Ssh is a protocol designed to make network connections between hosts secure. Ssh is a defacto standard for Linux and related operating systems. Ssh encrypts the connection between sides. Ssh gives terminal access between host and server. To get a terminal there need to be an authentication process. The authentication process is generally password-based but there are some caveats for password-based authentication. Brute force attacks can guess the password and give access to the server. To make things more secure key-based authentication can be used. It is far more secure and practical to use in logins or batch operations.
Creating Key Pairs
We will create key pairs. We may ask yourself why pair. Isn’t 1 key enough? In Asymmetric cryptography key pairs where each if different is used to complete each other. One key is named public which is known by the public. One key is named private and only known by the owner.
$ ssh-keygen -t rsa
During the RSA public and private key generation, we will be asked some questions like below. We can answer them all skip all of them just with
- “Enter file in which to save the key (/home/ismail/.ssh/id_rsa):” question is used to specify the RSA key pair which name is `id_rsa` by default and the path where the current user home path under the `.ssh` directory.
- “Overwrite y/n ?” will be asked if there is already a key with the specified path and name and accept to overwrite. If we will not use the old RSA key we can overwrite with “y” answer.
- “Enter passphrase (empty for no passphrase)” question is used to protect created public and private key with encryption where we have to specify a passphrase
- “Enter passphrase” line is used to check previously entered passphrase to prevent mistakes
We have created a key pair based RSA algorithm. Our key pairs are 2048 bit. So it is more secure as long as the longer key size. We can protect our key pair with passphrase but it is not practical for most situations. Our key pair is located by default users’ home directories .ssh file. Keep in mind that while working with ssh configuration we need root privileges. The best way to get root privileges uses the following command.
$ sudo su
Adding User SSH Key to Remote Server
Now we have a key to use. We will use
ssh-copy-id command where we specify the user we want to copy the key and the server hostname or IP address. In this example, we will copy already created an SSH key for the user
ismail in the
$ ssh-copy-id firstname.lastname@example.org
We can see that during the SSH key deployment some information is printed to the screen like source key which will be installed to the remote system. How many keys remained for installation? and at the end of the installation, the “Number of keys added” which is one in this case. Then the SSH command to login passwordless to the remote system with the specified user is printed where we can check like below.
$ ssh email@example.com
Disable Password-Based Authentication for SSH Configuration
After completing these steps we can disable password-based authentication for ssh server.
$ vim /etc/ssh/sshd_config
Open sshd_config file and change PasswordAuthentication and PermitRootLogin line like below
PasswordAuthentication no PermitRootLogin without-password
Apply SSH Server Configuration
Then restart SSH server to load with the new configuration.
$ sudo systemctl restart ssh
Check SSH Server Status
Check if the SSH is working with the systemctl command like below. We will see that the SSH is working properly in the
Active line with a green color. If there is an error you can revert back to the original configuration and restart the SSH service again which is described previously.
$ systemctl status ssh