Secure ssh access with no password

Written by
Date: 2010-04-25 10:36:30 00:00


A dictionary attack, as described on Wikipedia, is:

In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.

A dictionary attack uses a brute-force technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values). In contrast with a normal brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary (hence the phrase dictionary attack) or a bible, etc. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.

If an attacker wants to break into your server, he first needs to guess a username and then guess the password for that username. That is why most dictionary attacks are aimed at the root password; there are two reasons for this:

  • Almost all systems have a root account (Ubuntu does not have it enabled)
  • If someone gains access to your server with the root account, they will have full access to the server

So there are two simple ways to remove the possibility of an attack on the root account:

Disable root access via ssh to your server

Edit the file /etc/ssh/sshd_config and look for this line:

#PermitRootLogin yes

And change it to:

PermitRootLogin no

Enable root access via ssh, but only with rsa key

Edit the file /etc/ssh/sshd_config and look for this line:

#PermitRootLogin yes

And change it to:

PermitRootLogin without-password

After that, create your key so that you can log in to the remote server with no password.

ssh-keygen -t rsa

Do not enter a passphrase when prompted; leave it empty, because the passwordless login only works with an empty passphrase.

Copy the file id_rsa.pub to the $HOME/.ssh directory of the machine you wish to connect to, where $HOME is the home directory of the user you would like to connect as (/root/.ssh if you would like to connect as root). Suppose you would like to connect as the user user:

scp $HOME/.ssh/id_rsa.pub usuario@server.remoto:/home/user/.ssh/authorized_keys2

or

ssh-copy-id -i ~/.ssh/id_rsa.pub username@example.com

Now you can connect to the remote server without being asked for a password.

ssh -l usuario server.remoto
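The key steps above (ssh-keygen, then copying id_rsa.pub into the remote user's .ssh directory), as an added example that is not part of the original post. It generates the key with an empty passphrase as the post prescribes (ssh-keygen -N ""), and installs the public key the way ssh-copy-id does: appended to authorized_keys rather than written over authorized_keys2, with the directory and file permissions sshd's StrictModes check requires, and without adding a key that is already present. The function names, the scratch home directory and the sample key lines are my own constructions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): generate a key pair and
# install its public key for a remote user without clobbering keys that
# are already there. The post's scp command writes the whole
# authorized_keys2 file, so every key previously authorized disappears.

# Usage: make_key PATH
#   Creates PATH (private key) and PATH.pub (public key) with an empty
#   passphrase (-N ""), which is what the post asks for.
make_key() {
    ssh-keygen -q -t rsa -b 4096 -N "" -f "$1"
}

# Usage: install_pubkey HOME PUBKEY_FILE
#   Appends the single public-key line in PUBKEY_FILE to
#   HOME/.ssh/authorized_keys. sshd (with StrictModes, the default) ignores
#   the file if ~/.ssh or authorized_keys is writable by others, so both
#   get tight permissions. A key already present (same key type and key
#   body, whatever the trailing comment) is not added again, so the
#   function is safe to run repeatedly. Lines carrying an option prefix
#   such as from="..." are not compared.
install_pubkey() {
    home=$1
    pub=$2
    dir="$home/.ssh"
    auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    keybody=$(awk '{ print $1, $2 }' "$pub")
    if ! awk -v k="$keybody" '($1 " " $2) == k { found = 1 } END { exit found ? 0 : 1 }' "$auth"; then
        cat "$pub" >> "$auth"
    fi
}

# Usage: count_keys HOME
#   Number of lines (keys) in HOME/.ssh/authorized_keys.
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Usage: auth_perms_ok HOME
#   Succeeds when ~/.ssh is mode 700 and authorized_keys is mode 600.
auth_perms_ok() {
    [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}

# Demo on a scratch directory standing in for the remote user's home.
demo_home=$(mktemp -d)
demo_pub="$demo_home/demo_key.pub"
if command -v ssh-keygen >/dev/null 2>&1; then
    make_key "$demo_home/demo_key"
else
    # Constructed sample key line (not a real key) for hosts without ssh-keygen.
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructedSampleKeyNotReal user@laptop" > "$demo_pub"
fi
install_pubkey "$demo_home" "$demo_pub"
install_pubkey "$demo_home" "$demo_pub"   # second run must not duplicate the key
echo "authorized_keys now holds $(count_keys "$demo_home") key(s)"
rm -rf "$demo_home"
```

On the remote machine, install_pubkey /home/user id_rsa.pub does what the post's scp line does, minus the overwrite; sshd still reads authorized_keys2 by default, but authorized_keys is the file ssh-copy-id and the sshd_config default AuthorizedKeysFile name first.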