You really shouldn’t allow SSH logins via password. This is doubly true for root. On most of my hosts we allow SSH for normal users with a password, but restrict root to SSH keys only. And we always protect against brute force attacks with fail2ban.
If you aren’t already using SSH keys and SSH agent, you should. SSH agent forwarding allows for secure sideways authentication. For example:
tyler@baal:~$ ssh -A root@server1 Last login: Fri Sep 4 15:47:02 2009 from network-192-168-1-2.example.com Linux server1 2.6.24-22-generic #1 SMP Mon Nov 24 18:32:42 UTC 2008 i686 firstname.lastname@example.org:~# scp /tmp/file root@server2:/tmp/ file 100% 0 0.0KB/s 00:00 email@example.com:~#
Notice how I was never prompted for a password or SSH passphrase? That’s because in step one, I had an SSH agent already holding my passphrase. And in step two, scp on server1 securely forwarded the key request back to my workstation and server2 accepted it. No passwords. Fast and easy.
This allows me to improve security in several ways.
- I don’t have to remember my root passwords. I am free to store them in an encrypted file or encrypted password store.
- Because I don’t have to remember them, I don’t have to make them memorable. I generate all passwords with
- Because I don’t have to remember them, they don’t have to be the same. If I have two servers or 50, they can all have unique passwords.
Note for Ubuntu users: if you use a GPG key agent such as KGPG, you’ve probably already got an SSH key agent running. You just need to configure it to load your keys at login time.
Now, suppose you have a key that an automated script is using. Or you have a user that you want to be able to access your servers from work, but not from home? This is where key access limits come in. In ~/.ssh/authorized_keys:
from="*.example.com" ssh-rsa AAAAB3Pca[...]Fy== firstname.lastname@example.org
You can also limit by IP or have a list of limits.
from="*.example.com,192.168.*" ssh-rsa AAAAB3Pca[...]Fy== email@example.com
Now this key will only be accepted from servers whose IP addresses resolve to something in “example.com”, or whose IP address begins with “192.168.”. Note that using a hostname here means the user can’t login if DNS doesn’t work, or if reverse DNS records are wrong for your IP. For all but senior administrators, this is probably an acceptable risk.
Update 2009-09-07 13:49 UTC: As I’ve just discovered, you may have to list IPv4 addresses in their IPv6 form. For example:
from="::ffff:192.168.*,192.168.*" ssh-rsa AAAAB3Pca[...]Fy== firstname.lastname@example.org