The main risk is forgetting that you're running an ssh server and putting a weak password on an account. There are attackers out there that systematically try common account names (like webmaster
and bob
) and weak passwords. You can eliminate this risk by forbidding password logins (put PasswordAuthentication no
in sshd_config
, and either also put UsePAM No
or disable password authentication in the PAM settings for ssh). An intermediate measure is to restrict ssh logins to a whitelist of users with AllowUsers
or AllowGroups
in sshd_config
.
Note that allowing password logins is not in itself a security problem. Weak passwords and snooped passwords are the problems, and allowing password authentication in the ssh server is an enabler. To protect against password snooping, never type your password on a machine you don't fully trust (but then if you do trust a machine you might as well install a private key on it, and then you don't need password authentication).
The minimum requirement to use an ssh client on a machine is that you trust that there won't be an active hijacking of the ssh communication (a man-in-the-middle attack is possible if it's running on the client machine — you think you're typing commands into a pristine ssh client but the client is in fact transmitting your authentication data faithfully but also inserting a trojan horse into the communication afterwards). This is a weaker requirement than trusting there won't be a password snooper (usually performed through a keylogger, but there are other less automated methods such as shoulder surfing). If you do have the minimum trust but still fear snoopers, you can use one-time passwords (OpenSSH supports them through its PAM support).
Of course, as any other program that interacts with machines outside your control (not just network servers but also clients), you must keep up with security updates.
1You might want to consider installing OpenVPN too and create a VPN tunnel into your PC for your ssh connection. This way you don't need to open your ssh port to the world. – Linker3000 – 2011-02-10T21:55:23.437
@ Linker3000 Thanks! I'll give it a thought --- even though I had quite an unpleasant experience with VPN a while ago. – ev-br – 2011-02-11T00:36:47.413
@Zhenya If you don't space your "@" and the users name, they will receive a notification of you replying them. ;) So you'll receive a comment when I use @Zhenya, but not when I use @ Zhenya – BloodPhilia – 2011-02-11T00:38:59.517
@Zhenya And now you're doing it again XD – BloodPhilia – 2011-02-11T15:31:19.593
@Linker, can you elaborate a bit on why OpenVPN is more secure than SSH? – Arjan – 2011-02-11T15:52:32.040
@Arjan: Fair point. Superficially, there's probably not much difference with regards to encryption/security as they are both based on OpenSSL, but a VPN tunnel will protect the transit of other less secure traffic without any extra effort (although you could argue that you can tunnel things over an ssh connection too and it depends on what connectivity you need). One thing I have found is that many 'open' public/customer network services, such as hotels and internet cafes etc. tend to allow VPN connectivity but ssh is often blocked - expecially if you have moved it to a non-standard port. – Linker3000 – 2011-02-11T16:06:24.920
@Arjan See 7. of my answer. – BloodPhilia – 2011-02-12T23:11:47.107
@BloodPhilia, that surely explains how to use SSH once one has such VPN tunnel, and limit SSH to that tunnel. (Well, why not use telnet then?) But my point was: why should VPN access itself be more secure than properly configured SSH access? – Arjan – 2011-02-13T09:44:45.943
@Arjan, it's not MORE secure, it's just another measure you could take, I was just summing up some of those measures. VPN is more secure than
telnet
since it is encrypted and will make the client part of the server's "local network". – BloodPhilia – 2011-02-13T12:12:55.633(@BloodPhilia, as an aside: I meant telnet when using VPN, instead of SSH when using VPN. But I'm sure we're thinking the same things here.) – Arjan – 2011-02-13T12:15:20.060
@Arjan Oh right! ;) Well, SSH is encrypted,
telnet
is plaintext... – BloodPhilia – 2011-02-13T12:16:36.097I know, but when using VPN, all is encrypted to start with, @BloodPhilia :-) – Arjan – 2011-02-13T12:17:43.193
@Arjan All hail double encryption :D – BloodPhilia – 2011-02-13T12:21:24.827