Security – Is it really secure to connect to a server by SSH from hotels during a journey

physical-securitySecurity

Is it really secure to connect to a server using SSH from hotels during a journey?

Server:
– CentOS 7
– Authorisation only by RSA key – password auth is denied
– Non-standard port

Workstation:
– Ubuntu 14
– user password
– password to use RSA key (standard method)

Maybe it will be a good idea to keep half of the private RSA key on a USB stick, and automatically (by script) add this half to ~/.ssh/private_key before connecting?

Internet will be through either WIFI in hotels, or cable in a rented apartment.

UPD
Sorry for being unclear at first. I mean security in two aspects here:

Security of just the SSH connection through an untrusted network.
Security of a computer with the key necessary for the SSH connection – if it is stolen, how to protect the server…

Best Answer

So, regarding making an ssh connection over an explicitly untrusted connection.

Assuming you already have an ~/.ssh/known_hosts entry from a previous connection, yes you should be able to connect without worrying about whatever the network is safe or not. The same goes if you have some other means of verifying the ssh host key.

If you have never connected to the server before, nor having any other way of verifying the ssh host key, then you might want be more careful regarding the network you use to connect.

Related Solutions

SSH Passphrase Remembered in MacOSX Snow Leopard – How to Manage

OS X will automatically launch ssh-agent for you when it needs your private key. Your key will then be available through ssh-agent (without entering your passphrase again) until you log out of OS X or remove the key (via ssh-add -d or ssh-add -D to remove all keys).

This is similar to standard *NIX system behavior with ssh-agent, and allows useful functionality like agent authentication forwarding (ssh -A) to work so you don't have to put your private key all over the network.

If you want to disable ssh-agent (for all users of your Mac) you may remove the file /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

Another way is to unload & disable the LaunchAgent:

sudo launchctl -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

The -w causes it to not just unload but mark & remember it as disabled.

Linux – Ultra Secure Linux Server SSH Only

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset

See, eg, my writeup on the subject for more details (including where in your firewall rules to put these, which does matter).

The other respondents' recommendations to allow only key-based ssh I thoroughly endorse, because it renders brute-force password guessing useless; but you could go even further and allow only two-factor authentication, see my writeup on the yubikey for more details on that.

Best Answer

Related Solutions

SSH Passphrase Remembered in MacOSX Snow Leopard – How to Manage

Linux – Ultra Secure Linux Server SSH Only

Related Topic