Secure your SSH server with Public/Private key authentification

2 minute read

Open SSH is the most widely used SSH server on Linux. Using SSH, one can connect to a remote host and gain a shell access on it in a secure manner as all traffic is encrypted.

A neat feature of open SSH is to authenticate a user using a public/private key pair to log into the remote host. By doing so, you won’t be prompted for the remote user’s password.

This tutorial will describe how to create a SSH public/private key pair, how to enable key based authentication and finally how to disable password authentication.

Even though SSH is secured, there is tons of brute force attacks against SSH server which will attempt to gain access to your machine.

By using key based authentication and by disabling the standard user/password authentication, you will reduce the risk of having someone gaining access to your machine.

This tutorial suppose that you already have your remote machine running a SSH server. If not, make sure your remote host has openssh server.

On Debian Stable, you need to install:

apt-get install ssh

which will result in having both SSH server and SSH client installed.

On Ubuntu and Debian Unstable the client and server packages are separate. Therefore, you will at least need:

sudo apt-get install openssh-server

On the server and:

sudo apt-get install openssh-client

On the machines connecting to the server (i.e the clients)

Now let’s generate the key pairs.

1. Generating a SSH key public/private key pair

Before we can even authenticate to the remote machine using key based authentication, we need to create a public/private key pair. To do so, simply trigger:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX user@host

Mind that if you leave the passphrase empty, anybody getting you private key (/home/user/.ssh/id_rsa) will be able to connect to your remote host.

I would recommend that you enter a passphrase, this passphrase will be use to “unlock” the key, mind that this passphrase is not related to the remote user password.

You can define another filename to save your keys to. This become handy when you have a different set of key pairs to different hosts

By now, you should have id_rsa and id_rsa.pub in ~/.ssh directory.

id_rsa is the so called private key. id_rsa.pub is the public key, the one you are going to upload on your server in order to be able to gain access to the remote machine using key authetication.

Do not share your private key, this key has to be your own, nobody but you will need to use it. The need of a passphrase will save you a lot of trouble in case you lost it.

Now that we have our public/private key pair ready, we need to upload it to the remote machine and enable access with it.