Secure Server Logon through the SSH Key

Secure Server Logon through the SSH Key

There are a few methods for how to log into a remote server. The most common one; however, not quite secure, is the traditional password-based one. However, a much more secure access method rests in SSH key-based authorization.

The SSH key represent an individual encrypted access mechanism featuring public and private keys. A private key must be present on the client’s side (your workstation), and a public key must be on the server you log into.

First of all, let us generate a key pair:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):

It is enough to confirm saving of your key pair in a standard location by pressing Enter.

Then enter your passphrase, i.e., your password that protects the given key against misuse. This password must always be entered when you use your key, or you may save it through the ssh-agent tool.

Now we need to transfer the public part of your key to the server:

$ scp /home/localuser/.ssh/id_rsa.pub uzivatel@server:/home/remoteuser/

Save the public key file contents among the authorized access keys:

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cat id_rsa.pub >> .ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

To complete the process, it makes sense to prevent traditional password-based logon on the server. To do that, it is necessary to update the /etc/ssh/sshd_config file. Its value

PasswordAuthentication YES

must be changed to

PasswordAuthentication NO

As a result, the server will only allow authorized SSH key-based logons. However, it is necessary to restart the SSH server now:

$ service ssh restart (Ubuntu)
$ service sshd restart (CentOS 6)
$ systemctl restart sshd (CentOS 7)

If there are multiple server administrators, these users should be defined in the file /etc/sudoers:

$ adduser uzivatel sudo (Ubuntu)
$ adduser uzivatel wheel (Centos 6/Centos 7)

While logging on through your SSH keys, always protect your private key against unauthorized access. However, even if that happens, you may protect (optional) your key already during its generation through your passphrase. As a result, the user is as secure as possible thanks to the combination of password-based private key protection and secure remote server access through this key.

Author: Jirka Dvořák

Best articles

Cooling system with freecooling technology in the server room
dedicated server Dell in our portfolio
VPS and VDS with 50% reduction on the price