
How to Set Up a Passwordless SSH Key or Google 2FA (NOT BOTH)

Below are two options for securing SSH on port 22 of Linux machines, in addition to ZotDefend. The reason we want to do this is that port 22 may be opened to the public, not only to the UCI network, so anyone can attempt to access the machine and try to brute-force account passwords.

Setting up Passwordless SSH-key

ssh-keygen

You use the tool “ssh-keygen” to create your public-private key pair. Depending on what you need to do, there are many options available. I assume you don't have a key created yet and you will be fine using either DSA or RSA with the standard number of bits (1024 bits for DSA and 2048 bits for RSA); the example below uses the newer Ed25519 type, which has a fixed key size and no bit-length option.

[user@host ~]$ ssh-keygen -t ed25519 -C "Add a Description to easily tell which machine this belongs to"
Generating public/private key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): [Enter to leave default]
Enter passphrase (empty for no passphrase): [Enter to leave empty]
Enter same passphrase: [Enter to leave empty]

You should leave the default values above by simply hitting Enter three times. The private key is created in id_ed25519 and the matching public key is id_ed25519.pub. The id_ed25519 file name is what ssh will look for when attempting public-key authentication (unless specified differently with the IdentityFile option in /etc/ssh/ssh_config).

Distributing your public key

The *.pub file needs to be appended to the ~/.ssh/authorized_keys file to be recognized by ssh. This must be done on every remote host you wish to connect to using public-key authentication. Be sure each key starts on its own line, since many users may need to connect to the machine and each must be able to add their own public key to the authorized_keys file. The commands below should do it:

[user@localhost ~]$ scp ~/.ssh/id_ed25519.pub user@remotehost:/home/user/.ssh/my_id.pub
Enter password for user@remotehost:
[user@localhost ~]$ ssh user@remotehost
Enter Password
# That's the last time you'll be entering your password!
[user@remotehost ~]$ cd .ssh
[user@remotehost .ssh]$ cat my_id.pub >> authorized_keys
[user@remotehost .ssh]$ rm my_id.pub

Setting correct permissions

On both local and remote hosts, the permissions need to be set as follows if not already set:

[user@host ~]$ chmod 700 .ssh
[user@host ~]$ cd .ssh
[user@host .ssh]$ chmod 600 *
[user@host .ssh]$ chmod go+r known_hosts

How to: Disable SSH Password Authentication

Disabling Password Authentication is generally as simple as setting the option PasswordAuthentication no in the /etc/ssh/sshd_config file and then restarting the sshd service.

However, we've discovered that some Linux distributions add another configuration file, /etc/ssh/sshd_config.d/50-cloud-init.conf, which contains PasswordAuthentication yes and so forces password authentication to stay enabled.

Therefore, the easiest way to universally disable password authentication is to create a new file in /etc/ssh/sshd_config.d/ that sorts lexicographically before any other file that might be created there, such as 00-disable-password-auth.conf. This works because sshd uses the first value it obtains for each option, and the Include line in sshd_config reads the drop-in files in sorted order, so the 00- file is seen before 50-cloud-init.conf. The file contains a single line:

PasswordAuthentication no

After setting the PasswordAuthentication option to no you must reload the sshd daemon to get this setting to take effect:

  • on Debian/Ubuntu:
    systemctl reload ssh
  • on RHEL/Rocky:
    systemctl reload sshd
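To see why the file name matters, here is an added example (not from the original page) that emulates sshd's "first obtained value wins" rule over a constructed copy of the Ubuntu layout above: the 50-cloud-init.conf drop-in, a drop-in that sorts after it, and the 00-disable-password-auth.conf fix. It assumes the config only uses plain "Keyword value" lines (no Match blocks).

```shell
#!/bin/sh
# Added example (not from the original page): emulates sshd's rule that the
# first value obtained for a keyword wins, with Include globs read in sorted
# order, to show why a drop-in named 00-*.conf overrides 50-cloud-init.conf
# while a 99-*.conf would not. Only plain "Keyword value" lines are handled;
# Match blocks and the Keyword=value form are out of scope here.

# _walk FILE KEYWORD: print the first value of KEYWORD in FILE, descending
# into Include'd files at the point the directive appears. Returns 1 if absent.
_walk() {
    cfg=$1; kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while read -r key val || [ -n "$key" ]; do
        case $key in ''|\#*) continue ;; esac          # blank or comment line
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')     # keywords are case-insensitive
        if [ "$key" = include ]; then
            for f in $val; do                          # unquoted: glob expands, sorted
                [ -f "$f" ] && _walk "$f" "$kw" && return 0
            done
        elif [ "$key" = "$kw" ]; then
            printf '%s\n' "$val"; return 0
        fi
    done < "$cfg"
    return 1
}

# effective_value KEYWORD MAIN_CONFIG: what "sshd -T" would report for KEYWORD,
# or "unset" when no file sets it (sshd would then apply its built-in default).
effective_value() { _walk "$2" "$1" || printf 'unset\n'; }

# demo: constructed copy of the Ubuntu layout described above, in a temp dir.
demo() {
    d=$(mktemp -d); mkdir -p "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication yes\n' "$d" > "$d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    cloud_init=$(effective_value PasswordAuthentication "$d/sshd_config")
    printf 'PasswordAuthentication no\n' > "$d/sshd_config.d/99-too-late.conf"
    too_late=$(effective_value PasswordAuthentication "$d/sshd_config")
    printf 'PasswordAuthentication no\n' > "$d/sshd_config.d/00-disable-password-auth.conf"
    fixed=$(effective_value PasswordAuthentication "$d/sshd_config")
    rm -rf "$d"
    printf '%s %s %s\n' "$cloud_init" "$too_late" "$fixed"   # prints: yes yes no
}
demo
```

On a real host, run `sshd -t` to syntax-check the files before reloading and `sshd -T | grep -i passwordauthentication` to confirm the effective value.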



Google Authenticator MFA

Ubuntu

  1. Install libpam-google-authenticator:
    apt install libpam-google-authenticator
  2. Configure SSH, edit /etc/ssh/sshd_config:
    #uncomment
    PasswordAuthentication yes
    #uncomment and set to yes
    KbdInteractiveAuthentication yes
  3. Restart SSHD Service:
    systemctl restart ssh
  4. Add this line to /etc/pam.d/sshd after the line @include common-auth:
    auth required pam_google_authenticator.so nullok echo_verification_code
    • NOTE: nullok means Google Authenticator is not required for accounts that have not set it up yet (no ~/.google_authenticator file). You MUST keep it until all users have configured google-authenticator. Then remove it to enforce 2FA.
    • WARNING If you make changes to any pam config files, make sure you have a second terminal open as root so that you can always get in to revert the change. PAM can very easily break all authentication so that you can't get in to the system any more. Double check any changes right away. Don't let the 15 minute auto logout lock you out…
  5. To enforce 2FA for other services, modify the appropriate pam config file for that service
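Before removing nullok, you need to know which accounts have not yet run google-authenticator. The added check below (not from the original page) lists login-capable accounts whose home directory lacks a ~/.google_authenticator file; it assumes a passwd-format file (default /etc/passwd) and Ubuntu's UID_MIN of 1000 for human accounts.

```shell
#!/bin/sh
# Added example (not from the original page): reports login accounts that have
# not yet run google-authenticator, i.e. have no ~/.google_authenticator file.
# Run it before removing "nullok" from /etc/pam.d/sshd; while it lists anyone,
# dropping nullok would lock those users out of SSH. Assumptions: a passwd-format
# file (default /etc/passwd) and Ubuntu's UID_MIN of 1000 for human accounts.

# unenrolled_users [PASSWD_FILE]: print one user name per line for each
# login-capable account (root or UID >= 1000 with an interactive shell) whose
# home directory lacks .google_authenticator. Returns 0 only when none remain.
unenrolled_users() {
    pending=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $shell in ''|*/nologin|*/false) continue ;; esac   # cannot log in anyway
        [ "$uid" -eq 0 ] || [ "$uid" -ge 1000 ] || continue    # skip system accounts
        if [ ! -f "$home/.google_authenticator" ]; then
            printf '%s\n' "$user"; pending=1
        fi
    done < "${1:-/etc/passwd}"
    return $pending
}

# demo: constructed passwd file and home directories in a temp dir; alice has
# enrolled, root and bob have not, sshd is a system account and is ignored.
demo() {
    d=$(mktemp -d); mkdir -p "$d/root" "$d/home/alice" "$d/home/bob"
    printf '%s\n' \
        "root:x:0:0:root:$d/root:/bin/bash" \
        "sshd:x:108:65534::/run/sshd:/usr/sbin/nologin" \
        "alice:x:1000:1000::$d/home/alice:/bin/bash" \
        "bob:x:1001:1001::$d/home/bob:/bin/bash" > "$d/passwd"
    : > "$d/home/alice/.google_authenticator"
    unenrolled_users "$d/passwd" && rc=0 || rc=$?   # prints root and bob, rc=1
    rm -rf "$d"
    return $rc
}
if demo; then echo "all enrolled: safe to remove nullok"; else echo "nullok still needed"; fi
```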

Set up google authenticator for each user account

Users must set up their own google authenticator:

  1. Log in via SSH using a password
  2. Run the command:
    google-authenticator
  3. Follow prompts to get a QR code (NOTE: Have the user maximize their SSH app window so the QR code is drawn properly and doesn't wrap around the screen)
  4. Scan the QR code using your Google Authenticator app on your phone
  5. Enter the 6-digit code, or -1 to skip
  6. Complete the setup by answering questions:
    1. Update your “/home/your_account_home_here/.google_authenticator” file: y
    2. Time-based: y
    3. Disallow multiple uses of the same code (prevent man-in-the-middle attacks): y
    4. Permit time skew up to 4 minutes: n
    5. Enable rate-limiting: y
  7. Copy your backup codes somewhere safe. You can also view your backup codes by looking in the ~/.google_authenticator file.

Disabling Google Auth

  • Disable Google Authenticator 2FA for a specific user account by moving/renaming that account's ~/.google_authenticator file
    (NOTE: This only works while nullok is present in the PAM config above!)
howto/sshkey_google2fa.1747083793.txt.gz · Last modified: 2025/05/12 21:03 by justip6