Beyond PasswordAuthentication no
Disabling password auth is table stakes. The real hardening comes from SSH certificates
and layered access control. Certificate auth lets you rotate trust without touching every
authorized_keys file across your fleet.
SSH Certificate Authority
# Generate the CA key pair (keep the private key offline, never on fleet hosts)
ssh-keygen -t ed25519 -f /etc/ssh/ca/ssh_ca -C "amitnepal SSH CA 2025"
# Sign a user key: -I is the identity sshd logs, -n the principal (login name)
# the cert is valid for, -V the validity window (52 weeks from now).
# Output lands next to the key as ~/.ssh/id_ed25519-cert.pub
ssh-keygen -s /etc/ssh/ca/ssh_ca \
  -I "amit@workstation" \
  -n amit \
  -V +52w \
  ~/.ssh/id_ed25519.pub
# On the server: trust the CA's public key (reload sshd afterwards)
echo "TrustedUserCAKeys /etc/ssh/ca/ssh_ca.pub" >> /etc/ssh/sshd_config
Certificates expire. When they do, access stops — no manual revocation needed for routine rotation.
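Expiry only helps if someone is watching the validity windows. The following is an added example (not code from the original post) that parses the text `ssh-keygen -L` prints for a certificate and runs the checks a fleet audit would run: is it a user certificate, is it expired or about to, does its lifetime exceed policy, and does it carry only the principals you expect. The listing embedded below is constructed for the example, with placeholder fingerprints; the policy limits (52 weeks, 14-day warning) are assumptions chosen to match the signing command above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: what `ssh-keygen -L -f ~/.ssh/id_ed25519-cert.pub` prints for a
# certificate signed the way the article shows. Fingerprints are placeholders, not real values.
SAMPLE_CERT_LISTING = """\
/home/amit/.ssh/id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER_USER_KEY_FINGERPRINT
        Signing CA: ED25519 SHA256:PLACEHOLDER_CA_FINGERPRINT (using ssh-ed25519)
        Key ID: "amit@workstation"
        Serial: 0
        Valid: from 2025-01-10T09:00:00 to 2026-01-09T09:00:00
        Principals: 
                amit
        Critical Options: (none)
        Extensions: 
                permit-agent-forwarding
                permit-pty
"""

TIMESTAMP = "%Y-%m-%dT%H:%M:%S"   # ssh-keygen prints validity in local time, no zone


def parse_cert_listing(text):
    """Parse `ssh-keygen -L` output into a dict. List-valued sections (Principals,
    Critical Options, Extensions) collect the indented lines that follow them."""
    cert = {"principals": [], "critical_options": [], "extensions": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Type:"):
            cert["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Key ID:"):
            cert["key_id"] = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("Serial:"):
            cert["serial"] = int(line.split(":", 1)[1])
        elif line.startswith("Valid:"):
            m = re.search(r"from (\S+) to (\S+)", line)   # no match means "Valid: forever"
            cert["valid_from"] = datetime.strptime(m.group(1), TIMESTAMP) if m else None
            cert["valid_to"] = datetime.strptime(m.group(2), TIMESTAMP) if m else None
        elif line.startswith("Principals:"):
            section = None if "(none)" in line else "principals"
            continue
        elif line.startswith("Critical Options:"):
            section = None if "(none)" in line else "critical_options"
            continue
        elif line.startswith("Extensions:"):
            section = None if "(none)" in line else "extensions"
            continue
        elif section and not re.match(r"[A-Z][A-Za-z ]*:", line):
            cert[section].append(line)   # indented item under the current section
            continue
        section = None   # any other "Field: value" line ends the current section
    return cert


def _as_datetime(now):
    return datetime.strptime(now, TIMESTAMP) if isinstance(now, str) else now


def audit_certificate(cert, now, allowed_principals,
                      max_lifetime=timedelta(weeks=52), warn_before=timedelta(days=14)):
    """Policy checks for one certificate at time `now` (datetime or ISO string).
    Returns a list of findings; an empty list means the certificate passes."""
    now = _as_datetime(now)
    findings = []
    if not cert.get("type", "").endswith("user certificate"):
        findings.append("not a user certificate")
    if cert.get("valid_to") is None:
        findings.append("no expiry: certificate is valid forever")
    else:
        if now < cert["valid_from"]:
            findings.append("not yet valid")
        elif now >= cert["valid_to"]:
            findings.append("expired")
        elif cert["valid_to"] - now <= warn_before:
            findings.append("expires within %d days" % warn_before.days)
        if cert["valid_to"] - cert["valid_from"] > max_lifetime:
            findings.append("lifetime exceeds %d weeks" % (max_lifetime.days // 7))
    if not cert["principals"]:
        # sshd rejects principal-less certificates under TrustedUserCAKeys, so this cert is useless
        findings.append("no principals listed")
    unexpected = sorted(set(cert["principals"]) - set(allowed_principals))
    if unexpected:
        findings.append("unexpected principals: %s" % ", ".join(unexpected))
    return findings


def days_remaining(cert, now):
    """Days until expiry (negative once expired), or None for a certificate with no expiry."""
    if cert.get("valid_to") is None:
        return None
    return (cert["valid_to"] - _as_datetime(now)).days


if __name__ == "__main__":
    cert = parse_cert_listing(SAMPLE_CERT_LISTING)
    print(cert["key_id"], cert["principals"], days_remaining(cert, "2025-06-01T00:00:00"))
    print(audit_certificate(cert, "2025-06-01T00:00:00", {"amit"}) or "OK")
```

Feed it the real listing by piping `ssh-keygen -L -f <cert>` into `parse_cert_listing`; the principal allow-list is the only thing that needs to come from your own inventory.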
Port Knocking with knockd
# /etc/knockd.conf
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Port knocking eliminates 100% of automated SSH brute-force bots from your logs.
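What `sequence` and `seq_timeout` actually buy you is easier to see by replaying SYNs through the rules. The following is an added example, not part of the original post or of knockd itself: a simplified model of knockd's matching (per-source, in-order knocks, any other port resets the attempt, the whole sequence must complete within `seq_timeout` of its first knock) driven by a constructed SYN trace. It records the iptables command each rule would run instead of executing anything. The exact reset behaviour on a wrong port is an assumption about knockd's internals.

```python
# Simplified model of the knockd rules the config above relies on (an assumption about
# knockd internals, not its source): for each source IP the SYNs must hit the sequence
# ports in order, any other port resets that IP's attempt, and the whole sequence must
# finish within seq_timeout seconds of its first knock.
class KnockSequence:
    def __init__(self, name, sequence, seq_timeout):
        self.name, self.sequence, self.timeout = name, list(sequence), seq_timeout
        self.attempts = {}   # src_ip -> (index of next expected port, time of first knock)

    def observe(self, t, src_ip, dport):
        """Feed one SYN. Returns True when src_ip has just completed the sequence."""
        idx, started = self.attempts.get(src_ip, (0, t))
        if idx and t - started > self.timeout:
            idx, started = 0, t               # stale attempt: discard it and start over
        if dport != self.sequence[idx]:
            self.attempts.pop(src_ip, None)   # wrong port: progress is thrown away
            return False
        if idx == 0:
            started = t
        idx += 1
        if idx == len(self.sequence):
            self.attempts.pop(src_ip, None)
            return True
        self.attempts[src_ip] = (idx, started)
        return False


class KnockdSimulator:
    """Replays SYNs through [openSSH] and [closeSSH] from the config above and records the
    iptables commands their `command` lines would run. It only records them; nothing is executed."""
    def __init__(self):
        self.open_seq = KnockSequence("openSSH", (7000, 8000, 9000), 5)
        self.close_seq = KnockSequence("closeSSH", (9000, 8000, 7000), 5)
        self.allowed = set()   # source IPs that currently have an ACCEPT rule for port 22
        self.actions = []      # (t, command) in the order knockd would have run them

    def syn(self, t, src_ip, dport):
        # Every rule sees every SYN, exactly as knockd evaluates all sections per packet.
        if self.open_seq.observe(t, src_ip, dport):
            self.allowed.add(src_ip)
            self.actions.append((t, "iptables -I INPUT -s %s -p tcp --dport 22 -j ACCEPT" % src_ip))
        if self.close_seq.observe(t, src_ip, dport):
            self.allowed.discard(src_ip)
            self.actions.append((t, "iptables -D INPUT -s %s -p tcp --dport 22 -j ACCEPT" % src_ip))

    def port22_reachable(self, src_ip):
        return src_ip in self.allowed


# Constructed SYN trace: (seconds, source IP, destination port). Addresses come from the
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_SYNS = [
    (0.0, "203.0.113.5", 7000), (0.4, "203.0.113.5", 8000), (0.9, "203.0.113.5", 9000),     # correct knock
    (2.0, "203.0.113.5", 22),                                                              # then SSH
    (10.0, "198.51.100.9", 7000), (17.0, "198.51.100.9", 8000), (17.3, "198.51.100.9", 9000),  # too slow
    (20.0, "192.0.2.77", 7000), (20.1, "192.0.2.77", 9000), (20.2, "192.0.2.77", 8000),     # wrong order
    (30.0, "203.0.113.5", 9000), (30.3, "203.0.113.5", 8000), (30.6, "203.0.113.5", 7000),  # close knock
]


def replay(events):
    """Run a SYN trace through the simulator and return it for inspection."""
    sim = KnockdSimulator()
    for t, src_ip, dport in sorted(events):
        sim.syn(t, src_ip, dport)
    return sim


if __name__ == "__main__":
    for t, cmd in replay(SAMPLE_SYNS).actions:
        print("%5.1fs  %s" % (t, cmd))
```

Two things the replay makes concrete: a client that takes longer than five seconds between its first and last knock never gets the rule, and the close sequence is matched independently of the open one, so a host that never knocked can still be "closed" without effect.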
Additional sshd_config Hardening
# Only this user, and only from the management subnet
AllowUsers amit@192.168.1.0/24
MaxAuthTries 3
# Seconds to finish authenticating before sshd drops the connection
LoginGraceTime 20
# Disconnect after 2 unanswered keepalives (2 x 300 s of silence)
ClientAliveInterval 300
ClientAliveCountMax 2
Banner /etc/ssh/banner.txt
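Settings like these drift, and a `Match` block further down can silently undo them. The following is an added example (not code from the original post): a small auditor that parses an `sshd_config` the way sshd reads it (case-insensitive keywords, first value wins in the global section except for the cumulative Allow/Deny lists, directives after `Match` applying only conditionally) and reports every deviation from the baseline above. Both configs it runs over are constructed for the example; the thresholds are the article's values.

```python
import re

# Constructed sample: a host that turned passwords off but kept several sshd defaults the
# article tightens, plus a Match block that quietly re-enables passwords for one account.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca/ssh_ca.pub
AllowUsers amit
MaxAuthTries 6
ClientAliveInterval 300
ClientAliveCountMax 2
Match User deploy
    PasswordAuthentication yes
"""

# The article's settings plus the two directives they rely on, for comparison.
HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
TrustedUserCAKeys /etc/ssh/ca/ssh_ca.pub
AllowUsers amit@192.168.1.0/24
MaxAuthTries 3
LoginGraceTime 20
ClientAliveInterval 300
ClientAliveCountMax 2
Banner /etc/ssh/banner.txt
"""

# Values sshd uses when the keyword is absent (sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes", "maxauthtries": "6", "logingracetime": "120"}
# Keywords whose repeated lines accumulate instead of first-value-wins.
CUMULATIVE = {"allowusers", "allowgroups", "denyusers", "denygroups"}


def parse_sshd_config(text):
    """Return (global_settings, match_overrides). Directives after a Match line are collected
    separately as (criteria, keyword, value) because they apply only when the criteria match."""
    conf, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value
        elif match is not None:
            overrides.append((match, key, value))
        elif key in CUMULATIVE:
            conf[key] = (conf.get(key, "") + " " + value).strip()
        elif key not in conf:
            conf[key] = value
    return conf, overrides


def parse_time(value):
    """sshd time format: integer with optional s/m/h/d/w suffix; a bare number is seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}[m.group(2)]


def audit_sshd_config(text, max_auth_tries=3, max_grace_seconds=20):
    """Check a config against the article's baseline. Returns a list of findings (empty = pass)."""
    conf, overrides = parse_sshd_config(text)
    effective = lambda k: conf.get(k, DEFAULTS.get(k, ""))
    findings = []
    if effective("passwordauthentication").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if not conf.get("trustedusercakeys"):
        findings.append("TrustedUserCAKeys not set: no certificate trust anchor")
    if int(effective("maxauthtries")) > max_auth_tries:
        findings.append("MaxAuthTries %s exceeds %d" % (effective("maxauthtries"), max_auth_tries))
    if parse_time(effective("logingracetime")) > max_grace_seconds:
        findings.append("LoginGraceTime %s exceeds %ds" % (effective("logingracetime"), max_grace_seconds))
    if "clientaliveinterval" not in conf or "clientalivecountmax" not in conf:
        findings.append("ClientAliveInterval and ClientAliveCountMax not both set")
    allowed = conf.get("allowusers", "").split()
    if not allowed:
        findings.append("AllowUsers not set: every local account may log in over SSH")
    for entry in allowed:
        if "@" not in entry:
            findings.append("AllowUsers entry %r has no source restriction" % entry)
    for criteria, key, value in overrides:
        if key == "passwordauthentication" and value.lower() != "no":
            findings.append("Match %s re-enables PasswordAuthentication" % criteria)
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name + ":", audit_sshd_config(text) or "OK")
```

Run it against `/etc/ssh/sshd_config` on each host from your config management and fail the run on any finding; the Match check is the one that catches the re-enabled password path that a plain grep for `PasswordAuthentication no` misses.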
Defensive Takeaways
- Certificate auth makes bulk revocation trivial — revoke the CA, issue a new one
- Combine certificates with hardware tokens (YubiKey) for critical systems
- Port knocking reduces attack surface without full VPN overhead
- Always restrict AllowUsers by both user and source IP where possible