Using SSH Key Pairs

Generate SSH Key Pair

I have used SSH for both local and external server CLI access. I have, however, always used password SSH access.

I have recently started VPS hosting and thought it was about time I beefed up my security and used SSH key pairs. The steps below outline how to generate a key pair and use it to access remote servers without passwords.

This guide should work for Linux, Mac and Windows machines, as recent releases of Windows 10 and Windows 11 include an OpenSSH client.

Open your terminal (PowerShell or Command Prompt on Windows) and change to your user's .ssh folder. This is a hidden folder in your home directory (~/.ssh on Linux and Mac, %USERPROFILE%\.ssh on Windows); create it if it does not exist yet, and on Linux and Mac make it readable only by you (mode 700). ssh-keygen writes to this folder by default, so being in it only matters if you give the key a relative file name in the next step. Then type the following:

ssh-keygen -t ed25519 -a 256

Here the -t flag is the type of key to generate. Ed25519 has been ssh-keygen's default since OpenSSH 9.5. The -a flag is the number of key derivation function rounds used when the private key is encrypted with a passphrase: the higher the number, the slower each passphrase check, and so the better the protection against brute-force attacks on a stolen key file. The default is 16 rounds, and the setting has no effect if you leave the passphrase empty. Ed25519 keys were added in OpenSSH 6.5, but support (at the time of writing) is still not universal. If your server does not accept this key type, try ECDSA instead. ECDSA has three key sizes (256, 384 and 521 bits); 521 bits is recommended here. (RSA with a 4096-bit key remains the most widely supported fallback if ECDSA is also unavailable.) Your keygen command therefore becomes:

ssh-keygen -t ecdsa -b 521 -a 256

Your terminal will then generate the key pair. You will be prompted for a file name; if you press Enter it uses the default name for that algorithm (id_ed25519 for Ed25519), saved under ~/.ssh whatever folder you are in. You will also be prompted for a passphrase; set one, since the -a rounds above only protect a passphrase-encrypted key. If you SSH into several servers you can use one key for all of them, but a separate key per server limits what an attacker gains from a single stolen key file, and then you need a file name that identifies the server it belongs to. Keeping the algorithm in the name, as the default does, reminds you which type you generated.

I chose ‘local_server_ed25519_key’ for my file name.

You will now have two files: the private key, with no file extension, and the public key, with a .pub extension. The private key never leaves your machine; on Linux and Mac it must be readable only by you (mode 600) or ssh will refuse to use it.

Next, test your SSH connection to the server with your password, so you know the address and account are right (and have accepted the host key) before you change anything. In the same terminal window SSH into the server with

ssh <username>@<ipaddress>

In my case this would be

ssh user@192.168.0.200

Transfer public key to server

There are several ways to get the public key onto the server. You could email it to the server administrator, copy it on physical media, or transfer it with SFTP; only the .pub file is ever copied, and it contains nothing secret. Which you use depends on how your server is set up. On Linux and Mac, ssh-copy-id does the transfer and the next step (adding the key to authorized_keys) in one go.

If scp works for you, it is probably the easiest option.

scp <public_key> <user>@<ipaddress>:<remote_file_location>

Using the same server as earlier, my scp command would be

scp local_server_ed25519_key.pub user@192.168.0.200:/home/user/local_server_ed25519_key.pub

This transfers the public key to your home folder on the remote server, ready for the next step.

Add the key to the authorized keys for the user

SSH into the remote server as before.

Append the public key to the authorized_keys file in the user's .ssh folder on the remote server. If the folder or file does not exist yet, create them; sshd ignores the file unless the folder is mode 700 and the file mode 600 (StrictModes, which is on by default). Use >> (append) rather than >, which would overwrite any keys already there.

cat <public_key> >> /home/<user>/.ssh/authorized_keys

In my example I would need to enter

cat local_server_ed25519_key.pub >> /home/user/.ssh/authorized_keys
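The plain cat append above works, but it happily adds the same key twice, does nothing about the permissions sshd insists on, and glues two keys onto one line if the file has no final newline. The following shell function, an added example rather than anything from the original page, is the version I would run on the server instead; the function names and the sample key line are this example's own, and the key is constructed for the demo, not a real key.

```bash
#!/bin/sh
# Added example (not from the page): a safer replacement for
#   cat key.pub >> ~/.ssh/authorized_keys
# It validates the line, sets the permissions sshd's StrictModes requires,
# skips a key that is already present, and copes with a file that lacks a
# final newline. Function names and the sample key are this example's own.

# Accept "<type> <base64> [comment]" for the key types current OpenSSH generates.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# install_authorized_key KEYLINE [SSH_DIR]
# exit status: 0 added, 1 already present (file unchanged), 2 rejected
install_authorized_key() {
    local key_line ssh_dir auth_file key_id
    key_line=$1; ssh_dir=${2:-$HOME/.ssh}; auth_file=$ssh_dir/authorized_keys

    valid_pubkey_line "$key_line" || { echo "rejected: not a public key line" >&2; return 2; }

    # With StrictModes (the default) sshd ignores authorized_keys if the
    # directory or the file is writable by group or others.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # Compare type and blob only: the same key with a different comment is a duplicate.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_file"; then
        echo "already present: $key_id" >&2
        return 1
    fi

    # If the last line has no newline, appending would glue two keys into one.
    if [ -s "$auth_file" ] && [ -n "$(tail -c1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

demo() {
    local dir key
    dir=$(mktemp -d)
    # Constructed key line: the right shape for an Ed25519 key, but not a real key.
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLYnotARealKey0123456789abcdefghijk laptop'
    install_authorized_key "$key" "$dir/.ssh" && echo "first install: added"
    install_authorized_key "${key%laptop}desktop" "$dir/.ssh" || echo "same key, new comment: status $?"
    install_authorized_key 'ssh-ed25519 not*a*key x' "$dir/.ssh" || echo "garbage line: status $?"
    ls -ld "$dir/.ssh" "$dir/.ssh/authorized_keys"
    rm -rf "$dir"
}
demo
```

Run it on the server with the key line from the .pub file, for example `install_authorized_key "$(cat local_server_ed25519_key.pub)"`; the second argument only exists so the demo can work in a temporary directory instead of the real ~/.ssh.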

Exit your SSH session and test connecting with the key pair.

In your terminal try to connect to your remote server with

ssh -i <path_to_keyfile> <user>@<ipaddress>

As I am in my local .ssh folder my connection would be

ssh -i ~/.ssh/local_server_ed25519_key user@192.168.0.200

Great, you can now connect with your SSH key pair. However, typing the key file path every time you connect soon becomes laborious. Instead, use an SSH config file: in your .ssh folder create a file with no extension called config (it should be mode 600, like the keys), and edit it in your favourite text editor with the following information:

Host <alias>
    HostName <ip_address_or_hostname>
    User <username>
    Port <port_number>
    IdentityFile <path_to_keyfile>

Again, using my above examples, my config file would contain the following

Host localserver
    HostName 192.168.0.200
    User user
    Port 22
    IdentityFile ~/.ssh/local_server_ed25519_key

You can then SSH into your local server using the alias, localserver:

ssh localserver

Your SSH client reads the config file and uses the details in it to connect to the remote server; ssh -G localserver prints the settings it resolves for the alias without connecting, which is handy for catching typos. You can add as many Host entries to your config file as you need.

Your days of remembering IP addresses are over. The .pub file is not needed for connecting, so you can remove it from your local machine, although keeping it is harmless (it contains nothing secret) and you can regenerate it from the private key with ssh-keygen -y if you ever need it again.

Disable SSH PasswordAuthentication

BE WARNED: if you do this and lose access to your private key, you will not be able to connect to your remote server. If you have physical (or console) access to the server this is less of a problem; if you do not, be very careful about following these next steps. I take no responsibility if you follow the next steps. I would strongly suggest backing up your private key somewhere.

Log into your remote server

ssh localserver

and navigate to your ssh folder inside /etc

cd /etc/ssh

Editing sshd_config needs root, so open it with sudo and your editor. Look for the following line (it is commented out, so sshd's default of yes applies):

#PasswordAuthentication yes

and change it to

PasswordAuthentication no

Before restarting, check two things. First, that no other file overrides you: sshd uses the first value it reads for a keyword, and on most current distributions sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there (for example one written by cloud-init) can keep passwords enabled whatever the main file says. Second, that KbdInteractiveAuthentication (ChallengeResponseAuthentication in older releases) is also no, otherwise PAM can still prompt for a password over keyboard-interactive. sudo sshd -T prints the values sshd will actually use, and sudo sshd -t validates the file so a typo cannot lock you out. Then restart the SSH service (on Debian and Ubuntu the unit is called ssh if sshd is not recognised):

sudo systemctl restart sshd

Keep this session open in case something went wrong, and from a second terminal try to log back in without the key (no -i and no config alias):

ssh <user>@<ipaddress>

ssh user@192.168.0.200

and you should receive the following error rather than a password prompt. The list in brackets is the set of methods the server still offers; if it also shows keyboard-interactive, a password can still be entered through PAM, so set KbdInteractiveAuthentication to no as well. (If the login succeeds silently, the client found a default-named key or an agent key; the point is that no password prompt appears.)

user@192.168.0.200: Permission denied (publickey).
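The first-value-wins rule is the part of this step that bites in practice, so here is a small shell emulation of how sshd resolves an option, written as an added example for this page rather than taken from OpenSSH or the original post. It follows Include directives in place and in sorted order, stops at the first Match block (options inside Match are conditional), and reports whether password logins are really off. The third argument and the function names are this example's own convention: relative Include patterns resolve against that directory instead of /etc/ssh so the demo can run in a temporary tree of constructed config files.

```bash
#!/bin/sh
# Added example (not from the page or from OpenSSH): emulate how sshd picks the
# value of an option, to show which file really decides PasswordAuthentication.
# sshd keeps the FIRST value it reads for a keyword, and Include directives are
# expanded where they appear, in sorted order. Limitations: "Keyword=value"
# syntax is not handled, and resolution stops at the first Match block.

# sshd_effective_value CONFIG KEYWORD [ROOT]
# Prints the effective value, or returns 1 if the keyword is never set.
# ROOT is this example's stand-in for /etc/ssh when Include patterns are relative.
sshd_effective_value() {
    local cfg kw root line k pat f v
    cfg=$1; kw=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]'); root=${3:-/etc/ssh}
    [ -r "$cfg" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                   # drop comments
        set -f; set -- $line; set +f       # split on whitespace; -f stops glob expansion here
        [ $# -ge 1 ] || continue
        k=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # keywords are case-insensitive
        case $k in
            match) return 1 ;;             # options below Match are conditional: stop
            include)
                shift
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$root/$pat ;; esac
                    for f in $pat; do      # unquoted on purpose: expand the glob, sorted
                        [ -f "$f" ] || continue
                        if v=$(sshd_effective_value "$f" "$kw" "$root"); then
                            printf '%s\n' "$v"; return 0
                        fi
                    done
                done ;;
            "$kw")
                shift; printf '%s\n' "$*"; return 0 ;;
        esac
    done < "$cfg"
    return 1
}

# Conservative check: password logins count as off only when PasswordAuthentication
# and KbdInteractiveAuthentication are both "no" (PAM can still ask for a password
# over keyboard-interactive, and sshd's default for both keywords is yes).
# ChallengeResponseAuthentication is the old name for the latter; sshd treats the
# two names as one keyword, which checking both approximates.
password_logins_disabled() {
    local cfg root pw kbd
    cfg=$1; root=${2:-/etc/ssh}
    pw=$(sshd_effective_value "$cfg" PasswordAuthentication "$root") || pw=yes
    kbd=$(sshd_effective_value "$cfg" KbdInteractiveAuthentication "$root") \
        || kbd=$(sshd_effective_value "$cfg" ChallengeResponseAuthentication "$root") \
        || kbd=yes
    [ "$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')" = no ] \
        && [ "$(printf '%s' "$kbd" | tr '[:upper:]' '[:lower:]')" = no ]
}

demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/sshd_config.d"
    # Constructed files mimicking a cloud image: the Include sits at the top of
    # sshd_config, and the drop-in it pulls in re-enables passwords.
    printf '%s\n' 'Include sshd_config.d/*.conf' '#PasswordAuthentication yes' \
        'PasswordAuthentication no' 'KbdInteractiveAuthentication no' > "$root/sshd_config"
    printf '%s\n' 'PasswordAuthentication yes' > "$root/sshd_config.d/50-cloud-init.conf"
    echo "after editing sshd_config only:   $(sshd_effective_value "$root/sshd_config" PasswordAuthentication "$root")"
    # A drop-in that sorts after 50-cloud-init.conf changes nothing: the first value still wins.
    printf '%s\n' 'PasswordAuthentication no' > "$root/sshd_config.d/60-hardening.conf"
    echo "after adding 60-hardening.conf:   $(sshd_effective_value "$root/sshd_config" PasswordAuthentication "$root")"
    # Fix the file that is read first (or remove the setting from it).
    printf '%s\n' 'PasswordAuthentication no' > "$root/sshd_config.d/50-cloud-init.conf"
    echo "after fixing 50-cloud-init.conf:  $(sshd_effective_value "$root/sshd_config" PasswordAuthentication "$root")"
    if password_logins_disabled "$root/sshd_config" "$root"; then
        echo "password logins: disabled"
    else
        echo "password logins: still possible"
    fi
    rm -rf "$root"
}
demo
```

On a real server the authoritative answer is still sudo sshd -T, which applies every rule sshd knows; the emulation is there to make it obvious why editing the main file alone can leave the login prompt unchanged.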