SSH Key Security on Untrusted Networks

TL;DR

Yes, an SSH key login can be compromised on a network controlled by someone malicious. However, you can significantly reduce the risk with several practical steps. This guide explains how.

Understanding the Risks

When connecting to a remote server via SSH using keys, your private key stays on your computer. The public key is stored on the server. A ‘bad actor’ (attacker) on the network could try to steal your private key or intercept and modify communication between you and the server.

Steps to Secure Your SSH Connection

1. Use a Strong Passphrase for Your Private Key
   • A passphrase adds an extra layer of security. Even if your private key is stolen, it’s useless without the passphrase.
   • Generate keys with a passphrase:

     ssh-keygen -t rsa -b 4096

     . You will be prompted for a passphrase during generation.

2. Disable Password Authentication on the Server
   • If password authentication is enabled, attackers can try brute-force attacks. Disabling it forces them to target your key.
   • Edit /etc/ssh/sshd_config (you’ll need root access). Find these lines and change them:

     PasswordAuthentication no
     ChallengeResponseAuthentication no

   • Restart the SSH service:

     sudo systemctl restart sshd

     or

     sudo service ssh restart

     .

3. Use Key-Based Authentication Only
   • Ensure your server is configured to *only* allow key-based authentication. This prevents password attacks.
4. Restrict Key Permissions on Your Local Machine
   • Your private key should only be readable by you.
   • Change permissions:

     chmod 600 ~/.ssh/id_rsa

     . This makes the file readable and writable only by your user account.

5. Use a Jump Host (Bastion Host)
   • Connect to an intermediary server (the jump host) that you trust, then connect from there to your final destination server. This hides the direct connection between your computer and the target server.
   • Configure SSH agent forwarding carefully on the jump host if needed.
6. Port Forwarding with a VPN
   • Establish a secure VPN connection before connecting via SSH. This encrypts all your network traffic, including SSH communication.
7. Consider Using Multi-Factor Authentication (MFA) for SSH
   • Adds another layer of security beyond the passphrase.
   • Google Authenticator or other TOTP apps can be used with SSH.
8. Regularly Audit Your Authorized Keys File
   • On your server, review ~/.ssh/authorized_keys to ensure only trusted public keys are present. Remove any unfamiliar or outdated keys.
9. Use SSH Certificates (Advanced)
   • SSH certificates provide a more robust and scalable authentication mechanism than simple key-based authentication. They allow you to issue short-lived credentials, reducing the impact of compromised keys.

Detecting Compromises

Monitor your server logs for suspicious activity:

• Failed SSH login attempts (even with key authentication).
• Unexpected processes running on the server.
• Unauthorized changes to system files.