pub/priv keys are the best way to secure ssh, but I wanted something a bit simpler for a box (Raspberry Pi) I just set up. I found that two-factor authentication for SSH fits the bill. On Debian, it is pretty easy:
apt-get install libpam-google-authenticator libpam0g-dev libqrencode3
Run this command to set up your two-factor authenticator (Google Authenticator, Authy, etc):
This will present you with a QR code that you can scan, plus a secret key if you can’t scan the QR code. It will also give you backup static codes for those “just in case” moments.
The tool sets up a .google_authenticator file in your home directory that stores this information for authentication.
Edit /etc/pam.d/sshd and add these lines after the “@include common-auth” line:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
Create the file /etc/security/access-local.conf:
# only allow from local IP range
+ : ALL : 10.0.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
Edit the SSHd configuration file /etc/ssh/sshd_config and change the “no” to a “yes” for this line:
Restart the SSH daemon and enjoy.
The bit with the accessfile is so that hosts on the local network (which we assume to trust) do not have to use two-factor authentication to get in via ssh. If you don’t trust the boxes on your local network, feel free to remove that bit.
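To see exactly which logins the accessfile exempts before you lock yourself out, here is a small dry-run evaluator. It is an added example, not code from the original post or from Linux-PAM: it models pam_access (first matching line wins, `+` permits, `-` denies, no matching line permits) and the `[success=1 default=ignore]` control that skips pam_google_authenticator when pam_access succeeds. The rules are the post's own access-local.conf, embedded inline. Simplifications, which are assumptions of this example: users are matched literally or via ALL, origins are IPv4 addresses as sshd hands them to PAM in PAM_RHOST, and LOCAL matches only a login with no remote host (a console/tty login), which is how the current access.conf(5) man page describes it.

```python
"""Dry-run the pam_access rules from access-local.conf (added example)."""
import ipaddress

# The access file from the post, embedded so the example runs offline.
ACCESS_LOCAL_CONF = """\
# only allow from local IP range
+ : ALL : 10.0.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""

# The same file without the trailing deny-all line (constructed for comparison).
ACCESS_LOCAL_CONF_NO_DENY = "+ : ALL : 10.0.1.0/24\n+ : ALL : LOCAL\n"


def parse_access_conf(text):
    """Return (permit, users, origins) tuples in file order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        permit, users, origins = fields[0] == "+", fields[1].split(), fields[2].split()
        rules.append((permit, users, origins))
    return rules


def _origin_matches(pattern, rhost):
    """Match one origin pattern against PAM_RHOST ('' means no remote host)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return rhost == ""          # assumption: LOCAL == non-network login
    if rhost == "":
        return False
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        return pattern == rhost     # hostnames compared literally (simplification)
    if "/" in pattern:              # CIDR network, e.g. 10.0.1.0/24
        return addr in ipaddress.ip_network(pattern, strict=False)
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False


def pam_access_permits(rules, user, rhost):
    """First matching line decides; with no matching line pam_access permits."""
    for permit, users, origins in rules:
        if any(u in ("ALL", user) for u in users) and any(
            _origin_matches(o, rhost) for o in origins
        ):
            return permit
    return True


def second_factor_required(user, rhost, conf=ACCESS_LOCAL_CONF):
    """Mirror the post's sshd PAM stack:
         auth [success=1 default=ignore] pam_access.so accessfile=...
         auth required pam_google_authenticator.so
    success=1 skips the next module when pam_access permits, so a permitted
    origin authenticates with the first factor only."""
    return not pam_access_permits(parse_access_conf(conf), user, rhost)


if __name__ == "__main__":
    # Constructed sample logins: LAN host, Internet host, console.
    for rhost in ("10.0.1.42", "203.0.113.9", ""):
        label = rhost or "<console>"
        print(f"pi from {label:>12}: 2FA required = {second_factor_required('pi', rhost)}")
    print("without '- : ALL : ALL', 203.0.113.9 needs 2FA =",
          second_factor_required("pi", "203.0.113.9", ACCESS_LOCAL_CONF_NO_DENY))
```

The last line of the demo is the check worth keeping: drop the `- : ALL : ALL` line and pam_access permits everything that no earlier line matched, so every remote host would skip the second factor.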