Petter Holt Juliussen • Mail | Mastodon | GitHub | Letterboxd

for later reference.

SSH

2019-04-04

Public key authentication

Generate a Key Pair

An SSH key pair consists of a public key and a private key. To generate a new key pair, run the following command in a terminal on the local machine (the client):

ssh-keygen

You will be prompted for a passphrase to secure the key with. You may either enter a passphrase or leave the passphrase blank.

Note: If you leave the passphrase blank, the private key can be used for authentication without entering a passphrase. If you set one, both the private key and the passphrase are needed to log in. A passphrase-protected key is the safer choice, but both methods have their uses, and either is more secure than basic password authentication.

This generates a private key, id_rsa, and a public key, id_rsa.pub, in the .ssh directory of the local user's home directory (by default stored in /users/localuser/.ssh/id_rsa). The private key must not be shared with anyone who should not have access to your servers!

ssh-keygen - authentication key generation, management and conversion
================================================================================================
Generates, manages and converts authentication keys for ssh. ssh-keygen can create RSA keys 
for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. The 
type of key to be generated is specified with the -t option. If invoked without any arguments, 
ssh-keygen will generate an RSA key for use in SSH protocol 2 connections.

Normally each user wishing to use SSH with RSA or DSA authentication runs this once to create 
the authentication key in ~/.ssh/identity, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the 
system administrator may use this to generate host keys, as seen in /etc/rc.
------------------------------------------------------------------------------------------------
ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
------------------------------------------------------------------------------------------------

Man: ssh-keygen

Copying the Public key

After generating an SSH key pair, the public key must be copied to the remote host. If the local machine has the ssh-copy-id script installed, it can install the public key for a remote user, given that user's login credentials:

ssh-copy-id sammy@your_server_ip

The public key will be added to the remote user's .ssh/authorized_keys file. The corresponding private key can now be used to log into the server.

To manually install the key, use the following command at the terminal of the local machine to print your public key (id_rsa.pub):

cat ~/.ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf localuser@machine.local

The resulting public key must be added to the authorized_keys file in the .ssh directory of the user's home directory on the remote host. On the server, as the root user, run the following command to temporarily switch to the new user:

su - sammy

Create a new directory called .ssh and restrict its permissions with the following commands:

mkdir ~/.ssh
chmod 700 ~/.ssh

Now open a file in .ssh called authorized_keys with a text editor and insert the public key (one key per line). Then restrict the permissions of the authorized_keys file:

chmod 600 ~/.ssh/authorized_keys

Now your public key is installed, and you can use SSH keys to log in as your user.

Disabling password authentication

The next step is to disable password-only authentication, which restricts SSH access to the server to public key authentication only. After that, the only way to log in to the server (aside from the console) is to hold the private key that pairs with an installed public key.

As root or a sudo user, open the SSH daemon configuration and set the following options. The PasswordAuthentication line is commented out by default and must be uncommented:

sudo nano /etc/ssh/sshd_config

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

Reload the SSH daemon to apply the change:

sudo systemctl reload sshd

Test the new configuration before logging out of the server: open a new terminal on the local machine and log in via SSH, keeping the existing session open so the configuration can still be fixed if the key login fails.
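As an added example (not part of the original notes), the following POSIX shell functions audit a server for the setup described above: the .ssh directory and authorized_keys permissions, and whether sshd_config actually enforces key-only logins. It assumes GNU or BSD stat, whitespace-separated directives, and only inspects the global section of the config (everything before the first Match block); the file and user paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the author's own code. Local checks only.

# Print the octal permission bits of a path (GNU stat, BSD stat fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when <home>/.ssh is mode 700 and its authorized_keys is 600,
# the permissions the notes above set by hand.
check_ssh_dir() {
  dir="$1/.ssh"
  [ "$(mode_of "$dir")" = 700 ] ||
    { echo "$dir is not mode 700" >&2; return 1; }
  [ "$(mode_of "$dir/authorized_keys")" = 600 ] ||
    { echo "$dir/authorized_keys is not mode 600" >&2; return 1; }
}

# Effective value of an sshd_config keyword in the global section.
# Keywords are case-insensitive, the first occurrence wins, lines
# starting with "#" are comments, and the first Match block ends the
# global section. Prints "default" when the keyword is never set.
sshd_value() {
  awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print tolower($2); found = 1; exit }
    END { if (!found) print "default" }' "$1"
}

# Return 0 when the config matches the hardening step in the notes:
# passwords off, public keys on (sshd's default when unset),
# challenge-response off. A commented-out "PasswordAuthentication no"
# is reported as the default, i.e. still not enforced.
check_key_only() {
  cfg="$1"
  [ "$(sshd_value "$cfg" PasswordAuthentication)" = no ] ||
    { echo "PasswordAuthentication is not set to no" >&2; return 1; }
  pk=$(sshd_value "$cfg" PubkeyAuthentication)
  [ "$pk" = yes ] || [ "$pk" = default ] ||
    { echo "PubkeyAuthentication is disabled" >&2; return 1; }
  [ "$(sshd_value "$cfg" ChallengeResponseAuthentication)" = no ] ||
    { echo "ChallengeResponseAuthentication is not set to no" >&2; return 1; }
}

# Example run against constructed paths (replace with the real ones):
# check_ssh_dir /home/sammy && check_key_only /etc/ssh/sshd_config
```

These checks read the file as written; on a real host also run `sudo sshd -t` before reloading, since sshd itself rejects syntax it cannot parse.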