SSH is a protocol designed to make network connections between hosts secure. SSH is the de facto standard on Linux and related operating systems. SSH encrypts the connection between the two sides and gives terminal access from a host to a server.
To get a terminal, there needs to be an authentication process. Authentication is generally password based, but password-based authentication has some caveats: a brute-force attack can guess the password and gain access to the server.
To make things more secure, key-based authentication can be used. It is far more secure and more practical to use for logins or batch operations.
Creating Key Pairs
We will create a key pair. You may ask yourself why a pair; isn't one key enough? In asymmetric cryptography, a pair of two different keys is used, and the keys complement each other. One key is called the public key and can be known by everyone. The other is called the private key and is known only by its owner.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
|. o.o . . |
| E =.+ = . |
|o =.B * .. |
|oo B.o .S . |
|o o o. + |
| + .. * . |
| o= . =o+ |
| o= o =*=o. |
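We have created a key pair based on the RSA algorithm. Our keys are 2048 bits long. The longer the key size, the more secure the key. We can protect our key pair with a passphrase, but it is not practical for most situations. Without a passphrase, anyone who can read the private key file can use it, so keep that file readable only by its owner. By default the key pair is stored in the user's home directory, under .ssh (here /root/.ssh/id_rsa and /root/.ssh/id_rsa.pub).
Keep in mind that we need root privileges while working with the SSH configuration. The best way to get root privileges is to use the following command.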
$ sudo su
Adding Key to Remote Server
Now we have a key to use. We will add this key to a remote server for a user.
$ ssh-copy-id root@192.168.122.137
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ismail/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.122.137'"
and check to make sure that only the key(s) you wanted were added.
We used the ssh-copy-id command to add our key for the root user on the remote server whose IP address is 192.168.122.137. After adding our key we can log in to the remote server without entering a passphrase/password like this.
$ ssh root@192.168.122.137
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Get cloud support with Ubuntu Advantage Cloud Guest:
packages can be updated.
updates are security updates.
Last login: Sun Sep 25 08:49:18 2016 from 192.168.122.1
Disable Password Based Authentication for SSH Configuration
After completing these steps we can disable password-based authentication on the SSH server.
$ vim /etc/ssh/sshd_config
Open the sshd_config file and change the PasswordAuthentication and PermitRootLogin lines like below
Apply SSH Server Configuration
Then restart the SSH server to load the new configuration.
$ systemctl restart ssh
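A check worth running on the edited file before the restart, as an added example that is not part of the original post: it audits the two directives named above. It assumes root key logins stay allowed while passwords are refused, so it accepts PermitRootLogin prohibit-password (or the older alias without-password) as well as no; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two directives edited above.
# sshd keeps the FIRST value it reads for a keyword and keywords are
# case-insensitive, so a "PasswordAuthentication no" added lower down can be
# dead text. Match blocks are not evaluated here; review them separately.

# Print the first global value (before any Match block) of keyword $2 in file $1.
sshd_first_value() {
    awk -F'[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || NF == 0 { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 only if both directives are set explicitly and refuse passwords.
# Assumption: root may still log in with a key, so prohibit-password (or its
# deprecated alias without-password) is accepted as well as "no".
audit_sshd_config() {
    pw=$(sshd_first_value "$1" PasswordAuthentication)
    root=$(sshd_first_value "$1" PermitRootLogin)
    rc=0
    # The default is "yes", so a missing or commented-out line still fails.
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication=${pw:-unset}"; rc=1
    fi
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin=${root:-unset}"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK both directives refuse passwords"; fi
    return "$rc"
}

# Constructed sample config: the early "yes" wins, the later "no" is ignored.
demo=$(mktemp)
printf '%s\n' '#PasswordAuthentication no' 'passwordauthentication yes' \
    'PermitRootLogin prohibit-password' 'PasswordAuthentication no' > "$demo"
audit_sshd_config "$demo" || echo "fix the config before restarting ssh"
rm -f "$demo"
```

On a live server, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective settings; keep the current session open until a new key-based login succeeds.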
Have a secure day 🙂