SSH is the recommended option for remote access, since telnet transmits passwords in plain text. You can ease the hassle of logging in via SSH by using SSH keys together with keychain, which loads your private key into an agent when you log in; if your public key is in ~/.ssh/authorized_keys on the remote server you then log in without being prompted. It is recommended that you upgrade old keys to at least RSA-4096, or better still the newer ed25519, although some older servers may not support ed25519.

SSH Hardening

There are a few different things you can do to improve the SSH security of your system. Typically these are defined in /etc/ssh/sshd_config (check the file with sshd -t and reload sshd after editing; keep your existing session open until you have confirmed a new login still works).

  • Disable root login with PermitRootLogin no
  • Change the port from 22 to something else with Port #### (or open a port other than 22 on your router's firewall and have it port-forward to 22 on the server). This only hides you from casual scans; it is not authentication and does not replace the other steps.
  • Use keys (with Keychain, see below) for passwordless login and disable passwords in sshd by setting PasswordAuthentication no. Also set KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on older releases), otherwise PAM can still accept a password through keyboard-interactive authentication.
  • Port knocking can also be used: the SSH daemon (or the firewall in front of it) is configured to permit connections only after a certain sequence of ports has been tried in a specific order within a specified time frame. It is another layer of security on top of the above, not a replacement for it.
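The hardening list above as an audit you can run, added here as an example and not code from the original page or from OpenSSH: it reads an sshd_config the way sshd does (the first occurrence of a keyword wins, keywords are case-insensitive, settings after a Match line are conditional) and reports the weak settings. The two config texts are constructed for the example; feeding it a real /etc/ssh/sshd_config, and the plain "Keyword value" syntax it assumes, are noted as assumptions in the comments.

```shell
#!/bin/sh
# Added example (not from the original page): audit the sshd_config settings
# discussed above. Both configs are constructed inline so this runs offline;
# use sshd_audit "$(cat /etc/ssh/sshd_config)" for a real check. Assumes the
# plain "Keyword value" syntax (sshd also accepts "Keyword=value", not handled).

# sshd honours the FIRST occurrence of a keyword and ignores later duplicates,
# keywords are case-insensitive, and anything after a Match line is conditional,
# so the global value is whatever appears before the first Match.
sshd_effective() {   # $1 = config text, $2 = keyword, $3 = default when absent
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == tolower(key)          { print $2; found = 1; exit }
        END                                  { if (!found) print def }'
}

fails=0
check() {   # $1 = keyword, $2 = effective value, $3 = value we want
    if [ "$2" = "$3" ]; then
        echo "ok    $1 = $2"
    else
        echo "FAIL  $1 = $2 (want $3)"
        fails=$((fails + 1))
    fi
}

# Audit one config: prints a line per setting, returns the number of failures.
sshd_audit() {
    cfg="$1"; fails=0
    # Defaults passed to sshd_effective are OpenSSH's own (PermitRootLogin
    # defaults to prohibit-password since 7.0, the others to yes).
    check PermitRootLogin        "$(sshd_effective "$cfg" PermitRootLogin prohibit-password)" no
    check PubkeyAuthentication   "$(sshd_effective "$cfg" PubkeyAuthentication yes)"          yes
    check PasswordAuthentication "$(sshd_effective "$cfg" PasswordAuthentication yes)"        no
    # With UsePAM, keyboard-interactive can still accept a password even when
    # PasswordAuthentication is no; older releases call the option
    # ChallengeResponseAuthentication, so fall back to that name.
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication \
          "$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)")
    check KbdInteractiveAuthentication "$kbd" no
    echo "info  Port = $(sshd_effective "$cfg" Port 22) (a non-default port only hides you from casual scans)"
    return "$fails"
}

# Constructed sample: a stock-looking config with the weak settings.
WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: the same host after the hardening list. The Match block
# re-enables passwords for one user only and does not change the global value.
HARD_CFG='Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication yes'

# Stand-alone demo: the audit returns non-zero for the weak config.
echo "--- weak config ---";     sshd_audit "$WEAK_CFG" || echo "=> $? setting(s) to fix"
echo "--- hardened config ---"; sshd_audit "$HARD_CFG" && echo "=> all checks passed"
```

The Match block in the hardened sample is deliberate: sshd applies it only to the matching user, so a PasswordAuthentication yes inside it does not weaken the global setting, and the audit correctly stops reading at the Match line.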

Password-less SSH

It is a bit of a pain having to enter passwords each and every time, and not overly secure to have cron jobs run with your SSH password stored somewhere. The way round this is to use SSH keys. The following is based on the Gentoo Keychain guide.

Public key generation

Start by generating an SSH key for your user; ed25519 is recommended (see here). Give the key a passphrase when prompted: the agent and Keychain sections below mean you only type it once per login. You can do this on your server (e.g. desktop) and use the same key on your client (e.g. laptop). This is not the most secure arrangement, since whoever obtains the private key from one machine can log in from any of them, but I found it got complicated using individual keys for each computer.

snippet.bash
$ ssh-keygen -t ed25519

Once the key has been generated, the public part needs to end up in ~/.ssh/authorized_keys on each computer you want to log in to. Do this over password-authenticated SSH in the first instance (NB: don't disable password login as mentioned above until the keys are in place and a key login has been tested!). ssh-copy-id does the copy and the append in one go; if you would rather use scp or rsync, copy the .pub file across and append it to authorized_keys yourself, as below. If, like here, you reuse one key on every machine, the private key (id_ed25519, mode 600) also has to be copied across.

snippet.bash
$ rsync -av ~/.ssh/id_ed25519.pub user@anothercomputer:~/.ssh/
$ ssh user@anothercomputer 'cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
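Copying the .pub file into ~/.ssh grants nothing by itself: the line has to be appended to ~/.ssh/authorized_keys, and sshd's StrictModes (on by default) silently ignores that file if it or its directory is group- or world-writable. The following is an added example, not from the original page or from OpenSSH, that does the append idempotently (running it twice, or copying the same key with a different comment, does not duplicate the line) and fixes the permissions. The key lines are constructed and are not real keys; it works in a temporary directory so it can be run as-is.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into an
# authorized_keys file the way ssh-copy-id does, but idempotently and with the
# permissions sshd's StrictModes requires. Key lines below are constructed
# for the demo and are not real keys. Lines with options prefixes
# (e.g. from="...") are not handled.

# Append $2 (a public key line) to $1 (an authorized_keys path) unless a key
# with the same type and base64 blob is already present. The trailing comment
# is ignored when comparing, so re-adding with a different comment is a no-op.
authorized_keys_add() {
    file="$1"; key="$2"
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if awk -v want="$blob" '($1 " " $2) == want { found = 1 } END { exit !found }' "$file"; then
        return 0          # already authorized
    fi
    printf '%s\n' "$key" >> "$file"
}

# sshd (StrictModes yes) refuses the file if ~/.ssh or authorized_keys is
# writable by group or others; set the modes the manual page asks for.
authorized_keys_fix_perms() {
    chmod 700 "$(dirname "$1")"
    chmod 600 "$1"
}

# Return 0 when neither the file nor its directory is group/other writable.
authorized_keys_perms_ok() {
    for p in "$(dirname "$1")" "$1"; do
        if [ -n "$(find "$p" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            return 1
        fi
    done
    return 0
}

# Number of keys in an authorized_keys file (blank lines and comments skipped).
authorized_keys_count() {
    awk '/^[[:space:]]*#/ { next } /^[[:space:]]*$/ { next } { n++ } END { print n + 0 }' "$1"
}

# Stand-alone demo in a temporary directory (removed when the shell exits).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
AK="$demo_dir/.ssh/authorized_keys"
KEY1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobNotARealKey0000000 user@laptop'
KEY1_RENAMED='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobNotARealKey0000000 user@desktop'
KEY2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherConstructedBlobForTheDemo11111 backup@nas'
authorized_keys_add "$AK" "$KEY1"
authorized_keys_add "$AK" "$KEY1_RENAMED"   # same key, new comment: not added twice
authorized_keys_add "$AK" "$KEY2"
authorized_keys_fix_perms "$AK"
echo "keys authorized: $(authorized_keys_count "$AK")"
authorized_keys_perms_ok "$AK" && echo "permissions acceptable to sshd StrictModes"
```

If a key login mysteriously still asks for a password after the copy, the permissions check is the first thing to run; sshd logs the StrictModes refusal on the server but the client only sees the password prompt.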

You should now be able to ssh between your server and client without entering the account password for each machine. Instead you are prompted for the key's passphrase, which is not the same thing (even if you chose the same string for both). What's the point of that, I've substituted one prompt for another? I hear you asking. Well, this becomes useful because ssh-agent (part of the OpenSSH package) can 'hold' your decrypted key in memory: you enter the passphrase once when you log in, and subsequent ssh connections use the agent without prompting.

ssh-agent

The 'trick' to getting this working is to ensure that ssh-agent starts up. By default this should happen automatically when X starts; check with ps -A | grep ssh-agent, and that SSH_AUTH_SOCK is set in your shell. If it is running, the simplest thing is to log out and back in, after which you should be able to ssh without being prompted for a passphrase.

If you are still asked for your passphrase then either ssh-agent isn't starting, or your key has not been added to it, in which case add the following to your ~/.bash_profile. Note that ssh-agent only prints the environment variables pointing at its socket; they have to be eval'd into the shell or nothing will find the agent:

snippet.bash
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

…and you should now be able to ssh to your server (the ReadyNAS in this setup) without being prompted for passwords.

Keychain

Finally, on your desktop/server you should install Keychain, which reuses one ssh-agent across logins instead of starting a fresh agent (and asking for the passphrase again) in every terminal session. If you're using Gentoo simply emerge it, along with ssh-askpass-fullscreen, which prompts you for your key passphrases when logging in through a GUI:

snippet.bash
# emerge -av keychain ssh-askpass-fullscreen

…and then add the following lines to your ~/.bashrc or ~/.zshrc so that every terminal session picks the agent up (--agents takes a comma-separated list; the sourced files are what keychain writes for each agent)…

snippet.bash
/usr/bin/keychain --agents ssh,gpg ~/.ssh/id_ed25519 your@email.com
. ~/.keychain/$HOSTNAME-sh
. ~/.keychain/$HOSTNAME-sh-gpg

linux/security/ssh.txt · Last modified: 2022/11/08 22:10 by admin
CC Attribution-Share Alike 4.0 International