How To Set Up SSH Keys
A quick guide on using SSH Keys to secure your connections.
Blue Light Tech
SSH keys provide a more secure method of logging in to a virtual private server than using a password alone. While a password can ultimately be cracked using a brute-force attack, SSH keys are extremely difficult to break by brute force alone. Creating a key pair gives you two long strings of characters: a public key and a private key. You can place the public key on any host and unlock it by connecting as a user that already has the private key. When the two match up, the machine unlocks without the need for a password. You can raise security even further by protecting the private key with a passphrase.
- Create the RSA Key Pair
- Save Passphrase and the Keys
- Duplicate the Public Key
- Optional - Disable the Password
Create the RSA Key Pair
Step one is to create the key pair under your user account (most likely this will simply be on your own PC):
ssh-keygen -t rsa
You should get an output as shown in the image below:
Save Passphrase and the Keys
After you have entered the command, you'll get a couple more questions:
Enter file in which to save the key (/home/williams/.ssh/id_rsa):
You can press Enter here to save the file at the path shown (in this instance, my user is called williams).
Enter passphrase (empty for no passphrase):
You will see an output as the image below:
Whether to use a passphrase is your decision. Entering a passphrase has its advantages. The security of a key, no matter the encryption, still depends on it not being accessible to a third party. By adding another layer of protection with a passphrase, even if the key ends up in the wrong hands, the attacker will still need to know the passphrase to use it. However, this does then require entering the passphrase on connection, which may not suit your application requirements.
The complete key generation procedure resembles this:
Duplicate the Public Key
After the pair is created, it is time to put the public key on the virtual server that you would like to use.
You can copy the public key to the new machine's authorized_keys file with the ssh-copy-id command. Be sure to replace the example username and IP address.
Another method is to copy the keys over using the following command:
cat ~/.ssh/id_rsa.pub | ssh firstname.lastname@example.org 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
Now you can log in to email@example.com and you won't be prompted for a password. However, if you set a passphrase, you'll be asked to enter it on connection.
Optional - Disable the Password
After you have copied your SSH keys onto your host and confirmed that you can log in with them, you can restrict root login so that it is only allowed via SSH keys.
To do that, open the SSH daemon config file (sshd_config, not the client file ssh_config):
sudo nano /etc/ssh/sshd_config
Within that file, locate the line which includes PermitRootLogin (or add it if it’s not there already) and change it to ensure that users can only connect with their SSH key:
You should see this:
The ssh daemon must be reloaded to apply the changes:
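An added example, not part of the original guide: before reloading, this script reports which root login policy the edited file actually sets. The function names are hypothetical, the sample file is constructed, and the values prohibit-password and without-password are OpenSSH's own keywords for key-only root login rather than values taken from this page.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin policy in an
# sshd_config-style file. sshd keeps the first value it reads for a
# keyword, keywords are case-insensitive, and lines after a "Match"
# line apply only conditionally, so the scan stops there.
# Function names are hypothetical; Include files are not followed.

# Print the first global PermitRootLogin value in file $1, or "unset".
root_login_policy() {
    awk '
        /^[ \t]*#/ { next }                    # comment line
        NF == 0    { next }                    # blank line
        { sub(/=/, " "); key = tolower($1) }   # accept Key=value as well
        key == "match" { exit }                # conditional section begins
        key == "permitrootlogin" {
            val = tolower($2); gsub(/"/, "", val)
            print val; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when root may log in with a key but not with a password.
# prohibit-password is the OpenSSH value; without-password is its old alias.
root_is_key_only() {
    case "$(root_login_policy "$1")" in
        prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample file, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
permitrootlogin prohibit-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
echo "global PermitRootLogin: $(root_login_policy "$sample")"
if root_is_key_only "$sample"; then
    echo "root login is key-only"
else
    echo "root login is not restricted to keys by this file"
fi
rm -f "$sample"
```

On a live host, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the effective settings, including anything pulled in through Include files.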
Simple, but worked for me! Thanks guys