In the world of cloud infrastructure, security is paramount. One area often overlooked is generic PEM (Privacy Enhanced Mail) keys for server access. This practice can introduce significant risks, as shared or poorly managed PEM keys can leave systems vulnerable. This guide will walk you through the best practices for generating unique PEM keys for individual user authentication, setting up user directories and permissions, and implementing secure SSH authentication with private keys. We’ll also cover granting sudo privileges with enhanced security measures to ensure your server remains robust and protected.

Understanding the Risks of Generic PEM Key Usage

Generic PEM keys are often used to allow multiple users access to a server using the same key. While this approach may seem convenient, it introduces serious security vulnerabilities:

  • Shared Responsibility: With a generic PEM key, tracking which user is accessing the server is difficult. If an unauthorized action is performed, tracing the source can become problematic.
  • Critical Mismanagement: When multiple users share the same key, the chances of it being exposed, misplaced, or compromised increase significantly.
  • Lack of Accountability: Using a single key prevents administrators from assigning specific access permissions or revoking individual user access without impacting others.

Each user should have a unique PEM key to mitigate these risks, ensuring a clear audit trail and controlled access management.

Generating Unique PEM Keys for Secure Access

Creating unique PEM keys for each user is a simple yet powerful step in securing your server. Here’s how to generate them:

  1. On the Client Machine:

Use the following command to create a unique key pair:
ssh-keygen -t rsa -b 4096 -C “your_email@example.com”

This command generates a public-private key pair. You’ll be prompted to name the file and set a passphrase for extra security.

  1. Distribute the Public Key:

Share the public key (usually saved in the ~/.ssh/ directory as id_rsa.pub) with the server administrator, who will install it in the appropriate user’s directory for SSH access.

Setting Up Individual User Directories and Permissions

Once the unique keys are generated, the next step is setting up individual user directories and permissions on the server to manage access properly:

  1. Create User Accounts:

For each new user, create a dedicated account:
sudo adduser username

  1. Set Up SSH Directories:

For each user, create an .ssh directory and set proper permissions:
sudo mkdir /home/username/.ssh

sudo chmod 700 /home/username/.ssh

sudo chown username:username /home/username/.ssh

  1. Install the Public Key:

Add the user’s public key to the authorized_keys file:
sudo touch /home/username/.ssh/authorized_keys

sudo chmod 600 /home/username/.ssh/authorized_keys

sudo chown username:username /home/username/.ssh/authorized_keys

Paste the public key into the authorized_keys file to enable SSH access.

Implementing Secure SSH Authentication with Private Keys

Now that the individual user directories and keys are set up, secure SSH authentication can be enforced:

  1. Disable Password Authentication:

Ensure that users can only log in with their private keys by editing the SSH configuration file (/etc/ssh/sshd_config):
PasswordAuthentication no

Restart the SSH service to apply the changes:
sudo systemctl restart sshd

  1. Enforce Key Usage:

Requiring PEM keys for SSH access will prompt users to use their private key when connecting to the server, adding a layer of security.

Granting Sudo Privileges with Enhanced Security Measures

For users that need elevated privileges, sudo access can be granted with enhanced security settings to prevent misuse:

  1. Add the User to the Sudoers File:

Use the following command to grant a user sudo privileges:
sudo usermod -aG sudo username

  1. Restrict Specific Sudo Commands:

Instead of granting full sudo access, limit the commands users can execute by editing the /etc/sudoers file:
username ALL=(ALL) NOPASSWD: /usr/bin/command

  1. Set Up Sudo Logging:

To monitor all sudo commands executed, configure sudo to log activities by editing /etc/sudoers and adding the following line:
Defaults log_output

  1. Enforce Multi-Factor Authentication (MFA) for Sudo Access:

Implement MFA for users who need sudo privileges. Tools like Google Authenticator can be configured for this purpose, adding an extra layer of protection.

Conclusion

By generating unique PEM keys for each user, setting up individual user directories, enforcing secure SSH authentication, and enhancing sudo privileges with robust security measures, you can significantly improve the security of your servers. This practice reduces the risk of unauthorized access and enhances accountability and control over your server environment.

References

Amazon EC2 key pairs and Amazon EC2 instances

Manage access keys for IAM users