Securing SSH access to your VPS
When we provision your server we enable root login using a password. Because we generate a very strong password this provides ample security; however, it is not very convenient to remember or type in. Since you will probably want to change the password to one that is less random, we recommend setting up identity based access instead.
Identity based access
SSH can allow you to login using an identity, which is a public and private key pair. The server is configured to accept certain public keys, on a per user basis. The private key is held on the client, and should be protected by a strong passphrase.
When the client connects it will prompt you for the passphrase to unlock the private key, and then uses this key to login to the server.
Creating and using identities on UNIX
To generate an identity, run ssh-keygen from the command line.
desktop $ ssh-keygen -t rsa
It will create two files, ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. To authorize this identity on the server you need to place the public key in ~/.ssh/authorized_keys for the target user(s).
root@vps $ mkdir -p ~/.ssh
root@vps $ chmod 0700 ~/.ssh
root@vps $ touch ~/.ssh/authorized_keys
root@vps $ chmod 0600 ~/.ssh/authorized_keys
root@vps $ vi ~/.ssh/authorized_keys
After using vi (or your preferred editor) to add the line from id_rsa.pub you should now be able to log in using your identity. If all has gone well it should ask you for your identity's passphrase, and not the user's password on the server.
Tightening security on the VPS
Once you have identity based access working it is best to turn off password authentication, making your VPS immune to brute force dictionary attacks.
To do this you must make some changes in /etc/ssh/sshd_config and restart SSH. Once SSH has restarted it is advisable to test you can still connect before you log out of your established connection, as this way you can recover from any problems that might arise.
Start by backing up the original config file, and then edit it.
root@vps $ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
root@vps $ vi /etc/ssh/sshd_config
To disable password authentication you will need to set ChallengeResponseAuthentication and PasswordAuthentication to no. These lines are probably already present in the config file, but they might be commented out. After you have finished they should look like:
PasswordAuthentication no
ChallengeResponseAuthentication no
Finally, restart sshd and then check you can still connect using another connection.
root@vps $ /etc/init.d/ssh restart
# in some distributions this might be
root@vps $ /etc/init.d/sshd restart
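The following check is an added example, not part of the original guide: it reports whether both directives are effectively set to no, catching the cases where a line is still commented out or an earlier line sets a different value (sshd uses the first value it finds for a keyword). The function names effective_value and password_auth_disabled are hypothetical; the script reads only the global section of the file (it stops at the first Match line) and does not follow Include directives.

```shell
#!/bin/sh
# effective_value FILE KEYWORD
# Print the first uncommented value of KEYWORD in the global section of FILE.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { sub(/=/, " ") }                       # accept the "Keyword=value" form
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == want { print $2; exit }  # keywords are case-insensitive
    ' "$1"
}

# password_auth_disabled FILE
# Return 0 only if both directives from the guide are explicitly "no".
# A missing or commented-out directive falls back to the default (yes).
password_auth_disabled() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "ok:   $kw no"
        else
            echo "FAIL: $kw is '${val:-unset, default yes}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: one directive was left commented out.
sample=$(mktemp)
printf '%s\n' '#PasswordAuthentication yes' \
              'ChallengeResponseAuthentication no' > "$sample"
password_auth_disabled "$sample" || echo "password logins are still possible"
rm -f "$sample"
```

Run password_auth_disabled /etc/ssh/sshd_config after editing and before restarting; sshd -t additionally checks the file for syntax errors.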
Direct root login considerations
It is often recommended that direct root access should be blocked. This means it is necessary to log in as a regular user and then su or sudo to escalate privileges. This is quite sensible when allowing password authentication, as it forces any attackers to guess usernames as well as passwords.
Unfortunately this practice also has a drawback. Anyone gaining access to your account by any means will have an easy time installing a logger so the next time you su or sudo they have everything needed to escalate to root themselves.
Since the root account is often much harder to crack than any other account on the system, this is an attack vector worth avoiding. Once you have switched to identity based access, and removed password access, we recommend that you SSH straight into root rather than going via another user account.