Background

Using SSH (Secure Shell) with only a password is not recommended because of several security risks. SSH is the protocol used to connect securely to remote computers, but relying on password-only authentication exposes your system to a number of threats.

Why Password-Only Authentication is Risky

  1. Brute Force Attacks: This is a method where automated tools try numerous combinations of passwords until they find the correct one. If your SSH server allows password-only authentication, it becomes a potential target for such attacks.

  2. Weak Passwords: Users might choose simple or easily guessable passwords, making it easier for attackers to break in. On some appliances or software, the vendor's default password is sometimes left in place.

  3. Password Reuse: Many people reuse passwords across different accounts. If one of these accounts is compromised, attackers might use the same password to access your SSH server.

Enhancing SSH Security

To enhance the security of your SSH access, consider the following methods:

Public Key Authentication

Public Key Authentication is a more secure alternative to password-based login. It uses a pair of cryptographic keys: a private key that you keep secure on your device, and a public key that is placed on the server.

  • How It Works: When you try to log in, the server uses the public key to create a challenge that only the corresponding private key can solve. If the solution is correct, access is granted.
  • Advantages:
    • No Passwords: Eliminates the risk associated with weak or reused passwords.
    • Resistance to Brute Force: An attacker would need the private key, which is much harder to obtain than guessing passwords.
    • Ease of Use: Once set up, logging in is often faster and more convenient.
  • How to generate and use SSH keys

Two-Factor Authentication (2FA)

2FA adds an extra layer of security by requiring two forms of verification before granting access. Typically, this involves something you know (a password) and something you have (a verification code from a mobile app or a hardware token).

  • Benefits: Even if an attacker guesses or steals your password, they still need the second factor to gain access.
  • Implementation: Many SSH servers can be configured to support 2FA. You can use tools like Google Authenticator, Authy, or dedicated hardware keys like YubiKey.
  • SSH with passwords and 2FA authentication

Combining Public Key Authentication with 2FA

To go even further, you can combine Public Key Authentication with Two-Factor Authentication. This approach leverages the strengths of both methods, making unauthorized access extremely difficult.

  • How It Works: When you log in, the server first authenticates you using your public key. Once this step is successful, it prompts for the second factor, such as a verification code from a mobile app or a hardware token.
  • Benefits:
    • Double Layer of Security: Even if an attacker somehow obtains your private key, they still need the 2FA token to access the system.
    • Enhanced Protection: This combination protects against both brute force attacks and key theft, significantly improving overall security.
  • SSH with Public Key and 2FA authentication
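As an added example (not part of this article), here is a small POSIX shell audit that reads an sshd_config and reports which of the postures above it implements: password-only, password or key, key-only, or key plus a second factor. It assumes OpenSSH's parsing rules and the directive names PasswordAuthentication, PubkeyAuthentication, KbdInteractiveAuthentication and AuthenticationMethods; the two sample configs are constructed.

```shell
#!/bin/sh
# Constructed example (not from the article): audit an sshd_config and report
# which authentication posture it implements. Assumes OpenSSH parsing rules:
# first occurrence of a keyword wins, keywords are case-insensitive, "keyword
# value" syntax, and anything after a "Match" line is conditional (skipped).

# sshd_get FILE KEYWORD: effective top-level value, or the OpenSSH default
# (PasswordAuthentication/PubkeyAuthentication default to yes,
# AuthenticationMethods defaults to any).
sshd_get() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v k="$k" '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        tolower($1) == "match" { exit }        # stop at conditional blocks
        tolower($1) == k { print $2; exit }    # first value wins
    ' "$1" | tr 'A-Z' 'a-z')
    if [ -z "$v" ]; then
        case "$2" in AuthenticationMethods) v=any ;; *) v=yes ;; esac
    fi
    printf '%s\n' "$v"
}

# sshd_classify FILE: password-only | password-or-key | key-only | key-plus-2fa
sshd_classify() {
    pw=$(sshd_get "$1" PasswordAuthentication)
    pk=$(sshd_get "$1" PubkeyAuthentication)
    am=$(sshd_get "$1" AuthenticationMethods)
    case "$am" in
        publickey,*) echo key-plus-2fa; return ;;   # key AND a second method
    esac
    if [ "$pk" = yes ] && [ "$pw" = no ]; then echo key-only
    elif [ "$pk" = yes ]; then echo password-or-key   # password still accepted
    else echo password-only
    fi
}

# Demo on two constructed configs: the risky appliance default and the hardened one.
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
PubkeyAuthentication no
PasswordAuthentication yes
EOF
cat > "$tmp/hard" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
for f in weak hard; do printf '%s: %s\n' "$f" "$(sshd_classify "$tmp/$f")"; done
```

Run it against a copy of your own /etc/ssh/sshd_config to see which posture the server currently accepts; anything other than key-only or key-plus-2fa means a guessed or reused password is still enough to log in.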

Notes on Fido2 with SSH