
To disable password authentication, we need to connect as root on the remote machine. Once connected, edit /etc/ssh/sshd_config and make sure you have the following settings:
....
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
...
and reload the SSH configuration:
# /etc/init.d/ssh reload
Now, open a new shell and connect to the remote host using your private key:
user@host:~$ ssh remoteuser@remotehost
remoteuser@remotehost:~$
and check that you can't connect without a key anymore:
$ cd ~/.ssh
$ mv id_rsa id_rsa.bck
$ ssh remoteuser@remotehost
Permission denied (publickey).
$ mv id_rsa.bck id_rsa
If you are rejected with "Permission denied (publickey)." then all is good: the server no longer accepts passwords, so it is protected against brute-force password attacks.
By authenticating with a public/private key pair and disabling password authentication, you considerably reduce the chance that an attacker gains access to your remote machine.
It is wise to set a passphrase when creating your key pair. That way, even if somebody gets a copy of your private key, you reduce the risk of them gaining access to your remote machine.
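A check for the three settings above, as an added example that is not part of the original article. sshd uses the first value it finds for a keyword, so a "PasswordAuthentication no" appended below an earlier "yes" changes nothing; the function names and sample files here are hypothetical, and Match blocks and Include files are not followed.

```shell
#!/bin/sh
# Added example, not from the original article. Reads only the global section
# of an sshd_config-style file; Include files and Match blocks are not followed.

# effective_value FILE KEYWORD: print the first value set for KEYWORD
# (sshd keeps the first occurrence of a keyword), lower-cased, or "unset".
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ { next }                  # comment line
        { sub(/=/, " ") }                    # allow "Keyword=value"
        tolower($1) == "match" { exit }      # conditional section starts here
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# check_password_auth_disabled FILE: return 0 only if all three settings
# from the article are explicitly "no"; print each one that is not.
check_password_auth_disabled() {
    rc=0
    for kw in ChallengeResponseAuthentication PasswordAuthentication UsePAM; do
        v=$(effective_value "$1" "$kw")
        if [ "$v" != "no" ]; then
            echo "FAIL: $kw is '$v', expected 'no'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (not real server configs).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '# hardened' 'ChallengeResponseAuthentication no' \
    'PasswordAuthentication no' 'UsePAM no' > "$SAMPLE_DIR/hardened"
# "no" was appended at the end, but an earlier "yes" still takes effect.
printf '%s\n' 'PasswordAuthentication yes' 'ChallengeResponseAuthentication no' \
    'UsePAM=no' 'PasswordAuthentication no' > "$SAMPLE_DIR/shadowed"

for f in hardened shadowed; do
    if check_password_auth_disabled "$SAMPLE_DIR/$f"; then
        echo "$f: password authentication disabled"
    else
        echo "$f: password authentication still possible"
    fi
done
```

On a live server, `sshd -T` (run as root) prints the effective configuration the daemon will use, which is the authoritative check.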








Excellent Article ! Bad Openssh error message !
Thx for the really good article.
It's finally pretty easy to set up a secure SSH system.
Well after setting it up without problem on one computer I still lost like 2h with another one...
Kept getting "Permission denied (publickey)" although I need everything correctly ! Openssl apparently also throws this error message when the permissions on certain files are not good enough for it.
So if you have the same problem here is what I need (thx to ubuntuforum)
chmod go-w ~/
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
Hope it can help some linux newbies that messed up their permissions ! (like me lol)
ssh-agent
If you want to log in without a password, but you do want to protect your keys with a passphrase, please check out ssh-agent:
If you put ssh-add in some startup script each morning, ssh-agent will remember your passphrase for the rest of the day. I reckon this is the best combination of security and usability.