Disabling Password-based SSH

By Dan Aukes

first, remember to add a public key to your .ssh/authorized keys so you can still log in remotely.

echo "<public key info here>" >> /.ssh/authorized_keys

test your current keys:

sudo sshd -t

retrieve your current config

sudo sshd -T

from here:

save the original file:

sudo cp /etc/ssh/moduli /etc/ssh/moduli.old

enter root mode

sudo -i

paste in the following to remove small moduli

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
exit

Harden your config

Client Side

Regenerate your keys

sudo rm -f /etc/ssh/ssh_host_*key*

sudo ssh-keygen -o -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
sudo ssh-keygen -o -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key

Host *
    Protocol 2
    HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
    StrictHostKeyChecking ask
    VerifyHostKeyDNS ask
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted no
    PermitLocalCommand no
    HashKnownHosts yes
    TCPKeepAlive yes
    SendEnv LANG LC_*

Server-Side

create a new group and add

sudo groupadd --system ssh-users
sudo usermod -a -G ssh-users $USER

Regenerate your keys

sudo rm -f /etc/ssh/ssh_host_*key*

sudo ssh-keygen -o -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
sudo ssh-keygen -o -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key

NUM=$(ls -1 /etc/ssh/sshd_config.d/99-local-sshd.conf* | wc -l)
sudo cp "/etc/ssh/sshd_config.d/99-local-sshd.conf" "/etc/ssh/sshd_config.d/99-local-sshd.conf.bak.$NUM"
cat << EOT | sudo tee /etc/ssh/sshd_config.d/99-local-sshd.conf
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

PermitRootLogin prohibit-password
AllowGroups ssh-users

PubkeyAuthentication yes

ChallengeResponseAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no

HostbasedAuthentication no
IgnoreRhosts yes
EOT
sudo systemctl restart ssh

summary: ""

Harden your config (old)

Derived from this link and this link


cat <<EOT | sudo tee  /etc/ssh/sshd_config.d/99-local-sshd.conf

# AllowUsers username1 username2

# Port 23456

IgnoreRhosts yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

# UsePAM no

MaxAuthTries 3
LoginGraceTime 20
PermitUserEnvironment no
DebianBanner no

# adjust the following to fit your needs and "threat profile"

X11Forwarding yes
AllowAgentForwarding yes
AllowTcpForwarding yes
PermitTunnel yes

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# HostKey /etc/ssh/ssh_host_ecdsa_key

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com

# hardening guide

KexAlgorithms curve25519-sha256,<curve25519-sha256@libssh.org>,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers <chacha20-poly1305@openssh.com>,<aes256-gcm@openssh.com>,<aes128-gcm@openssh.com>,aes256-ctr,aes192-ctr,aes128-ctr
MACs <hmac-sha2-256-etm@openssh.com>,<hmac-sha2-512-etm@openssh.com>,<umac-128-etm@openssh.com>
HostKeyAlgorithms ssh-ed25519,<ssh-ed25519-cert-v01@openssh.com>,<sk-ssh-ed25519@openssh.com>,<sk-ssh-ed25519-cert-v01@openssh.com>,rsa-sha2-256,rsa-sha2-512,<rsa-sha2-256-cert-v01@openssh.com>,<rsa-sha2-512-cert-v01@openssh.com>

LogLevel VERBOSE

ClientAliveInterval 300
ClientAliveCountMax 0

EOT

sudo chmod 644 /etc/ssh/sshd_config.d/99-local-sshd.conf
sudo systemctl restart ssh

References

New in 2024