I currently manage a server at RackSpace for my company, and am planing on switching to Linode in the next month or so, for a better server and to save some money.
In the process of switching, I am going to rebuild our entire system image to incorporate a lot more security, and being more conforming to new users, as we will soon be expanding, and will need to be able to add lots of people to the server.
I am currently writing a script for the server which will generate directories for the user, setup their groups, permissions, etc..
What I am currently facing, is how to securely set up SSH. My current setup is not secure at all, operating on the default port, with plain-text system passwords, even for root users, my account it the only one with a pubkey.
What I want to setup on the server is a higher measure of security in that all users will require a pub key to connect, however, I want all pub keys to have a pass-phrase associated with them, so that in the event the key becomes compromised if they decide to transfer it to multiple systems, there will still be a slim line of defense before the key can be replaced.
Is there any way to force a pass-phrase encrypted security key in RSA keys? Would it be bad practice to generate pub/private keys on the server and distribute them to my staff? What would be the best means of security here?
I am going to have permissions setup so that each user will only have limited access on the server, however I would still like to keep it all as secure as possible, as being a software company, a compromised pub key could lead to the unauthorized access of our git repositories, and everything that keeps us in business. Or am I just being to paranoid?
Any and all suggestions are greatly appreciated.
You could look at the various forms of two-factor authentication out there.
I've looked briefly at Google Authenticator, and I bought a yubikey ages ago but never got round to trying it any further, so can't offer you any practical experience with any of them.
You cannot force an SSH key to have a password. Whether you generate the key on behalf of the user or the user generates the key themselves, one way or another you will have to put the key into the hands of the user... and they will also have to know the passphrase in order to be able to use it. If they have the key and they have the passphrase, they can remove the passphrase if they want.
There are a few options to increase security beyond what you're thinking.
1) Set it up so that you require both a password AND private key to log in since you can't force the passphrase to be attached to the private key.
How do I setup ssh with both private key and password?
2) Use two factor authentication. There are several options for 2 factor. You could use a yubikey, or use google authenticate. I'm sure there are others, but those I have tried before and they work well.
Finally, all secure ssh servers that are open to the world and aren't specifically setup to allow only known IP's should have something like fail2ban installed. This will ensure that bad login's get firewalled (blocked) thereby increasing security still further. It's quite flexible as to the number of bad login attempts too and you can still add your whitelisted IP's (or IP's to ignore).
Personally, I think the two factor method is superior. But some people are a little uneasy about it. You can still combine two factor with private keys if you wish but that would be starting to become overkill.