Best practices/secure approach for accessing ssh server from semi-untrusted machines

Securityssh

I often need access to my home ssh server while abroad on customers machines. At present my ssh server is set to use password authentication on a non standard port. It's convenient because I can just download putty/pscp, do what I need to do and be done. But I am concerned about the security risks.

I've considered only allowing pub/pri key authentication with a passphrase. But I don't really want to be copying my private key onto remote machines if that can be avoided.

Is there a better approach? Something that is more secure, but still reasonably convenient.

I had thought of setting up two ssh servers, one exposed to internet, the other only to the LAN. The public server would allow password authentication, but would otherwise be locked down to only allow ssh access to the internal server (through a forced command or something). The internal server would only allow ssh access via pub/pri key authentication that uses a passphrase. In theory it should work, but I wonder if there is a simpler way.

Best Answer

If you are willing to spend some money you could get a yubikey and then use the Yubico PAM module. With this you can setup two-factor authentication. To login, it would require both your Yubikey and a password.

Related Solutions

RSA Authentication: Cannot get passwordless login with SSH

You should check if you have (sshd_config) :

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

UsePAM yes  <-- That one is usually the last line of the sshd_config

Then that your public key is added to authorized_keys in your ~/.ssh/. The last one (UsePAM yes) is very important, since if disabled it will force you to authenticate with your unix account. PAM is here to say that private key authentication is sufficient to log in. Eventually, if that still don't resolves you may have to check the PAM configuration.

Word – Finding sshd log file

The way to see what is going on on the server is to start the sshd daemon with these options:

  /usr/sbin/sshd -dD

The two options are (from the Man page):

-D When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.

-d      Debug mode.  The server sends verbose debug output to standard error, and does not put itself in the
         background.  The server also will not fork and will only process one connection.  This option is only
         intended for debugging for the server.  Multiple -d options increase the debugging level.  Maximum is
         3.

This should be plenty. For the past, it depends on your distro. I get messages in /var/log/auth.log, but you can search for messages relating to ssh in the same directory by means of

    find /var/log -type f -exec grep -l ssh {} \;

which will output the names of all files containing the expression ssh. You will then have to check their content.

Related Question