How to configure SSH key authentication in Linux for more secure connections?


Secure Shell (SSH) is the standard tool for accessing remote Linux machines. SSH replaced telnet long ago, adding a much-needed layer of security to remote connections.

This does not mean that the default SSH configuration is the best option for those who are concerned about the security of their systems. By default, SSH works with traditional username and password logins. Even though these connections are far more secure than telnet, you still have to type a password and send it over the internet.

If someone intercepted this password, they could access your machines (if they also know your username).

There is a better solution: SSH key authentication. With key authentication, you replace the username and password login with a pair of keys. Why is it useful? The main reason is the extra security it adds: when configured correctly, the only way to access these servers is to hold the corresponding key pair.

Here’s how it works:

    1. You generate an SSH key pair.

    2. You upload the public key to a remote server.

    3. You configure SSH to allow only key authentication.

    4. You connect from a machine that holds the private key corresponding to the public key on the server.

Once configured correctly, remote access to the server will only be allowed if you have the correct private key. Without this key, you cannot access the server. As long as you keep this private key safe, you’re fine.

But how to configure this?

Prerequisites

To configure SSH key authentication, you will need at least two Linux machines: one you connect to and one you connect from. I will demonstrate with Pop!_OS as the test machine and Ubuntu Server as the remote machine. It should work the same on almost all Linux distributions.

You will also need a user with sudo privileges, and you must make sure you have the same username on both machines, local and remote.

Once that’s done, let’s get down to business.

How to configure SSH key authentication in Linux for more secure connections?

1. Open the terminal window

On your operating system, open a terminal window.

2. Generate your SSH key pair

In the terminal window, generate your SSH key pair using the command:

You will first be asked where you want to save the key. I suggest saving it to the default location, so just hit Enter when prompted. You will then be asked to enter and verify a password (passphrase) for the key pair. Make sure this password is unique and strong.

3. Copy your new public key to the remote server

This is where things get a little complicated. You need to send the public key to the remote server. To do this, you need to know the IP address of the server. You can get the server’s IP address by connecting to it and running the command ip a. Armed with this information, return to your test machine and send the public key to the server with the command:

Where “SERVER” is the IP address of the remote server.

You will be prompted for the user’s password on the remote server. Once you have authenticated successfully, the public key is copied and SSH key authentication is ready. When you next connect to the remote server, you will be prompted for your SSH key password instead of the user password.

How to configure remote server for SSH key authentication?

Now that you have copied your key, connect to the remote machine. What we are going to do now is configure the SSH server to only allow connections via SSH keys.

One thing to keep in mind, though, is that once this option is configured, only machines with SSH key authentication set up will be allowed to access the server. For this reason, make sure you have copied the SSH public keys of every computer you intend to connect from before you make the change.

That being said, open the SSH configuration file on the remote server with the command:

  • sudo nano /etc/ssh/sshd_config

In this file, find the line:

  • PasswordAuthentication yes

Change this line to:

  • PasswordAuthentication no

Save and close the file. Restart SSH with:

  • sudo systemctl restart sshd

Now the only way to remotely connect to this machine is to authenticate via the SSH key. Any machine that does not have a matching key pair will be denied access.
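One caveat worth checking after the edit above: sshd keeps the first value it reads for each keyword and expands Include directives where they appear, so a drop-in file pulled in near the top of sshd_config can quietly override a PasswordAuthentication no placed further down. The script below is an added example, not from the article; it assumes the Include /etc/ssh/sshd_config.d/*.conf layout of recent Debian/Ubuntu packages and builds its own constructed sample files to show the effect.

```shell
#!/bin/sh
# Added example (not from the article): work out which value sshd will really
# use for a keyword. OpenSSH keeps the FIRST value it reads for each keyword
# and expands Include directives where they appear, so a drop-in pulled in near
# the top of sshd_config silently wins over an edit made further down.
# Global section only: reading stops at the first Match line of a file.

# Print "keyword value" pairs in the order sshd reads them ($1 = config path).
sshd_flatten() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    tr -s ' \t' ' ' |
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=$(printf '%s\n' "${line%% *}" | tr 'A-Z' 'a-z')
        case $line in *' '*) val=${line#* } ;; *) val= ;; esac
        case $key in
            match)   break ;;
            include) for inc in $val; do       # unquoted on purpose: globs
                         if [ -f "$inc" ]; then sshd_flatten "$inc"; fi
                     done ;;
            *)       printf '%s %s\n' "$key" "$val" ;;
        esac
    done
}

# Print the effective value of keyword $2 in config $1. Empty output means the
# keyword is never set and sshd's compiled-in default applies, which for
# PasswordAuthentication is "yes", i.e. password logins stay enabled.
sshd_effective() {
    sshd_flatten "$1" |
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '$1 == k { print $2; exit }'
}

# Constructed sample mirroring the layout of recent Debian/Ubuntu packages: an
# Include at the top of sshd_config plus a drop-in (as a provisioning tool
# might leave behind) that re-enables passwords. $1 = scratch directory.
build_demo() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/10-drop-in.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPubkeyAuthentication yes\n' "$1" > "$1/sshd_config"
    printf 'PasswordAuthentication no  # the edit from the article\n' >> "$1/sshd_config"
}

demo=$(mktemp -d)
build_demo "$demo"
printf 'with drop-in:    %s\n' "$(sshd_effective "$demo/sshd_config" PasswordAuthentication)"  # yes
rm "$demo/sshd_config.d/10-drop-in.conf"
printf 'without drop-in: %s\n' "$(sshd_effective "$demo/sshd_config" PasswordAuthentication)"  # no
rm -r "$demo"
```

On a real server, `sudo sshd -T | grep -i passwordauthentication` prints the value the installed sshd itself resolves, which is the authoritative check.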


Source: “ZDNet.com”