Advanced Authentication Hardening

Strong authentication forms the cornerstone of SSH security. Implement multiple authentication factors and advanced key management practices to ensure only authorized users gain access.

Configure certificate-based authentication:

#!/bin/bash
# setup-ssh-certificates.sh
# Implement SSH certificate authority
set -euo pipefail

# Create CA directory structure
CA_DIR="/etc/ssh/ca"
mkdir -p "$CA_DIR"/{private,public,certs,revoked}
chmod 700 "$CA_DIR/private"

# Generate CA key pair. -N "" leaves the CA private key unencrypted so the
# signing script can run unattended; the directory permissions above are then
# the only protection, so keep the CA on a dedicated, tightly controlled host.
ssh-keygen -t ed25519 -f "$CA_DIR/private/ca_key" -N "" -C "SSH Certificate Authority"
cp "$CA_DIR/private/ca_key.pub" "$CA_DIR/public/"

# Create an empty key revocation list (KRL). sshd fails closed if the file named
# by RevokedKeys is missing, so it must exist before that directive is added.
# Guarded so a re-run does not overwrite an existing KRL with an empty one.
KRL="$CA_DIR/revoked/revoked_keys.krl"
[ -f "$KRL" ] || ssh-keygen -k -f "$KRL"

# Create certificate signing script
cat > "$CA_DIR/sign-user-key.sh" << 'EOF'
#!/bin/bash
# Sign user SSH keys with CA
set -euo pipefail

if [ $# -lt 3 ]; then
    echo "Usage: $0 <username> <public-key-file> <validity-period>"
    echo "Example: $0 john john_key.pub 52w"
    exit 1
fi

USERNAME=$1
PUBKEY=$2
VALIDITY=$3
SERIAL=$(date +%s)   # the issue time doubles as a unique, increasing serial

if [ ! -f "$PUBKEY" ]; then
    echo "Public key file not found: $PUBKEY" >&2
    exit 1
fi

# Sign the key: the principal (-n) restricts the certificate to this user's
# account and -V "+$VALIDITY" sets an expiry relative to the time of signing
ssh-keygen -s /etc/ssh/ca/private/ca_key \
    -I "${USERNAME}_cert" \
    -n "$USERNAME" \
    -V "+$VALIDITY" \
    -z "$SERIAL" \
    "$PUBKEY"

# Log certificate creation
echo "$(date): Issued certificate serial $SERIAL for $USERNAME, valid for $VALIDITY" >> /etc/ssh/ca/certificate.log

# Copy certificate to certs directory
cp "${PUBKEY%.pub}-cert.pub" "/etc/ssh/ca/certs/"
EOF

chmod +x "$CA_DIR/sign-user-key.sh"

# Configure sshd to trust the CA and to consult the KRL (guarded so re-running
# this script does not append duplicate directives)
grep -q '^TrustedUserCAKeys ' /etc/ssh/sshd_config || \
    echo "TrustedUserCAKeys /etc/ssh/ca/public/ca_key.pub" >> /etc/ssh/sshd_config
grep -q '^RevokedKeys ' /etc/ssh/sshd_config || \
    echo "RevokedKeys /etc/ssh/ca/revoked/revoked_keys.krl" >> /etc/ssh/sshd_config

# Implement certificate revocation
cat > "$CA_DIR/revoke-certificate.sh" << 'EOF'
#!/bin/bash
# Revoke an SSH certificate by serial number
set -euo pipefail

if [ $# -ne 1 ]; then
    echo "Usage: $0 <serial>"
    exit 1
fi

SERIAL=$1
KRL=/etc/ssh/ca/revoked/revoked_keys.krl
CA_PUB=/etc/ssh/ca/public/ca_key.pub

# The KRL is a binary file, so the "serial: N" spec line goes through a
# temporary file (and into a plain-text audit record) instead of being
# appended to the KRL itself. Revoking by serial requires the CA key (-s)
# because serial numbers are only unique per CA; -u updates the existing KRL.
SPEC=$(mktemp)
printf 'serial: %s\n' "$SERIAL" | tee -a /etc/ssh/ca/revoked/revoked_serials.txt > "$SPEC"
ssh-keygen -k -f "$KRL" -u -s "$CA_PUB" "$SPEC"
rm -f "$SPEC"
echo "$(date): Revoked certificate serial $SERIAL" >> /etc/ssh/ca/certificate.log

sshd -t && systemctl reload sshd
EOF

chmod +x "$CA_DIR/revoke-certificate.sh"

# Validate and apply the sshd configuration
sshd -t && systemctl reload sshd
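Before relying on the signing and revocation scripts above, it is worth confirming that the ssh-keygen flow they wrap actually rejects a revoked certificate. The following is an added example, not part of the original page: it runs the same commands in a throwaway directory (nothing under /etc/ssh is touched), issues a certificate with a constructed serial, checks that a KRL revoking an unrelated serial leaves it valid, then revokes its own serial with -u and checks that the KRL now matches it. The key, file and principal names are assumptions for the test fixture.

```shell
#!/bin/sh
# Added example (not from the page): exercise the CA, signing and KRL flow
# end to end in a temporary directory. Needs ssh-keygen (OpenSSH 6.2+ for KRLs).

# Issue a cert, confirm a KRL for another serial does not match it, then revoke
# its own serial and confirm it matches. Prints "revoked" on success, "valid" if
# the revocation did not take effect.
ca_lifecycle_check() {
    work=$(mktemp -d) || return 1
    ca="$work/ca_key"
    user="$work/alice_key"
    krl="$work/revoked_keys.krl"
    serial=424242   # constructed; sign-user-key.sh uses the issue time instead

    # CA and user key pairs (no passphrase only because this is a test fixture)
    ssh-keygen -q -t ed25519 -f "$ca" -N "" -C "test CA"
    ssh-keygen -q -t ed25519 -f "$user" -N "" -C "alice test key"

    # Same flags as sign-user-key.sh, with a one-hour validity
    ssh-keygen -q -s "$ca" -I alice_cert -n alice -V +1h -z "$serial" "$user.pub"
    cert="$user-cert.pub"

    # Create the KRL with an unrelated serial. Revocation by serial needs the
    # CA public key (-s) because serials are only unique per CA.
    printf 'serial: 1\n' > "$work/spec"
    ssh-keygen -k -f "$krl" -s "$ca.pub" "$work/spec" >/dev/null 2>&1

    # -Q exits 0 when none of the listed keys is in the KRL
    if ! ssh-keygen -Q -f "$krl" "$cert" >/dev/null 2>&1; then
        rm -rf "$work"
        echo "error: unrevoked certificate matched the KRL" >&2
        return 1
    fi

    # Revoke the certificate's own serial, updating the existing KRL (-u)
    printf 'serial: %s\n' "$serial" > "$work/spec"
    ssh-keygen -k -f "$krl" -u -s "$ca.pub" "$work/spec" >/dev/null 2>&1

    # -Q exits non-zero once any listed key is revoked
    if ssh-keygen -Q -f "$krl" "$cert" >/dev/null 2>&1; then
        result=valid
    else
        result=revoked
    fi
    rm -rf "$work"
    echo "$result"
}

ca_lifecycle_check
```

The same `ssh-keygen -Q -f <krl> <cert>` check is what to run against the production KRL when a user reports being locked out: it tells you whether the KRL, rather than an expired certificate or a principal mismatch, is the cause.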
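The certificate.log that sign-user-key.sh appends to carries enough to audit certificate lifetimes without touching the certificates themselves: the serial is the issue time in epoch seconds, and -V +VALIDITY is relative to that same moment, so expiry is serial plus validity. The following added example (not from the original page) parses constructed sample log lines in exactly that format and reports certificates that are expired or will expire within a given window; the function names and sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): report expired and soon-to-expire
# certificates from the log format written by sign-user-key.sh. Works because
# that script uses the issue time as the serial and signs with "-V +VALIDITY",
# so expiry = serial + validity (to within the second between the two calls).

# Constructed sample lines in the exact format sign-user-key.sh writes
SAMPLE_LOG='Mon Jan  1 10:00:00 UTC 2024: Issued certificate serial 1704103200 for alice, valid for 52w
Mon Jan  1 11:00:00 UTC 2024: Issued certificate serial 1704106800 for bob, valid for 30d
Tue Jan  2 09:00:00 UTC 2024: Issued certificate serial 1704186000 for carol, valid for 12h
Tue Dec 19 15:33:20 UTC 2023: Issued certificate serial 1703000000 for dave, valid for 1d'

# Convert an ssh-keygen relative validity (N followed by s, m, h, d or w) to seconds
validity_to_seconds() {
    n=${1%?}
    unit=${1#"$n"}
    case "$n" in ''|*[!0-9]*) echo "bad validity: $1" >&2; return 1 ;; esac
    case "$unit" in
        w) echo $((n * 604800)) ;;
        d) echo $((n * 86400)) ;;
        h) echo $((n * 3600)) ;;
        m) echo $((n * 60)) ;;
        s) echo "$n" ;;
        *) echo "bad validity: $1" >&2; return 1 ;;
    esac
}

# Read certificate.log lines on stdin and print "expired|expiring user serial expiry"
# for each certificate whose expiry falls before $1 (now, epoch) + $2 (window, seconds).
# Revocation entries and anything else in the log are skipped.
certs_expiring() {
    now=$1
    window=$2
    while IFS= read -r line; do
        case "$line" in *"Issued certificate serial "*) ;; *) continue ;; esac
        serial=$(printf '%s\n' "$line" | sed -n 's/.*serial \([0-9][0-9]*\) for .*/\1/p')
        user=$(printf '%s\n' "$line" | sed -n 's/.* for \([^,]*\), valid for .*/\1/p')
        validity=${line##*valid for }
        secs=$(validity_to_seconds "$validity") || continue
        expiry=$((serial + secs))
        if [ "$expiry" -le "$now" ]; then
            printf 'expired %s %s %s\n' "$user" "$serial" "$expiry"
        elif [ "$expiry" -le $((now + window)) ]; then
            printf 'expiring %s %s %s\n' "$user" "$serial" "$expiry"
        fi
    done
}

# Against the real log: certs_expiring "$(date +%s)" 604800 < /etc/ssh/ca/certificate.log
# Here a constructed "now" (2024-01-02 12:53:20 UTC) and a seven-day window
printf '%s\n' "$SAMPLE_LOG" | certs_expiring 1704200000 604800
```

Feeding the output into the revocation script is deliberately left to the operator: an expired certificate is already rejected by sshd, so the value of the report is in renewing keys before users are locked out and in spotting long-lived certificates that should not have been issued.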

Implement hardware token support:

# Configure SSH for YubiKey authentication
# Install required packages
apt-get install -y libpam-yubico

# Configure PAM for YubiKey. Replace CLIENT_ID and SECRET_KEY with your Yubico
# API credentials. Appending puts the rule after the distribution's @include
# lines, so the OTP is required on top of the checks those includes perform.
cat >> /etc/pam.d/sshd << 'EOF'
# YubiKey authentication
auth required pam_yubico.so id=CLIENT_ID key=SECRET_KEY authfile=/etc/yubikey_mappings
EOF

# Create user mappings: username:yubikey_public_id[:yubikey_public_id...]
# (the public ID is the leading modhex prefix of every OTP that key emits;
# the IDs below are placeholders)
cat > /etc/yubikey_mappings << 'EOF'
alice:cccccccefgh:ccccccccijk
bob:cccccccelmn:ccccccccpqr
EOF

# pam_yubico only runs when sshd hands the login to PAM's keyboard-interactive
# path (Debian's default sshd_config disables it). Requiring both methods makes
# the OTP a second factor rather than an alternative to the key.
cat >> /etc/ssh/sshd_config << 'EOF'
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF

# Configure SSH for security key (FIDO2) authentication. The leading "+" appends
# the two sk-* algorithms to the default list instead of replacing it; without
# it, sshd would reject the CA-signed certificates configured above.
# (PubkeyAcceptedKeyTypes is the pre-8.5 name for the same directive.)
echo "PubkeyAcceptedAlgorithms +sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com" >> /etc/ssh/sshd_config

sshd -t && systemctl reload sshd