Introduction

SSH is an essential tool for any Linux user, but many people aren't making the most of its robust capabilities, namely secure logins with keys.

SSH key pairs allow you to log in much more securely by limiting logins to only those computers that hold a private key that has been paired with the login target. Unlike passwords, these keys can't practically be guessed, so there's no need to worry about someone trying thousands of passwords to break into your computer or server. No key equals no access.

The good news is that these keys are very easy to set up and use, so you don't have to worry about maintaining configurations or wading through a long setup process.
The Need For Keys

If you run a public-facing machine, you need these keys. Sorry, but if you're using password authentication, you are more vulnerable.

Passwords are terrible. That has been well known for some time now. Most major web applications and utilities that rely on passwords offer two-factor authentication because they recognize the shortcomings of even the strongest passwords. For SSH, keys are the second authentication factor: they provide a second step in guaranteeing that only authorized users access a system.
Generating a Key Pair

The majority of the work here is done on your desired client system, and you will send one of the keys in the pair off to the server that you want to access.

If you don't want to get too invested in customizing the key generation process, that's fine. Most of the options afforded by the command that generates keys aren't all that useful under common circumstances.

The most basic way to generate a key is with the following Linux command.

$ ssh-keygen -t rsa

With that command, you are running just about everything with the defaults. The only thing that you need to specify is the key type (the algorithm the key uses), which here is RSA.

It will ask you if you want to set a passphrase for your key. This is not strictly necessary, and many people don't. If you do want an added layer of security, by all means add a strong passphrase. Just be aware that you will have to enter it every time you connect using that key.
There is another option that you can use if you want to add more security to your key. By adding the -b flag to your ssh-keygen command, you can specify the number of bits, that is, the key length. The default is 2048, which should be fine in most cases. Here's what an example looks like.

$ ssh-keygen -b 4096 -t rsa
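As an added example (not code from the original article), here is a small POSIX shell script that generates the key pair non-interactively and then checks, before the public half is sent anywhere, that the .pub file really belongs to the private key and that the requested key length took effect. It assumes OpenSSH's ssh-keygen is installed; the -f, -N, -C and -q flags, the output directory argument and the comment string are choices made here, not part of the article.

```shell
#!/bin/sh
# Added example, not from the original article: generate an RSA key pair into a
# directory of your choice and verify the pair before distributing the public half.
# Assumes OpenSSH's ssh-keygen is installed. Paths below are constructed for the demo.

# generate_keypair DIR [BITS] -> writes DIR/id_rsa (private) and DIR/id_rsa.pub (public).
# -t rsa and -b are the flags covered in the article; -f picks the output file,
# -N "" sets an empty passphrase (pass a real one to get a prompt-protected key),
# -C sets the comment that ends up at the end of the .pub line, -q suppresses chatter.
generate_keypair() {
    dir=$1; bits=${2:-4096}
    mkdir -p "$dir" && chmod 700 "$dir"
    ssh-keygen -q -t rsa -b "$bits" -N "" -C "example@constructed" -f "$dir/id_rsa" </dev/null
    chmod 600 "$dir/id_rsa"        # the private key must not be readable by anyone else
    chmod 644 "$dir/id_rsa.pub"    # the public key is the half that gets shared
}

# keypair_matches DIR -> 0 if DIR/id_rsa.pub is the public half of DIR/id_rsa.
# ssh-keygen -y derives the public key from the private key; comparing only the
# first two fields (key type and base64 blob) ignores the free-text comment.
# A passphrase-protected private key would prompt for the passphrase here.
keypair_matches() {
    dir=$1
    derived=$(ssh-keygen -y -f "$dir/id_rsa" 2>/dev/null | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$dir/id_rsa.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# key_bits DIR -> the key length as reported by ssh-keygen -l (first field of
# its "BITS FINGERPRINT COMMENT (TYPE)" output), to confirm that -b took effect.
key_bits() {
    ssh-keygen -l -f "$1/id_rsa.pub" | awk '{print $1}'
}

# Stand-alone demo: run as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    generate_keypair "$tmp" 4096
    echo "fingerprint: $(ssh-keygen -l -f "$tmp/id_rsa.pub")"
    echo "key length:  $(key_bits "$tmp") bits"
    keypair_matches "$tmp" && echo "public key matches private key"
    rm -rf "$tmp"
fi
```

Running the script with the demo argument creates a throwaway key pair in a temporary directory, prints its fingerprint and length, confirms the pair matches, and deletes it. The pair check is the step worth keeping around: if you ever end up with several id_rsa.pub files lying about, it tells you which one actually belongs to the private key you are using.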
Transferring A Key To The Server

In order for the whole thing to work, you need to give the machine that you're trying to connect to part of the key pair. That's why they're generated in pairs, after all. The file without an extension (id_rsa by default) is your private key. Don't share or distribute that one. The one with the .pub extension, however, should be sent to the machines that you want to connect to.
Most Linux systems come with a very simple script that allows you to push your public key to the machines that you want to connect to. This script, ssh-copy-id, allows you to send your key off with only one command.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub email@example.com

Of course, you would substitute in the username of the user you would connect as on the target machine and that computer's actual IP address. A domain name or hostname would work too.

If you configured your server to use SSH on a different port, you can specify the port to ssh-copy-id by using the -p flag followed by the desired port number.
Logging In

Logging in via SSH should be about the same as it was before, except that you will be using your key pair for validation. Just connect over SSH like you normally would.

$ ssh firstname.lastname@example.org

If you didn't set a passphrase for your key, you will be logged in automatically. If you did add one, you will be prompted to supply it before the system logs you in.
Disabling Password Logins

Now that you are using SSH keys to log in, it's a good idea to disable password-based logins for SSH. This way, you aren't vulnerable to someone discovering the password to one of your accounts and using it, because all password logins will be disabled.

On the machine that you wish to connect to, presumably a server, find the SSH daemon configuration file. It's usually located at /etc/ssh/sshd_config. Open that file in your text editor of choice as root or with sudo.

# vim /etc/ssh/sshd_config

Find the line PasswordAuthentication, uncomment it if you have to, and set its value to no:

PasswordAuthentication no

There are a couple of other options that you might want to change in that section for better security as well. This way, only logins with your key will be permitted.

PasswordAuthentication no
PermitEmptyPasswords no
HostbasedAuthentication no

When you're done, save and exit the file. You're going to need to restart the SSH service for the changes to take effect.

systemctl restart sshd

or
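One caveat a practitioner will want here: sshd uses the first uncommented occurrence of a keyword it finds, so a "PasswordAuthentication yes" higher up in the file, or in a drop-in file pulled in by an "Include" line near the top, silently wins over the line you just edited. The following POSIX shell script is an added example, not code from the original article: it reports the value sshd will actually use for the three directives above, rewrites a copy of the file so your setting comes first, and audits the result. The function names, the sample configuration and its file paths are constructed for the example; "sshd -t" (syntax check) and "sshd -T" (dump the effective configuration) are the real OpenSSH flags to run on the server before and after the restart. Keep your existing session open and confirm a key-based login from a second terminal before you close it, so a mistake cannot lock you out.

```shell
#!/bin/sh
# Added example, not part of the original article: audit and harden the three
# password-related sshd_config directives on a COPY of the file. sshd takes the
# FIRST uncommented occurrence of a keyword, so an earlier "PasswordAuthentication yes"
# (or one in a drop-in loaded by an "Include" line) wins over a later "no".
# File paths and the sample configuration below are constructed for the demo.

# effective_value FILE KEYWORD -> prints the value sshd would use (first match wins).
# Ignores Match blocks, which apply only to specific connections; "sshd -T" on the
# server is the authoritative view of the effective configuration.
effective_value() {
    awk -v key="$2" '
        { gsub(/=/, " ") }                    # sshd also accepts Keyword=value
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1" | tr 'A-Z' 'a-z'
}

# set_directive FILE KEYWORD VALUE -> removes every existing line for KEYWORD
# (active or commented out) and writes "KEYWORD VALUE" as the FIRST line, where
# nothing earlier in the file, Include lines included, can override it.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { print key " " value }
        {
            line = $0
            sub(/^[[:space:]]*#*[[:space:]]*/, "", line)   # look past a leading "#"
            gsub(/=/, " ", line)
            if (split(line, f) > 0 && tolower(f[1]) == tolower(key)) next
            print
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original owner and mode
    rm -f "$tmp"
}

# audit_password_logins FILE -> 0 if all three directives are effectively "no".
audit_password_logins() {
    file=$1; rc=0
    for key in PasswordAuthentication PermitEmptyPasswords HostbasedAuthentication; do
        v=$(effective_value "$file" "$key")
        case "$v" in
            no) echo "$key: no (ok)" ;;
            "") echo "$key: not set explicitly, sshd default applies"; rc=1 ;;
            *)  echo "$key: $v"; rc=1 ;;
        esac
    done
    return "$rc"
}

# harden_password_logins FILE -> applies the article's three settings.
# Applied in reverse so the finished file lists them in the article's order.
harden_password_logins() {
    set_directive "$1" HostbasedAuthentication no
    set_directive "$1" PermitEmptyPasswords no
    set_directive "$1" PasswordAuthentication no
}

# Constructed sample resembling a stock sshd_config with the usual pitfalls:
# an Include near the top and an active "yes" above a commented-out "no".
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
#PasswordAuthentication no
PermitEmptyPasswords no
#HostbasedAuthentication no
EOF
    echo "$f"
}

# Stand-alone demo: run as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    cfg=$(make_sample_config)
    echo "Before:"; audit_password_logins "$cfg" || true
    harden_password_logins "$cfg"
    echo "After:";  audit_password_logins "$cfg"
    echo "--- resulting file ---"; cat "$cfg"
    rm -f "$cfg"
fi
```

To use it on a real server, point the functions at a copy of /etc/ssh/sshd_config, inspect the result, copy it into place, run "sshd -t" to syntax-check it, and only then restart the service. The audit function is also a quick way to confirm that a drop-in file has not quietly re-enabled password logins after a package update.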