Lately, I've been implementing a solution to make SSH connections more secure and manageable (i.e., getting away from password authentication). A couple of benefits public-key authentication has over the default password authentication are:
- You only have to remember the passphrase of your private key rather than possibly dozens of username/password combinations for remote hosts.
- A password sent across the network, even protected by an SSH secure channel, can be captured when it arrives on the remote host if that host has been compromised. A private key never leaves your machine, so a compromised server learns nothing it can replay against your other accounts.
#Generate the Key Pair
The private key should be encrypted with a passphrase, and ssh-keygen prompts for one. Choose a strong passphrase: at least 10 to 15 characters, not a grammatical sentence or dictionary phrase, and not reused from any other account. The following command creates a 2048-bit RSA key pair and prompts you for the passphrase (on current OpenSSH releases, ssh-keygen -t ed25519 is the usual choice, and the remaining steps are identical):
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/marc/.ssh/id_rsa):
Created directory '/home/marc/.ssh'.
Enter passphrase (empty for no passphrase): Thi$isy0urP@ssphra$e
Enter the same passphrase again: Thi$isy0urP@ssphra$e
Your identification has been saved in /home/marc/.ssh/id_rsa.
Your public key has been saved in /home/marc/.ssh/id_rsa.pub.
The key fingerprint is:
39:c0:50:dd:a7:0a:8f:bb:6e:6a:e0:83:98:34:88:a5 marc@test.internal
#Identify and Copy the Authorized Keys
Now that you have a public-key file, you can simply place that key in a remote account on any machine running the SSH server (usually named sshd). Once you've set up the account properly, your private key will allow easy access to it.
To allow access to an account, create the file ~/.ssh/authorized_keys in that account. The file contains one public key per line. Only the public key (id_rsa.pub) is copied to the remote host; the private key never leaves your machine. Here is one example that appends the public key to the remote account's authorized_keys (creating ~/.ssh first, since it will not exist if the account has never used SSH):
$ cat ~/.ssh/id_rsa.pub | ssh marc@remotehost 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
Verify (or set) the permissions, on the remote host account, for the .ssh folder and the authorized_keys file. With StrictModes (the default), sshd silently ignores authorized_keys if the file, the .ssh directory or the home directory itself is writable by group or others, so a login that unexpectedly falls back to a password prompt is usually a permissions problem:
$ chmod 0700 ~/.ssh
$ chmod 0600 ~/.ssh/authorized_keys
#SSHD Configuration
By default, the account password also allows access to the account. You can disable this feature in the OpenSSH sshd by modifying /etc/ssh/sshd_config (or the equivalent on your system) and adding (or modifying) this line. Before reloading sshd, check the file with sshd -t, keep your current session open, and confirm that key-based login works from a second terminal; otherwise a typo here locks you out:
PasswordAuthentication no
You also want to verify the PubkeyAuthentication property of the /etc/ssh/sshd_config file is enabled (it is the default). If UsePAM is yes, also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication in recent releases); otherwise PAM can still prompt for the account password through keyboard-interactive authentication. sshd uses the first uncommented occurrence of each directive, so make sure an earlier line is not overriding yours:
PubkeyAuthentication yes
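As an added example (this is not code from the original post), here are the copy-the-key, set-permissions and sshd_config steps above as POSIX shell functions. They take the home directory and config file as parameters so you can exercise them against a scratch directory before pointing them at a real $HOME and /etc/ssh/sshd_config. The function names, the scratch layout, the duplicate-key check and the ChallengeResponseAuthentication directive are my additions; the post itself only sets PasswordAuthentication and PubkeyAuthentication.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are my own.

# install_key HOME_DIR PUBKEY_FILE
# Appends the public key to HOME_DIR/.ssh/authorized_keys unless the same key
# material (second field, the base64 blob) is already present, then enforces
# the permissions sshd's StrictModes expects.
install_key() {
    home="$1"; pub="$2"
    keydir="$home/.ssh"
    auth="$keydir/authorized_keys"
    mkdir -p "$keydir"
    touch "$auth"
    blob=$(awk '{print $2}' "$pub")
    if ! awk -v b="$blob" '$2 == b {found=1} END {exit !found}' "$auth"; then
        cat "$pub" >> "$auth"
    fi
    chmod 0700 "$keydir"
    chmod 0600 "$auth"
}

# set_directive CONFIG KEY VALUE
# Rewrites any existing line for KEY, commented out or not, to "KEY VALUE";
# appends the directive if no such line exists. Assumes a flat config with no
# Match blocks (a directive inside a Match block would be rewritten too).
set_directive() {
    cfg="$1"; key="$2"; val="$3"
    tmp="$cfg.tmp.$$"
    awk -v k="$key" -v v="$val" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
        tolower(line) ~ ("^" tolower(k) "[ \t]") { if (!seen) { print k, v; seen = 1 }; next }
        { print }
        END { if (!seen) print k, v }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# harden_sshd_config CONFIG
# Key auth on, password auth off. ChallengeResponseAuthentication is also set
# to no: with UsePAM yes, the keyboard-interactive path can still prompt for
# the account password even when PasswordAuthentication is no.
harden_sshd_config() {
    cfg="$1"
    set_directive "$cfg" PubkeyAuthentication yes
    set_directive "$cfg" PasswordAuthentication no
    set_directive "$cfg" ChallengeResponseAuthentication no
}

# effective_value CONFIG KEY
# Prints the value sshd would use: the first uncommented occurrence of KEY.
effective_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Usage on a real host (not run here):
#   install_key "$HOME" ~/.ssh/id_rsa.pub
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl reload sshd
```

Running install_key twice with the same key leaves a single line in authorized_keys, and effective_value is the check to run after editing: it reports the directive sshd will actually honour, so a leftover uncommented line earlier in the file shows up immediately.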