The first step in implementing core hardening on an Ubuntu server is to start with the local machine: the OpenSSH client.
Because passwords are susceptible to brute-force attacks, it is strongly recommended to switch to public key-based authentication.
Enforce Key-based Authentication
On the local machine, generate a secure key pair:
% ssh-keygen -t ed25519 -C "username@local_machine"
The command above uses the Ed25519 algorithm to generate the key pair.
Currently it is the most recommended choice for SSH keys because of its superior security, performance, and efficiency.
However, compatibility with older systems remains the primary reason for choosing RSA.
% ssh-keygen -t rsa -b 4096 -C "username@local_machine"
The command above uses the RSA algorithm with a 4096-bit key.
Older versions of OpenSSH (before 6.5, released in 2014) do not support Ed25519.
Why Ed25519?
- Higher security with shorter keys: a 256-bit Ed25519 key is roughly at the same security level as a 4096-bit RSA key.
- Superior performance (generating keys, signing, verifying authentication).
- Resistance to side-channel attacks, and robust against PRNG failure (compared to RSA).
- Compact size (a public key of about 68 characters) for easier management.
Once the key pair is generated, copy the public key to the Ubuntu server with:
% ssh-copy-id username@ubuntu_server_ip
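After ssh-copy-id has appended the key to the server's authorized_keys, it is worth checking what actually landed there. The following is an added example, not code from the original post: a small Python helper that parses OpenSSH public key lines in their wire format, reports the key type and size (the 68-character Ed25519 blob mentioned above), and flags short RSA keys. The 3072-bit RSA threshold, the make_key_line helper and the sample key lines are assumptions and constructed data, not real keys.

```python
import base64
import struct

MIN_RSA_BITS = 3072  # assumed baseline for flagging short RSA keys (not from the post)

def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def parse_public_key(line):
    """Parse an id_*.pub / authorized_keys line into (type, bits, comment)."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64, comment = (fields + [""])[:3]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type field does not match the encoded key")
    if key_type == "ssh-ed25519":
        pub, _ = _read_string(blob, off)
        bits = len(pub) * 8                # 32-byte curve point -> 256 bits
    elif key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent (mpint)
        n, _ = _read_string(blob, off)     # modulus (mpint, may carry a leading 0x00)
        bits = int.from_bytes(n, "big").bit_length()
    else:
        bits = None
    return key_type, bits, comment

def assess(line):
    """Classify a key line as 'ok', 'weak' (short RSA) or 'unknown' (other types)."""
    key_type, bits, _ = parse_public_key(line)
    if key_type == "ssh-ed25519":
        return "ok"
    if key_type == "ssh-rsa":
        return "ok" if bits >= MIN_RSA_BITS else "weak"
    return "unknown"

def make_key_line(key_type, *parts, comment=""):
    """Build a constructed public key line from wire-format parts (sample data, not a real key)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *parts))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()

# Constructed sample lines: filler bytes stand in for real key material.
ED25519_LINE = make_key_line("ssh-ed25519", bytes(range(32)), comment="username@local_machine")
RSA4096_LINE = make_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\xa5" * 511, comment="legacy@host")
RSA1024_LINE = make_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\xa5" * 127, comment="old@host")
```

Run assess() over each line of the server's ~/.ssh/authorized_keys to list any entry that is not Ed25519 or a sufficiently long RSA key.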
