
Securing SSH

Secure Shell (SSH) is a cryptographic network protocol that operates at the application layer of the OSI model. Its typical usage is for remote access to Unix systems. SSH was developed as a replacement for unsecured remote shell protocols such as telnet, rsh, rlogin, and rexec. These protocols send all data in cleartext, including the passwords for the systems being accessed.

SSH can be used for numerous tasks, from copying files to forwarding X sessions or browsing the web through an encrypted proxy connection.

Overview

This article will focus on implementing private keys, Google Authenticator, and Yubikey Neo to secure connectivity.

Private Keys

Price: Free

Google Authenticator

Price: Free (assuming you have a smartphone)

Yubikey Neo

Price: 50 dollars

Note, the Yubikey is not a one-trick pony. You can use it as a two-factor device to secure your Google, Dropbox, GitHub and many other online accounts. The Yubikey Neo also features Near Field Communication, allowing you to use it with apps on your NFC-enabled smartphone.

Most of the steps below are also covered in the developer section of the Yubico website.

  1. My testbed for this was a Gen 3B Raspberry Pi. Start by installing git and cloning the source of the Yubico PAM module. You can also follow the guide from Yubico to install the prebuilt packages if you are running Ubuntu, Fedora, or FreeBSD.

     $ sudo apt-get install git
     $ git clone https://github.com/Yubico/yubico-pam.git
    
  2. Install the laundry list of prerequisites needed to build the Yubikey PAM module from source.

     $ sudo apt-get install autoconf automake asciidoc libtool libpam-dev libcurl4-openssl-dev help2man
    
  3. Compile libykclient from source. The version from the apt repo is old and unusable for this project.

     $ git clone https://github.com/Yubico/yubico-c-client.git
     $ cd yubico-c-client/
     $ autoreconf --install
     $ ./configure
     $ make
     $ sudo make install
    

A couple gotchas I ran into while attempting this… libykclient installed from the default repos is version 2.13-1 as of the time of this writing. Version 2.15 or greater is required. I was baffled by the configure error below:

     configure: error: Libykclient v2.15+ required, see https://developers.yubico.com/yubico-c-client/

Hopefully this will save someone else a headache.
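A preflight check for the version gotcha above, to run before `./configure` in yubico-pam. This is an added example, not part of the original post or of Yubico's code. The function names are hypothetical, and the package name `libykclient-dev` is an assumption about the Debian/Raspbian packaging.

```shell
#!/bin/sh
# Added example: preflight for the libykclient version requirement.
REQUIRED="2.15"   # minimum from the configure error quoted on this page

# Strip a Debian epoch ("1:") and revision ("-1"): "2.13-1" -> "2.13".
upstream_version() {
    uv_=${1#*:}
    printf '%s\n' "${uv_%-*}"
}

# Succeed when version $1 >= REQUIRED. Fields are compared numerically,
# so 2.9 < 2.15 (a plain string comparison would get that wrong).
version_ok() {
    awk -v have="$(upstream_version "$1")" -v need="$REQUIRED" 'BEGIN {
        n = split(have, h, "."); m = split(need, r, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            if (h[i] + 0 > r[i] + 0) exit 0
            if (h[i] + 0 < r[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print the packaged version, or nothing if it is not installed.
# Assumption: the Debian/Raspbian development package is libykclient-dev.
installed_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${Version}' libykclient-dev 2>/dev/null || true
}

# preflight [VERSION]: 0 = new enough, 1 = too old, 2 = no package found.
preflight() {
    pkgver=${1:-$(installed_version)}
    if [ -z "$pkgver" ]; then
        echo "no packaged libykclient found: build yubico-c-client from source"
        return 2
    elif version_ok "$pkgver"; then
        echo "libykclient $pkgver satisfies >= $REQUIRED"
    else
        echo "libykclient $pkgver is older than $REQUIRED: yubico-pam configure will fail"
        return 1
    fi
}

# Demo on the version this page reports from the apt repo (no system lookup).
preflight "2.13-1" || true
```

Called without an argument, `preflight` checks only the packaged library; a copy built from source as in step 3 is not visible to `dpkg-query`.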

This post is licensed under CC BY 4.0 by the author.