What is public-key authentication?
Public-key authentication replaces the need for a password when connecting to servers via SSH.
This is done by storing users’ public keys on remote servers. When a user tries to connect to a server, they are granted access only if their key matches the public key stored for them on that server.
Why do users use public keys to authenticate instead of passwords?
SSH is set to use password authentication by default. To mitigate the effect of a brute-force attack, users have opted to enforce public-key authentication instead.
Public-key authentication uses shared public keys to authenticate users to servers. User Bob places his public key on server X, which allows him to SSH from his laptop into server X without the need for a password. No password = no brute-force attack.
[Figure: authentication with password]
[Figure: authentication with public key]
What are the drawbacks to using public keys?
Public-key authentication mitigates the effects of a brute-force attack on SSH by replacing the requirement for a password, which is great.
Though, what happens when our user Bob’s laptop gets compromised? Bob is using public key authentication and isn’t required to enter a password when SSHing to other servers. This means any attacker that gains access to Bob’s laptop now has access to any server Bob has his public key on.
Ouch. Bob implemented public keys to mitigate brute-force attacks via SSH, but those same public keys have now caused him more harm than good.
What can we do about this?
There is an option when you set up public-key authentication to add an additional passphrase. This is not the password you use to log in to your user account but instead a separate passphrase you set specifically for accessing the server. This means whenever you SSH into another system via public-key authentication you will also be prompted for a passphrase.
This is a form of two-factor authentication that not only mitigates brute-force attacks but also prevents you from unintentionally granting access to users that may have access to your laptop.
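An added example (not from the original post): a Python check that reports which private keys in a directory are stored without a passphrase, which are the keys anyone with access to Bob’s laptop could use as-is. The function names and the constructed_key sample helper are assumptions made for this example; the ciphername field it reads comes from OpenSSH's openssh-key-v1 private key format.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC in OpenSSH's PROTOCOL.key


def is_passphrase_protected(key_text):
    """True if the private key text is encrypted at rest."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a private key file")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            raise ValueError("bad openssh-key-v1 header")
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        if len(cipher) != n:
            raise ValueError("truncated key blob")
        return cipher != b"none"  # ciphername "none" = no passphrase
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    # Legacy PEM keys: encrypted ones carry a Proc-Type header line
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:3])


def unprotected_keys(ssh_dir):
    """Private key files directly under ssh_dir that have no passphrase."""
    found = []
    for path in sorted(Path(ssh_dir).iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue
        try:
            if not is_passphrase_protected(path.read_text(errors="replace")):
                found.append(path)
        except ValueError:
            pass  # known_hosts, config, authorized_keys and the like
    return found


def constructed_key(cipher):
    """Constructed sample: openssh-key-v1 header fields only, no key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(b"none" if cipher == b"none" else b"bcrypt") + s(b"")
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Calling unprotected_keys(Path.home() / ".ssh") lists the keys on your own machine that still need a passphrase.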
How else can we lock down SSH?
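To further protect ourselves we can set allowed or denied IP addresses/domains in /etc/hosts.allow and /etc/hosts.deny respectively. These files are only honoured when sshd is built with TCP Wrappers (libwrap) support. In this case we want to deny SSH access for anyone not in our domain. To do this we will need to append sshd: ALL EXCEPT .example.com to /etc/hosts.deny; the leading dot makes the pattern match every host in the domain.
The below will deny anyone from outside example.com SSH access to our servers.
sshd: ALL EXCEPT .example.com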