Saturday, February 3, 2018

linux - SSH key-based authentication best practice



One of the security processes that we are thinking of changing is the way we allow users to access our servers. We have about 20 web servers where the only access is SSH and at the moment we use password authentication. With key-base authentication being more secure I have to consider how best to manage this process.



If we have 8 remote users all using different machines how do we control the key authentication as each of these machines will need the key to the server. Is the management done at the client level or the server level? What happens when the user changes his laptop or tries to remote in from a different machine/location?




Barring this we are looking at:



- Changing the SSH port
- We already have root disabled
- Looking at google-authenticator using PAM
- Whitelist IP's for server access?
- Secure SSH server for server hopping?



Anything else missed?


Answer



Each user should generate their own key pair and provide you with a copy of the public key which you will put into the appropriate AuthorizedKeysFile (normally ~/.ssh/authorized_keys) or they can put it in their own ~/.ssh/authorized_keys file.



They should be required to set a pass phrase on the private key. When they change laptop they simply take a copy of the private key with them (it's a simple text file).




If your users have a smartphone then you can add 2-step authentication (a good thing anyway) using a service like Duo (which is quite easy to install and set up) or, as you note, google auth.
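The answer's workflow put into a script, as an added example that is not from the original thread: each user hands you their public key, you validate the line, append it to the target account's authorized_keys without adding the same key twice, and set the permissions sshd's StrictModes checks. An optional `from=` option ties the key to an address range, which is one way to do the IP whitelisting the question asks about. All paths and key blobs are constructed; nothing touches a real server.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes POSIX sh with grep and awk.
# All paths and key material below are constructed for illustration.

# validate_pubkey LINE: returns 0 if LINE is a single OpenSSH public-key line
validate_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .+)?$'
}

# install_authorized_key KEYFILE PUBKEY_LINE [OPTIONS]
# OPTIONS such as from="203.0.113.0/24" are prefixed to restrict where the key works.
# Returns 0 if added, 1 if the same key blob is already present, 2 if rejected.
install_authorized_key() {
    keyfile=$1; pubkey=$2; opts=${3:-}
    validate_pubkey "$pubkey" || { echo "rejected: not a public key line" >&2; return 2; }
    blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    dir=$(dirname "$keyfile")
    # sshd refuses keys from a world-writable ~/.ssh or authorized_keys under StrictModes
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"
    # Duplicate check on the base64 blob, so a re-sent key with a new comment
    # (user moved laptops) is not added twice. Assumes options without embedded spaces.
    if awk -v b="$blob" '
        $1 ~ /^(ssh-|ecdsa-)/ && $2 == b { found = 1 }
        $2 ~ /^(ssh-|ecdsa-)/ && $3 == b { found = 1 }
        END { exit !found }' "$keyfile"; then
        echo "already present, not added again" >&2
        return 1
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$pubkey" >> "$keyfile"
    else
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
}

# count_keys KEYFILE: number of non-blank, non-comment lines
count_keys() {
    grep -Ec '^[^#[:space:]]' "$1"
}
```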

