A little background on what SSH keys are:

SSH keys are a much more reliable and secure way to log into any of your virtual devices than a traditional username and password. Most passwords can be cracked with techniques such as a brute force attack. The beauty of SSH keys is that they are close to impossible to crack by brute force. When you generate a key pair you are presented with very long strings of characters: a public key and a private key. You can place the public key on any server you like, and then access that server by connecting from a client that holds the matching private key. If the two keys match, the system will grant you access without any need for the traditional password. To further increase your security, you can protect the private key with a passphrase.

First Step – Create your RSA Key Pair

The very first step is to create the key pair on the client machine. There is a very high chance that the client machine will be your PC:

ssh-keygen -t rsa

Second Step – Store the passphrase, public and private keys

As soon as you have entered the key generation command, you will be asked a couple more questions:

Enter file in which to save the key (/home/demo/.ssh/id_rsa):

It is safe to press Enter here, which saves the file to the user's home directory; in this example the username is demo.

Enter passphrase (empty for no passphrase):

It is entirely up to you whether you want to use a passphrase, although we strongly recommend it: no matter what level of encryption you are using, the security of a key still depends on the fact that it is not visible to anyone but yourself.

If a passphrase-protected private key falls into an unauthorized person's possession, they will be unable to log in to its related accounts until they decipher the passphrase, which gives the affected user more time to respond. The only disadvantage of a passphrase is having to type it each time you use the key pair.

The full key generation process looks like this:

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/demo/.ssh/id_rsa.
Your public key has been saved in /home/demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
| .oo. |
| . o.E |
| + . o |
| . = = . |
| = S = . |
| o + = + |
| . o + o . |
| . o |
| |
+-----------------+

The public key is now located in /home/demo/.ssh/id_rsa.pub. The private key (identification) is now located in /home/demo/.ssh/id_rsa.

Third Step – Copying the Public Key

As soon as the key pair has finished generating, it is time to place the public key onto the virtual server you want to use.

You can copy the public key into the new machine's authorized_keys file with the ssh-copy-id command.

Double check that you are using the correct username and IP address below.

ssh-copy-id user@186.1.1.1

Another option is to paste the key over SSH:

cat ~/.ssh/id_rsa.pub | ssh user@186.1.1.1 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Whichever command you choose, you should see something similar to this:

The authenticity of host '186.1.1.1' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '186.1.1.1' (RSA) to the list of known hosts.
user@186.1.1.1's password:
Now try logging into the machine, with "ssh 'user@186.1.1.1'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Now you can go ahead and log into user@186.1.1.1, and you should not be prompted for a password. However, if you set up a passphrase, you will be asked to enter it now and each time you log in afterwards.

Fourth Step (Optional) – Disable Root Login and Password

This step is completely optional. Once you have copied your SSH keys onto your server and confirmed that you can log in with your SSH keys alone, you can go ahead and restrict the root login so that it is only permitted via SSH keys.

To start off, open the SSH config file with the following command:

sudo nano /etc/ssh/sshd_config

Within that file, find the line that includes

PermitRootLogin

and change it so that root can only connect with an SSH key, not a password:

PermitRootLogin without-password

Now put the changes into play:

reload ssh
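
An added example (not part of the original article): a shell check to run against the config file before reloading, reporting which PermitRootLogin value takes effect in the global section. It relies on sshd using the first value it obtains for a keyword, does not evaluate Include files or Match blocks, and uses a constructed sample config; the function names are illustrative.

```sh
#!/bin/sh
# Added example: report the effective global value of an sshd_config keyword.
# sshd uses the first value it obtains for a keyword, and keywords are
# case-insensitive. Include files and Match blocks are NOT evaluated here.

effective_value() {   # usage: effective_value KEYWORD FILE
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                    # skip comment lines
        { sub(/[ \t]*=[ \t]*/, " ") }          # tolerate keyword=value
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

root_login_status() {  # usage: root_login_status FILE
    case "$(effective_value PermitRootLogin "$1")" in
        no)                                 echo "root-login-disabled" ;;
        without-password|prohibit-password) echo "root-key-only" ;;
        forced-commands-only)               echo "root-forced-commands-only" ;;
        yes)                                echo "root-password-allowed" ;;
        unset)                              echo "unset-build-default-applies" ;;
        *)                                  echo "unrecognized-value" ;;
    esac
}

# Constructed sample config (not taken from a real server).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin yes
permitrootlogin without-password
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
EOF

# First uncommented occurrence wins, so the later "yes" is ignored.
echo "PermitRootLogin:        $(root_login_status "$sample")"
# Only set inside a Match block here, so the global value is unset:
# PermitRootLogin alone does not turn off passwords for other accounts.
echo "PasswordAuthentication: $(effective_value PasswordAuthentication "$sample")"
```

On a server, pass /etc/ssh/sshd_config as the file argument; running sudo sshd -t before the reload checks the file for syntax errors.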