If you don't have any good reason not to, always set your SSH server to only authenticate with keys.
Anything else is irrelevant.
If you don't have any good reason not to
Spoiler alert: you don't.
This is the internet. If you poke the bear, somebody will come up with a completely reasonable use case of password authentication that happened once somewhere in the world.
Easy. I have servers that are only available on my local network and lots of different devices that I MIGHT want to use to access those servers. I haven't bothered to make sure my key is on EVERY SINGLE DEVICE and some of them, I might not actually even WANT my key on as they're not terribly well secured and they might leave my house (my Windows gaming laptop I haven't used in six months comes to mind).
But for cloud accessible servers... yeah.
You know you're allowed (some might even say supposed) to have different keys for different machines. They're basically free to generate and take up to no space.
I use a different key for every device I need to connect to.
So my phone has separate keys for each SSH server and so does my desktop and laptop.
It's not the most convenient thing in the world but it's not too bad.
Most of the keys are without passphrase but the keys I use to connect to my VPS for example absolutely have a passphrase.
Playing with a Raspberry Pi inside my own home network with nothing important going on and I turned the Pi off when I'm done. Like why worry about it at that point?
Yes, but I usually add my public key to the authorized_keys file and turn off password authentication once I do log in with a password. On top of that, I have an sshpass one-line command that takes care of this for me. It's much easier than trying to manually type a password for the next time. I save it and just run it every time I think about using password login. Next time I need to ssh, I know the password login is not necessary.
# The one-liner as posted, with the quoting fixed (a stray ' after sshd_config broke it) and both redirections changed to append so existing keys and sshd settings are not wiped.
# USER@HOST is a placeholder; run it from a script or after `set +H`, because interactive bash history-expands the "!" in !root even inside double quotes.
sshpass -p 'PASSWORD' ssh USER@HOST "mkdir -p ~/.ssh && chmod 700 ~/.ssh \
  && echo '$(cat ~/.ssh/id_rsa.pub)' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys \
  && printf '%s\n' 'Match User !root' '    PasswordAuthentication no' 'Match all' >> /etc/ssh/sshd_config \
  && exit" && ssh USER@HOST
At the next reboot, your system will now only accept key logins, except for root. I hope the root user password is secure. I don't require it for root because if a hacker does gain shell access, a password (or priv-esc exploit) is all they need to gain root shell. It is also a safety net in case you need to log in and lost your private key.
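The Match block above works because of how sshd reads its config, and that same rule is also the usual way a "PasswordAuthentication no" line silently fails to do anything. The following is an added example, not the commenter's script: a small POSIX sh/awk evaluator that reproduces sshd's precedence rules (first value in the global section wins; lines after a Match header apply only when that Match line is satisfied; among satisfied Match blocks the first one carrying the keyword wins) and reports what a given user would actually get. It is an assumption of this example that only `Match all` and `Match User name[,!name...]` criteria are understood and that `Include` directives are not followed; the two config files it writes are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate an sshd_config keyword for a user,
# following sshd's precedence rules. Assumptions: only "Match all" and
# "Match User ..." criteria are modelled, Include is not followed.

# Usage: sshd_effective FILE KEYWORD BUILTIN_DEFAULT USER  -> prints the value
sshd_effective() {
    awk -v key="$2" -v def="$3" -v user="$4" '
        # Does the Match line in the current record apply to "user"?
        function block_applies(   i, n, names, crit, neg) {
            if (tolower($2) == "all") return 1
            if (tolower($2) == "user" && NF >= 3) {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) {
                    crit = names[i]; neg = 0
                    if (substr(crit, 1, 1) == "!") { neg = 1; crit = substr(crit, 2) }
                    if (crit == user) return !neg      # explicit hit or explicit exclusion
                }
                return neg   # all-negated list with no hit applies; positive list with no hit does not
            }
            return 0         # other criteria (Address, Group, ...) are treated as not applying
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                               # comments and blank lines
        tolower($1) == "match" { in_match = 1; applies = block_applies(); next }
        tolower($1) != tolower(key) { next }
        in_match && applies && mval == "" { mval = tolower($2) }        # first satisfied Match wins
        !in_match && gval == "" { gval = tolower($2) }                  # first global value wins
        END { if (mval != "") print mval; else if (gval != "") print gval; else print tolower(def) }
    ' "$1"
}

# Succeeds (exit 0) when USER can still log in with a password according to FILE.
sshd_password_login_possible() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes "$2")" = yes ]
}

# Constructed sample mirroring the thread's approach: everyone but root is key-only.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User !root
    PasswordAuthentication no
Match all
    PasswordAuthentication yes
EOF
}

# Constructed sample of a common mistake: both "no" lines sit under a Match block for
# one user, so the built-in default (yes) still applies to every other account.
write_mistaken_config() {
    cat > "$1" <<'EOF'
Match User deploy
    PasswordAuthentication no
PasswordAuthentication no
EOF
}

# Stand-alone demo: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_config "$f"
    for u in alice root; do
        printf '%s: PasswordAuthentication=%s\n' "$u" \
            "$(sshd_effective "$f" PasswordAuthentication yes "$u")"
    done
    rm -f "$f"
fi
```

On a real host the authoritative check is `sshd -T -C user=alice` (add `host=`/`addr=` to the `-C` spec as needed), which evaluates the full config including `Include`d files; the script above only makes the precedence rules visible on a file you can inspect offline.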
Yeah, that's not a good reason.
It's much easier to authorize a key than to input your password on every kind of interaction.
If there is, I'd love to hear it. But even JuiceSSH on Android has supported keys for like the last decade.
30 character password + fail2ban after one failed attempt. Why not?
WCGW?
Tell me
Accidentally typo your password and get blocked. And if you're tunneling over tor, you've blocked 127.0.0.1 which means now nobody can login.
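To make the lockout scenario concrete, here is an added example (not the commenter's fail2ban config): a miniature fail2ban-style counter over sshd auth log lines with the two knobs that matter, `maxretry` and an ignore list, run against constructed sample lines in the stock OpenSSH "Failed password ... from <ip>" format (an assumption of this example). With `maxretry` of 1 and an empty ignore list, the single mistyped local login bans 127.0.0.1, which is every client if they all arrive through a local Tor or SOCKS proxy; adding 127.0.0.1 to the ignore list is the usual fix.

```shell
#!/bin/sh
# Added example (not from the thread): count "Failed password" lines per source
# address the way a fail2ban sshd jail would, honouring maxretry and an ignore list.

# Constructed sample auth log (not real traffic; the key fingerprint is a placeholder).
sample_auth_log() {
    cat <<'EOF'
Apr 10 23:50:01 vps sshd[1201]: Failed password for alice from 127.0.0.1 port 40122 ssh2
Apr 10 23:50:09 vps sshd[1203]: Accepted publickey for alice from 127.0.0.1 port 40130 ssh2: ED25519 SHA256:placeholder
Apr 10 23:51:40 vps sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Apr 10 23:51:41 vps sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
EOF
}

# Usage: ban_candidates MAXRETRY "IGNORE_IP ..."  (log on stdin)
# Prints "ip count" for every source whose failed-password count reaches MAXRETRY,
# skipping addresses in the space-separated ignore list (fail2ban's ignoreip).
ban_candidates() {
    awk -v maxretry="$1" -v ignore=" $2 " '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (index(ignore, " " ip " ") == 0) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip] }
    ' | sort
}

# Stand-alone demo: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    echo "maxretry=1, no ignore list (locks out the local proxy address):"
    sample_auth_log | ban_candidates 1 ""
    echo "maxretry=1, ignoreip 127.0.0.1:"
    sample_auth_log | ban_candidates 1 "127.0.0.1"
fi
```

The same lines fed through `ban_candidates 1 ""` list both 127.0.0.1 and 203.0.113.7; with 127.0.0.1 in the ignore list only the remote brute-forcer remains.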
How is a typo possible if one is using a password manager?
Not OP but I've accidentally fingered another key a split second before hitting enter a few times. It's not implausible.
True, but I thought we are talking about security here...?
30 character
You've gotta pump those numbers, those are rookie numbers. (I have a vps that has several times that figure)
Did you read my message? After one failed attempt you will get banned.
But
30 characters
:P
Disabling root login and password auth, using a non-standard port and updating regularly works for me for this exact use case.
There are several things you can and should do to harden your server; many of them can be found here.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| IP | Internet Protocol |
| SSH | Secure Shell for remote terminal access |
| TCP | Transmission Control Protocol, most often over IP |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
6 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.
[Thread #671 for this sub, first seen 10th Apr 2024, 23:55]