惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
IT之家
IT之家
S
SegmentFault 最新的问题
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 司徒正美
J
Java Code Geeks
博客园 - 聂微东
雷峰网
雷峰网
阮一峰的网络日志
阮一峰的网络日志
The Cloudflare Blog
博客园_首页
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 【当耐特】
腾讯CDC
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
V
V2EX
宝玉的分享
宝玉的分享
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Hugging Face - Blog
Hugging Face - Blog
月光博客
月光博客
NISL@THU
NISL@THU
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
有赞技术团队
有赞技术团队
Blog — PlanetScale
Blog — PlanetScale
aimingoo的专栏
aimingoo的专栏
L
LINUX DO - 热门话题
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
F
Fortinet All Blogs
博客园 - Franky
L
Lohrmann on Cybersecurity
S
Secure Thoughts
量子位
V
Vulnerabilities – Threatpost
Last Week in AI
Last Week in AI
博客园 - 叶小钗
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
L
LINUX DO - 最新话题
I
InfoQ
C
CERT Recently Published Vulnerability Notes
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Proofpoint News Feed
G
GRAHAM CLULEY
Cisco Talos Blog
Cisco Talos Blog

Ubuntu blog

MAAS installation: bare metal provisioning is easier than ever | Ubuntu Januscape vulnerability CVE-2026-53359 mitigations available | Ubuntu Managing Ubuntu on bare metal at scale Ubuntu Server: a platform made for enterprise scale | Ubuntu Building an open source chain of trust: new research uncovers key blockers and ways forward | Ubuntu Beyond safety and security: Why automotive open source demands dependability  | Ubuntu DirtyClone Linux kernel local privilege escalation vulnerability fixes available | Ubuntu pedit COW kernel local privilege escalation vulnerability mitigations | Ubuntu Canonical becomes Gold Sponsor of Trifecta Tech Foundation | Ubuntu Challenges designers face in open source (and how to fix them) | Ubuntu Hunting a 16-year-old SQLite bug with TLA+: is dqlite affected? | Ubuntu Anbox Cloud on C4A metal: Android, at scale, without friction | Ubuntu Canonical announces live kernel patching for Arm64 | Ubuntu How to use RISC-V custom instructions with Ubuntu | Ubuntu Ubuntu Summit 26.04: connected by open source | Ubuntu So you need to add microcontrollers to your fleet: now what? | Ubuntu Validating real-world skills through Canonical Academy | Ubuntu Virtualized Android comes to Anbox Cloud | Ubuntu Template: Streamlining open source design contributions | Ubuntu Beyond Mythos: responding to a new threat landscape | Ubuntu A look into Ubuntu Core 26: Building a local AI inference appliance in a virtual machine | Ubuntu A decade of Ubuntu on IBM Z and IBM LinuxONE | Ubuntu AI at the edge: simplifying infrastructure with Cisco and Canonical | Ubuntu The next era of telco clouds: get open infrastructure choice with Sylva and Canonical Kubernetes | Ubuntu What is RDMA over Converged Ethernet (RoCE)? | Ubuntu Beyond tokens per watt – using Ubuntu 26.04 LTS for AI | Ubuntu A look into Ubuntu Core 26: Deploying AI models on Renesas RZ/V series for production | Ubuntu RISC-V profiles – why is RVA23 significant? | Ubuntu AI with AMD ROCm on Ubuntu: your questions answered | Ubuntu Ubuntu and Ubuntu Pro on Azure Cobalt 200 VMs | Ubuntu What is InfiniBand? | Ubuntu How Canonical Support solves hard Linux performance bugs  – even in 12-year old code | Ubuntu Securing AI agent workflows on Ubuntu with the new NVIDIA OpenShell snap | Ubuntu Canonical announces optimized Ubuntu images for TPU virtual machines by Google Cloud | Ubuntu VMware hypervisor deployment using MAAS | Ubuntu Migrating from Apache Spark 3 to Spark 4 | Ubuntu Introducing Workshop: launch sandboxed development environments on Ubuntu with a single command | Ubuntu Run agentic workloads on Arm and Ubuntu | Ubuntu Decoding design: How design and engineering thrive together in open source | Ubuntu Developing web apps with local LLM inference | Ubuntu PinTheft Linux kernel vulnerability mitigation | Ubuntu Canonical announces fully Managed Kubeflow AI operations platform on the Microsoft Azure Marketplace | Ubuntu A look into Ubuntu Core 26: Cloud-powered edge computing with AWS IoT Greengrass and Azure IoT Edge | Ubuntu CVE-2026-46333 (ssh-keysign-pwn) Linux kernel vulnerability mitigations | Ubuntu Finding the blind spot: How Canonical hunts logic flaws with AI | Ubuntu Fragnesia Linux kernel local privilege escalation vulnerability mitigations | Ubuntu Rethinking BYOD security: protecting data without trusting devices | Ubuntu Dirty Frag Linux kernel local privilege escalation vulnerability mitigations | Ubuntu Three weeks to go: A sneak peek of the Ubuntu Summit 26.04 experience | Ubuntu How to use Ubuntu on Windows | Ubuntu Fixes available for CVE-2026-31431 (Copy Fail) Linux Kernel Local Privilege Escalation Vulnerability | Ubuntu Run NVIDIA Nemotron 3 Nano Omni locally in a single command | Ubuntu Why Web Engineering is great | Ubuntu Ubuntu 16.04 LTS has reached the end of standard Expanded Security Maintenance with Ubuntu Pro. Here are your options. | Ubuntu Understanding disaggregated GenAI model serving with llm-d | Ubuntu From Jammy to Resolute: how Ubuntu’s toolchains have evolved | Ubuntu Hybrid search and reranking: a deeper look at RAG | Ubuntu Canonical expands Ubuntu support to next-generation MediaTek Genio 520 and 720 platforms | Ubuntu Intentional leadership at Canonical | Ubuntu Ubuntu Pro comes to Nutanix bare-metal Kubernetes | Ubuntu RISC-V 101 – what is it and what does it mean for Canonical? | Ubuntu Ubuntu Summit 26.04 is coming: Save the date and share your story! | Ubuntu How to manage Ubuntu fleets using on-premises Active Directory and ADSys | Ubuntu Simplify bare metal operations for sovereign clouds | Ubuntu The “scanner report has to be green” trap | Ubuntu Modern Linux identity management: from local auth to the cloud with Ubuntu | Ubuntu Canonical welcomes NVIDIA’s donation of the GPU DRA driver to CNCF | Ubuntu Hot code burns: the supply chain case for letting your containers cool before you ship | Ubuntu
How to Harden Ubuntu SSH: From static keys to cloud identity | Ubuntu
Massimiliano Gori (Massimiliano Gori) · 2026-03-30 · via Ubuntu blog

30 years after its introduction, Secure Shell (SSH) remains the ubiquitous gateway for administration, making it a primary target for brute force attacks and lateral movement within enterprise environments. For system administrators and security architects operating under the weight of regulatory frameworks like SOC2, HIPAA, and PCI-DSS, default SSH configurations are an “open door” that represents an unacceptable risk. As such, accessibility often comes at the cost of security, permitting practices like root login and password authentication that significantly expand the attack surface. At Canonical, we have been focusing on developing solutions to close these gaps, enforcing a “defense-in-depth” strategy that aligns strict access control with centralized identity management.

Linking identity systems to SSH

Traditionally, Linux authentication relied on static credentials stored in /etc/passwd or unmanaged SSH keys scattered across authorized_keys files. At an enterprise scale, this creates massive “identity debt”, with orphaned keys remaining on servers long after employees depart, creating shadow access paths.

To eliminate this vulnerability, SSH should integrate directly with authoritative identity sources. For on-premise environments, systems like System Security Services Daemon (SSSD) can serve as the bridge to Active Directory. When Ubuntu systems join a domain, SSSD handles the authentication exchange, validating Kerberos tickets and automatically creating home directories. This ensures that SSH access privileges are dynamically tied to Active Directory group memberships, instantly revoking access when a user is disabled in the central directory.

How can you use IdPs to authenticate SSH sessions?

For organizations transitioning to cloud based identity providers (IdPs) like Microsoft Entra ID or Google Cloud IAM, we developed authd. This service modernizes the Linux desktop and server by utilizing a modular broker architecture to facilitate authentication against cloud IdPs.

For SSH, authd leverages the OAuth 2.0 Device Authorization Grant (RFC 8628). Since SSH sessions often occur on headless servers lacking a web browser, authd initiates a device flow where the user authenticates via a secondary device (such as a smartphone or a laptop) using their IdP credentials. This architecture allows Ubuntu to enforce Multi-Factor Authentication (MFA) and conditional access policies defined at the IdP level for every SSH login. By centralizing SSH authentication through authd, we eliminate the reliance on static public keys, ensuring that every access request generates an audit trail linked to a managed cloud identity.

Meeting your compliance and cryptographic requirements

For tightly regulated sectors, satisfying compliance controls is not optional. Ubuntu Pro, Canonical’s comprehensive subscription for open source security, provides the infrastructure required to meet stringent standards such as NIST, DISA-STIG, and PCI-DSS. These frameworks mandate rigorous technical controls regarding authentication assurance levels and session management.

With Ubuntu Pro, organizations can automate the application of security benchmarks and hardening profiles across their fleet. This ensures that the cryptographic exchanges and key management protocols underlying SSH connections adhere to the validated standards required for audits 10. We provide the tools to ensure that your gateway security is not just theoretical, but compliant by design.

Can you enforce policies at scale?

Defining a secure configuration is only half the battle. Enforcing it across thousands of nodes is the real challenge. With Adsys, administrators can extend Group Policy Objects (GPOs) to Ubuntu clients.

Using ADsys, we enable the enforcement of security policies and the execution of scripts at system startup or login. This allows security teams to centrally mandate SSH configurations, such as disabling root login or enforcing protocol versions, ensuring that no machine drifts from the approved security baseline. Through centralized privilege management, we can also grant or revoke sudo rights for specific AD groups without manually editing local files, strictly adhering to the Principle of Least Privilege.

Security checklist: hardening SSH

To reduce the attack surface of your Ubuntu infrastructure, we recommend implementing the following hardening measures.

  • Disable root login: set PermitRootLogin no in sshd_config to force user accountability.
  • Eliminate passwords: set PasswordAuthentication no and mandate public key or IdP-based authentication.
  • Enforce MFA: integrate libpam-google-authenticator or use authd with Entra ID/Google IAM for multi-factor verification.
  • Restrict network access: use firewalls to allow SSH connections only from trusted IP ranges or VPNs 15.
  • Active monitoring: configure Fail2Ban to monitor authentication logs and automatically ban IP addresses exhibiting brute-force behavior.
  • Change default ports: configure SSH to listen on a non-standard port (e.g., 2222) to reduce noise from automated scanners.

Read more in our identity management whitepaper

In our newly released whitepaper we provide actionable blueprints and technical specifications to architect, define, and enforce robust identity management controls across your entire server and desktop fleet, regardless of operating system.

We provide a technical examination of modern identity paradigms, including detailed configurations for managing access to cloud and on-premise Linux infrastructure, and practical strategies for seamless and secure integration with legacy AD Domain Services. Furthermore, the paper offers a detailed analysis of the advantages and implementation steps for using SSH certificates for frictionless, auditable SSH authentication, moving beyond simple key management. 

Read the Ubuntu Enterprise Identity Management whitepaper.

Further reading