Password login is not the only way to authenticate to an SSH server; there is also SSH key authentication. An SSH server configured to accept only key authentication is in a better position than one that accepts passwords, because password authentication is vulnerable to dictionary attacks. So the most secure way to access a remote server is with SSH key authentication, and that is what this note is about.
First we need to make sure that our local system has ssh installed.
$ sudo apt-get install openssh-client
and make sure that the ssh server is installed on the server:
$ sudo apt-get install openssh-server
$ sudo /etc/init.d/sshd start
(On Debian and Ubuntu the init script is /etc/init.d/ssh rather than sshd.)
SSH Key generation
We need to generate a pair of keys: a public key, which the server uses to encrypt data, and a private key, which is the only key that can decrypt that data and which, by definition, must be kept private. There are many secure encryption algorithms with different degrees of strength. There are DSA and RSA; as far as I know DSA is the standard for the US government, DSA keys have a 1024-bit size limit, whereas RSA is unlimited. I chose to use an RSA key of 2048 bits; here are the steps.
$ ssh-keygen -v -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ibrahim/.ssh/id_rsa): /home/ibrahim/.ssh/ibrahim_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ibrahim/.ssh/ibrahim_rsa.
Your public key has been saved in /home/ibrahim/.ssh/ibrahim_rsa.pub.
The key fingerprint is:
$ chmod 600 /home/ibrahim/.ssh/ibrahim_rsa
The scp command used next (secure copy) is part of the ssh package; it is a secure remote copy command.
$ scp /home/ibrahim/.ssh/ibrahim_rsa.pub email@example.com:/home/ibrahim/.ssh
You will be asked for the login password on the remote before the copying commences. The file will be copied to the login user's home directory on the remote (/home/ibrahim in that case).
On the remote server we should do the following.
$ cat /home/ibrahim/.ssh/ibrahim_rsa.pub >> /home/ibrahim/.ssh/authorized_keys
Note the >> here: appending keeps any keys already in authorized_keys, whereas a single > would overwrite them. sshd also refuses the file if it, or the .ssh directory, is writable by anyone other than the user, so keep .ssh at mode 700 and authorized_keys at mode 600.
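The key-installation step above, written as an added example (not code from the original post): a POSIX sh function that creates ~/.ssh with the modes sshd expects, appends the public key only if it is not already there, and a pair of helpers to check the result. The home directory and the key line are parameters, and the sample key used in the demo is a constructed string, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a public key into
# HOME_DIR/.ssh/authorized_keys the way the steps above do, but idempotently
# and with the permissions sshd's StrictModes check requires.
# Assumptions: POSIX sh and a writable HOME_DIR; the key line is passed in.

# install_authorized_key HOME_DIR PUBKEY_LINE
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # sshd rejects ~/.ssh and authorized_keys when they are group/world writable
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1
    chmod 600 "$auth_file" || return 1

    # Append (>>) rather than overwrite (>), and only if the exact line is
    # absent, so re-running the script never duplicates or clobbers keys.
    if grep -qxF -- "$pubkey" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# count_keys HOME_DIR: number of key lines (non-blank, non-comment)
count_keys() {
    f="$1/.ssh/authorized_keys"
    if [ ! -f "$f" ]; then
        echo 0
        return 0
    fi
    grep -cve '^[[:space:]]*$' -e '^#' "$f" || true
}

# mode_is PATH MODE: true if PATH has exactly the octal MODE
mode_is() {
    # POSIX find: -perm without a leading '-' is an exact match
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# check_perms HOME_DIR: true if .ssh is 700 and authorized_keys is 600
check_perms() {
    mode_is "$1/.ssh" 700 && mode_is "$1/.ssh/authorized_keys" 600
}

# Demo against a throwaway directory with a constructed (fake) key line.
if [ "${1:-}" = "--demo" ]; then
    demo_home=$(mktemp -d)
    demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC-constructed-sample ibrahim@laptop'
    install_authorized_key "$demo_home" "$demo_key"
    install_authorized_key "$demo_home" "$demo_key"
    echo "keys installed: $(count_keys "$demo_home")"   # 1, not 2
    check_perms "$demo_home" && echo "permissions ok"
    rm -rf "$demo_home"
fi
```

Run it with `sh install_key.sh --demo` to see the idempotency check in action; the second call is a no-op because the key line is already present.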
Now, let's log in to the remote server using the password, to configure the sshd server (in /etc/ssh/sshd_config) to disable password login and enable keys.
#Disable Login password
#Allow forwarding yes
- Uncomment the 'PasswordAuthentication no' line only after making sure that key authentication is working properly.
- Disabling root login is recommended anyway, though it is of little use once password login is disabled.
- Allowing forwarding is not recommended in a multi-user hosting environment, where keys could be exposed. In any case, we should only allow it if we intend to forward keys from server to server while keeping all our keys on the local machine, which is exactly what I want to do.
$ ssh -i /home/ibrahim/.ssh/ibrahim_rsa firstname.lastname@example.org
You should be asked to approve connecting to the new server, and whether you trust it; answer yes, because we are connecting to the remote server for the first time.
Hopefully you now have access to the remote server shell. Now edit the sshd config file and disable login by password by uncommenting 'PasswordAuthentication no'. Keep the existing session open and confirm a key login from a second terminal after the change, so a mistake in the config does not lock you out.
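To check that the sshd_config edits above actually took effect, here is an added example (not from the original post): a small POSIX sh auditor that reads a config file the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, settings under a Match block are conditional) and reports the three options this note cares about. It assumes the directive names PasswordAuthentication, PermitRootLogin and AllowAgentForwarding; the two sample configs are constructed for the demo, not copied from any host.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an sshd_config for the
# settings discussed above. Assumes the standard directive names and that
# sshd's "first occurrence wins" rule applies to the global section.

# sshd_option FILE KEYWORD DEFAULT: effective value of KEYWORD, or DEFAULT
sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { found = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        tolower($1) == "match" { exit }                   # conditional block
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: prints findings, returns 0 only if hardened
audit_sshd_config() {
    f=$1
    rc=0
    # PasswordAuthentication defaults to yes when unset
    pa=$(sshd_option "$f" PasswordAuthentication yes)
    # PermitRootLogin's default varies by OpenSSH version; report "unset"
    prl=$(sshd_option "$f" PermitRootLogin unset)
    aaf=$(sshd_option "$f" AllowAgentForwarding yes)

    if [ "$pa" != no ]; then
        echo "FAIL: PasswordAuthentication is '$pa' (want no)"
        rc=1
    else
        echo "ok:   PasswordAuthentication no"
    fi
    if [ "$prl" = yes ]; then
        echo "FAIL: PermitRootLogin yes (disable root login)"
        rc=1
    else
        echo "ok:   PermitRootLogin $prl"
    fi
    if [ "$aaf" = yes ]; then
        echo "note: AllowAgentForwarding yes (review on multi-user hosts)"
    fi
    return $rc
}

# Constructed sample: a fresh install that still takes passwords.
weak_sample_config() {
    cat <<'EOF'
# constructed sample sshd_config (weak)
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
}

# Constructed sample: hardened as described in the note, plus a Match block
# that the auditor must not mistake for the global setting.
hardened_sample_config() {
    cat <<'EOF'
# constructed sample sshd_config (hardened)
Port 22
PasswordAuthentication no
PermitRootLogin no
AllowAgentForwarding yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo: audit both samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    weak_sample_config > "$d/weak"
    hardened_sample_config > "$d/hard"
    echo "== weak ==";  audit_sshd_config "$d/weak" || true
    echo "== hard ==";  audit_sshd_config "$d/hard" || true
    rm -rf "$d"
fi
```

On a real host, run `audit_sshd_config /etc/ssh/sshd_config` after editing and before restarting sshd; the exit status makes it usable from a deployment script.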
It is recommended to protect the keys with a passphrase, and it is straightforward to do so. In fact you are asked for a passphrase for your private key during key generation, and you can skip it if you want. If you did skip it, you can lock the key with a passphrase later using the following.
$ ssh-keygen -p
It will then prompt for the key file path, and then for the passphrase, which must be more than 5 characters.
Of course, using keys is not only useful for security reasons, but also for not being asked for a password every time you use ssh. Thanks to ssh-agent we can save ourselves a few keystrokes and, more importantly, use ssh in automated scripts without interrupting the script to prompt for a password.
$ eval `ssh-agent`
$ ssh-add /home/ibrahim/.ssh/ibrahim_rsa
$ ssh email@example.com
We first ran the ssh agent, which is actually a service. Then we use ssh-add to add the key; if you have protected the key with a passphrase, you will be asked for it when you add it. Then we ssh to the remote server with only the user name and the remote server address, without providing the key. The ssh-agent holds the unlocked key for the session, so we can use ssh to access the remote server without giving any keys or password.