need to connect remotely from my laptop from time to time to install programs or check issues – jj_p Mar 06 '16 at 20:02
  • For that use you are ok. You might also drop SFTP if you don't plan to use it (but it might be pretty convenient from time to time). – Jakuje Mar 06 '16 at 20:04
  • indeed it's been useful in the past :) thanks a lot for your advice – jj_p Mar 06 '16 at 20:06
  • I made some improvements following the page linked above. By the way, I notice my version is a bit outdated (e.g. it does not support the -o option in ssh-keygen): OpenSSH_5.9p1 Debian-5ubuntu1.8, OpenSSL 1.0.1 14 Mar 2012. Is this a problem? – jj_p Mar 08 '16 at 09:11
  • Note that, due to the old version, I also had to comment out the pubkey.. option – jj_p Mar 08 '16 at 09:35
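The last two comments describe a concrete failure mode: an sshd_config keyword the installed OpenSSH does not know (here PubkeyAcceptedKeyTypes on 5.9) makes sshd exit with "Bad configuration option", and `ssh-keygen -o` is likewise not accepted on that release. The script below is an added example, not part of the original answer: it parses the banner printed by `ssh -V 2>&1`, gates each option discussed in this thread on the release that introduced it (from the OpenSSH release notes: `ssh-keygen -o` in 6.5, PubkeyAcceptedKeyTypes and `PermitRootLogin prohibit-password` in 7.0, `UsePrivilegeSeparation sandbox` in 5.9 and deprecated as always-on in 7.5) and emits an sshd_config fragment that applies the thread's advice: key-only login as the named user, root via sudo, no forwarding. The feature names, the `hardened_fragment` helper and its default user placeholder are my own; the PubkeyAcceptedKeyTypes value mirrors the line the question had to comment out and should be adjusted to the key types actually in use.

```shell
#!/bin/sh
# Added example (not from the original thread): gate the options discussed
# above on the installed OpenSSH version. sshd exits with
# "Bad configuration option" on a keyword it does not know, so a config copied
# from a newer guide can lock you out of a remote host.
# Minimum versions (from the OpenSSH release notes):
#   ssh-keygen -o (new private key format)     6.5
#   PubkeyAcceptedKeyTypes                     7.0
#   PermitRootLogin prohibit-password          7.0
#   UsePrivilegeSeparation sandbox             5.9  (deprecated, always on, from 7.5)

# Extract "major.minor" from the banner printed by `ssh -V 2>&1`.
# Usage: openssh_version "<banner>"    -> e.g. "5.9" (nothing if not OpenSSH)
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Numeric major.minor comparison (string comparison would rank 10.0 below 6.5).
# Usage: version_ge <have> <min>
version_ge() {
    hm=${1%%.*}; hn=${1#*.}
    mm=${2%%.*}; mn=${2#*.}
    [ "$hm" -gt "$mm" ] || { [ "$hm" -eq "$mm" ] && [ "$hn" -ge "$mn" ]; }
}

# Feature names below are this script's own labels, not OpenSSH terminology.
# Usage: feature_supported <major.minor> <feature>
feature_supported() {
    case $2 in
        keygen_new_format)         version_ge "$1" 6.5 ;;
        pubkey_accepted_key_types) version_ge "$1" 7.0 ;;
        prohibit_password)         version_ge "$1" 7.0 ;;
        privsep_sandbox)           version_ge "$1" 5.9 ;;
        *) echo "unknown feature: $2" >&2; return 2 ;;
    esac
}

# Emit an sshd_config fragment this version will accept, applying the
# thread's advice: key-only login as the named user, root via sudo, no
# forwarding. Version-gated lines are included only when understood.
# Usage: hardened_fragment <major.minor> [user]
hardened_fragment() {
    hv=$1; user=${2:-'<zzz-my-user>'}
    cat <<EOF
AllowUsers $user
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
LoginGraceTime 8
MaxStartups 2:30:10
EOF
    if feature_supported "$hv" pubkey_accepted_key_types; then
        echo 'PubkeyAcceptedKeyTypes ssh-rsa*'   # value from the question; adjust to your keys
    fi
    if feature_supported "$hv" privsep_sandbox && ! version_ge "$hv" 7.5; then
        echo 'UsePrivilegeSeparation sandbox'    # 7.5+ rejects nothing here but warns; it is always on
    fi
}

# Constructed banner, copied from the comment above.
banner='OpenSSH_5.9p1 Debian-5ubuntu1.8, OpenSSL 1.0.1 14 Mar 2012'
ver=$(openssh_version "$banner")
echo "detected OpenSSH $ver"
for f in keygen_new_format pubkey_accepted_key_types prohibit_password privsep_sandbox; do
    if feature_supported "$ver" "$f"; then echo "  $f: yes"; else echo "  $f: no"; fi
done
echo "--- sshd_config fragment for $ver ---"
hardened_fragment "$ver"
```

On the 5.9 host from the comments the fragment omits PubkeyAcceptedKeyTypes, which is the line the asker had to comment out by hand, and keeps `UsePrivilegeSeparation sandbox`; on 7.0 or later the key-type line comes back. Whatever the generator says, validate the assembled file with `sshd -t` before restarting sshd, and keep your existing session open until a fresh login succeeds.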