Configure SSH Key-Based Authentication

606 bytes removed, 22:31, 29 October 2017
no edit summary
On your local computer, generate a SSH key pair by typing:
<pre class="code-pre "><code>ssh-keygen</code>
Generating public/private rsa key pair.
Enter file in which to save the key (/home/<span class="highlight">username</span>/.ssh/id_rsa):</pre>
The utility will prompt you to select a location for the keys that will be generated. By default, the keys will be stored in the <code>~/.ssh</code> directory within your user's home directory. The private key will be called <code>id_rsa</code> and the associated public key will be called <code>id_rsa.pub</code>.
If you had previously generated an SSH key pair, you may see a prompt that looks like this:
<pre class="code-pre ">/home/<span class="highlight">username</span>/.ssh/id_rsa already exists.
Overwrite (y/n)?
</pre>
 
If you choose to overwrite the key on disk, you will '''not''' be able to authenticate using the previous key anymore. Be very careful when selecting yes, as this is a destructive process that cannot be reversed.
<pre class="code-pre ">Created directory '/home/<span class="highlight">username</span>/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
</pre>
A passphrase is an optional addition. If you enter one, you will have to provide it every time you use this key (unless you are running SSH agent software that stores the decrypted key). We recommend using a passphrase, but if you do not want to set a passphrase, you can simply press ENTER to bypass this prompt.
<pre class="code-pre "><code>Your identification has been saved in /home/<span class="highlight">username</span>/.ssh/id_rsa.
Your public key has been saved in /home/<span class="highlight">username</span>/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:2e:2a:5e:33:3e:a9:de:4e:77:11:58:b6:90:26 <span class="highlight">username</span>@remote_host
The key's randomart image is:
+--[ RSA 2048]----+
|o=++. |
+-----------------+
</code></pre>
You now have a public and private key that you can use to authenticate. The next step is to place the public key on your server so that you can use SSH key authentication to log in.
The simplest way is the <code>ssh-copy-id</code> utility, which ships with most OpenSSH client packages. The syntax is:
<pre class="code-pre "><code>ssh-copy-id <span class="highlight">username</span>@<span class="highlight">remote_host</span></code></pre>
You may see a message like this:
<pre class="code-pre "><code>The authenticity of host '111.111.11.111 (111.111.11.111)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
</code></pre>
This just means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Compare the fingerprint shown with one obtained out of band (for example from your provider's console or from the server itself) before accepting it, since this prompt is the only point at which a substituted host would be noticed. If it matches, type "yes" and press ENTER to continue.
Next, the utility will scan your local account for the <code>id_rsa.pub</code> key that we created earlier. When it finds the key, it will prompt you for the password of the remote user's account:
<pre class="code-pre "><code>/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@111.111.11.111's password:
</code></pre>
Type in the password (your typing will not be displayed for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your <code>~/.ssh/id_rsa.pub</code> key into a file in the remote account's home <code>~/.ssh</code> directory called <code>authorized_keys</code>.
You will see output that looks like this:
<pre class="code-pre "><code>Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@111.111.11.111'"
and check to make sure that only the key(s) you wanted were added.
</code></pre>
At this point, your <code>id_rsa.pub</code> key has been uploaded to the remote account. You can continue onto the next section.
If <code>ssh-copy-id</code> is not available on your local computer, you can append the public key yourself over an ordinary SSH session. The full command will look like this:
<pre class="code-pre "><code>cat ~/.ssh/id_rsa.pub | ssh <span class="highlight">username</span>@<span class="highlight">remote_host</span> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"</code></pre>
You may see a message like this:
<pre class="code-pre "><code>The authenticity of host '111.111.11.111 (111.111.11.111)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
</code></pre>
This just means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type "yes" and press ENTER to continue.
Afterwards, you will be prompted with the password of the account you are attempting to connect to:
<pre class="code-pre "><code>username@111.111.11.111's password:</code></pre>
After entering your password, the content of your <code>id_rsa.pub</code> key will be copied to the end of the <code>authorized_keys</code> file of the remote user's account. Continue to the next section if this was successful.
Once your public key is in the remote account's <code>authorized_keys</code> file, you log in the same way you always have; the basic process is the same:
<pre class="code-pre "><code>ssh <span class="highlight">username</span>@<span class="highlight">remote_host</span></code></pre>
If this is your first time connecting to this host (if you used the last method above), you may see something like this:
<pre class="code-pre "><code>The authenticity of host '111.111.11.111 (111.111.11.111)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
</code></pre>
This just means that your local computer does not recognize the remote host. Type "yes" and then press ENTER to continue.
If successful, continue on to find out how to lock down the server.
 
==Disabling Password Authentication on your Server==
Before completing this section, make sure that SSH key-based login already works for the root account or, preferably, for an account with <code>sudo</code> access; once passwords are disabled, a working key is the only way back in. Once that is true, log into your remote server with SSH keys, either as root or with an account with <code>sudo</code> privileges. Open the SSH daemon's configuration file:
<pre class="code-pre "><code>sudo nano /etc/ssh/sshd_config</code></pre>  
Inside the file, search for a directive called <code>PasswordAuthentication</code>. This may be commented out. Uncomment the line and set the value to "no". This will disable your ability to log in through SSH using account passwords:
<pre class="code-pre "><code>PasswordAuthentication no</code></pre>  
Save and close the file when you are finished. The change only takes effect once you restart the service; keep your current session open until you have confirmed from a second terminal that key-based login still works.
On Ubuntu or Debian machines, you can issue this command:
<pre class="code-pre "><code>sudo service ssh restart</code></pre>  
On CentOS/Fedora machines, the daemon is called <code>sshd</code>:
<pre class="code-pre "><code>sudo service sshd restart</code></pre>  
After completing this step, you've successfully transitioned your SSH daemon to only respond to SSH keys.
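The two file edits this tutorial performs on the server, appending the public key to <code>authorized_keys</code> and setting <code>PasswordAuthentication no</code> in <code>sshd_config</code>, are easy to get subtly wrong (duplicate keys, permissions that make <code>sshd</code> ignore the file, a directive left commented out). The helpers below are an added example, not part of the original tutorial or of OpenSSH; they take file paths as arguments so they can be exercised on constructed sample files before being pointed at a real server.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Two helpers that make the
# server-side steps of the page safer and repeatable.

# install_pubkey <pubkey-file> <authorized_keys-path>
# Mirrors "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" but only appends
# the key if it is not already present, and sets the 700/600 permissions that
# sshd's default StrictModes requires before it will trust the file.
install_pubkey() {
    key=$(cat "$1") || return 1
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$2" && chmod 600 "$2"
    if grep -qxF -- "$key" "$2"; then
        echo "key already present"
    else
        printf '%s\n' "$key" >> "$2"
        echo "key added"
    fi
}

# disable_password_auth <sshd_config-path>
# Rewrites any existing PasswordAuthentication directive (commented or not) to
# "PasswordAuthentication no", appends one if the file has none, keeps a .bak
# copy, and prints the effective directive so the result can be checked.
disable_password_auth() {
    if grep -qE '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$1"; then
        sed -i.bak -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$1"
    else
        printf 'PasswordAuthentication no\n' >> "$1"
    fi
    grep -E '^PasswordAuthentication ' "$1"
}

# Constructed sample run in a temporary directory; no real server is touched.
tmp=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAA_CONSTRUCTED_KEY user@localhost\n' > "$tmp/id_rsa.pub"
install_pubkey "$tmp/id_rsa.pub" "$tmp/.ssh/authorized_keys"   # key added
install_pubkey "$tmp/id_rsa.pub" "$tmp/.ssh/authorized_keys"   # key already present
printf '#PasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$tmp/sshd_config"
disable_password_auth "$tmp/sshd_config"                        # PasswordAuthentication no
# On a real host, validate the config before restarting:  sudo sshd -t && sudo service ssh restart
rm -rf "$tmp"
```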
[https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys More Information]
 
[[Category:SSH]]