Understanding SSH internals is essential for deploying it properly. I have seen many SSH installations that run with the default configuration or are used merely as an encrypted tunnel.
I would recommend deploying the SSH service with both key-based and passphrase-based authentication:
- Clients must have a key pair to authenticate to the server, and vice versa
- The server must have the client's public key
- The client must have the server's public (host) key
A document has recently been uploaded that covers this secure and robust authentication mechanism. It:
- Provides a way for both parties to be assured of each other's identity.
- Secures the server by ensuring that only authorized identities (clients) can connect (key exchange plus passphrase)
- Secures the client by ensuring that it connects only to the intended server (host key fingerprint and hash visualization [4])
- Protects the integrity of system passwords by giving password-less entry to the server using the key and passphrase instead
- Provides a two-way identity verification mechanism
- Provides two-factor authentication for stronger security
- Transportable key files: you can take them to any other machine in the world and use them to access the server; all you need is your key and the passphrase
- Easy to use for end users or clients
- Gives system administrators peace of mind
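To make the recommendation above concrete, here is an added example (my own, not code from the original post or from the uploaded document) that audits an sshd_config and an ssh_config for the key-plus-passphrase posture: the server accepts public keys only and never falls back to passwords, and the client refuses host keys it does not already know. The sample configuration files are constructed for the demonstration; the directive names and defaults are OpenSSH's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config and ssh_config
# for the key-plus-passphrase posture. Sample configs below are constructed.
#
# Manual steps this script does not perform (they need an interactive terminal):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519          # prompts for a passphrase
#   ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server     # server gets client's public key
#   ssh-keygen -lv -f /etc/ssh/ssh_host_ed25519_key.pub  # fingerprint + randomart to pin on the client

# Print the effective value of DIRECTIVE in FILE. OpenSSH honours the first
# uncommented occurrence; if none is present, DEFAULT (OpenSSH's own default)
# applies. Only "Directive value" syntax is handled, not "Directive=value"
# or Match blocks.
effective_value() {
    file=$1; directive=$2; default=$3
    val=$(awk -v d="$directive" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(d) { print $2; exit }
    ' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# require_directive FILE DIRECTIVE DEFAULT ACCEPTED...
# Return 0 if the effective value is one of ACCEPTED, else report and return 1.
require_directive() {
    file=$1; directive=$2; default=$3; shift 3
    actual=$(effective_value "$file" "$directive" "$default")
    for ok in "$@"; do
        if [ "$actual" = "$ok" ]; then return 0; fi
    done
    echo "FAIL: $directive is '$actual' in $file (want one of: $*)" >&2
    return 1
}

# Server side: public keys only, no password or keyboard-interactive fallback,
# and root never authenticates with a password.
audit_sshd_config() {
    rc=0
    require_directive "$1" PubkeyAuthentication yes yes || rc=1
    require_directive "$1" PasswordAuthentication yes no || rc=1
    require_directive "$1" KbdInteractiveAuthentication yes no || rc=1
    require_directive "$1" PermitRootLogin prohibit-password no prohibit-password || rc=1
    return $rc
}

# Client side: the server's host key must already be in known_hosts, so an
# unknown or changed key is a hard failure instead of an interactive prompt,
# and the client never falls back to sending a password.
audit_ssh_config() {
    rc=0
    require_directive "$1" StrictHostKeyChecking ask yes || rc=1
    require_directive "$1" PasswordAuthentication yes no || rc=1
    return $rc
}

# Constructed sample configurations.
WORK=$(mktemp -d)
DEFAULT_SSHD=$WORK/sshd_config.default
HARDENED_SSHD=$WORK/sshd_config.hardened
DEFAULT_SSH=$WORK/ssh_config.default
HARDENED_SSH=$WORK/ssh_config.hardened

cat > "$DEFAULT_SSHD" <<'EOF'
# Stock config: everything commented out, so OpenSSH defaults apply
# (password login allowed).
#PubkeyAuthentication yes
#PasswordAuthentication yes
X11Forwarding yes
EOF

cat > "$HARDENED_SSHD" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF

printf 'StrictHostKeyChecking ask\n' > "$DEFAULT_SSH"
printf 'StrictHostKeyChecking yes\nPasswordAuthentication no\n' > "$HARDENED_SSH"

for f in "$DEFAULT_SSHD" "$HARDENED_SSHD"; do
    audit_sshd_config "$f" && echo "PASS: $f" || echo "FAIL: $f"
done
for f in "$DEFAULT_SSH" "$HARDENED_SSH"; do
    audit_ssh_config "$f" && echo "PASS: $f" || echo "FAIL: $f"
done
```

Run it against the real files (`audit_sshd_config /etc/ssh/sshd_config`, `audit_ssh_config ~/.ssh/config`) after installing the keys. The stock config fails because absent directives inherit OpenSSH's password-friendly defaults, which is exactly why a default deployment does not give you the two-factor property the post describes; note that `sshd -T` prints the fully resolved configuration (including Match blocks) and is the authoritative source on a live host.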
I have uploaded a document to company repository (currently only this document is public):