################################# How To Set up SSH Keys on a Linux ################################# ****************** What are SSH Keys? ****************** SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key. The private key is retained by the client in his local machine and should be kept absolutely secret. Any compromise of the private key will allow the attacker to log into servers that are configured with the associated public key without additional authentication. As an additional precaution, the key can be encrypted on disk with a passphrase. The public key is uploaded onto the remote server that you want to be able to log into with SSH. When a client attempts to authenticate using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove that it owns the private key, a shell session is spawned or the requested command is executed. ******************** Create SSH Keys Pair ******************** The first step involves creating a set of RSA keys for use in authentication. This should be done on the client side. To create your public and private SSH keys on the command-line: :: # mkdir ~/.ssh # chmod 700 ~/.ssh # ssh-keygen -t rsa .. Note :: This command will overwrite an existing RSA key pair, potentially locking you out of other systems. If you’ve already created a key pair, skip this step. To check for existing keys, run **ls ~/.ssh/id_rsa*** . *************************************** Copy Your SSH Public Key to Your Server *************************************** If your are using Linux or Mac, you can use below-mentioned command to copy and install your ssh-key on the Server :: # cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" ***************************************** Copy and install Your Public Key Manually ***************************************** You can also manually add an SSH key to a server: Begin by copying the contents of your public SSH key on your local computer. You can use the following command to output the contents of the file: :: # cat ~/.ssh/id_rsa.pub .. Note :: that the public key begins with ssh-rsa and ends with your_username@hostname. Once you have copied that **id_rsa.pub** text, first login your Server via SSH/Putty and Create the **~/.ssh** directory and **authorized_keys** file if they don’t already exist: :: # mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys Give the **~/.ssh** directory and **authorized_keys** files appropriate file permissions: :: # chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys After that your have to edit or open **~/.ssh/authorized_keys** file with the help of vi/vim/nano editor and paste paste the contents of your public key that you copied in this file and save it. `Verify that you can log in `_ through your private key. ################################################ Why is password based authentication vulnerable? ################################################ A SSH server can authenticate clients using a variety of different methods. The most basic of these is password authentication, which is easy to use, but not the most secure. Modern processing power combined with automated scripts make brute forcing a password-protected account very possible since passwords generally are not complex. SSH keys prove to be a reliable and secure alternative. ******************************************** Enable/Disable password-based authentication ******************************************** This article will provide you with the steps to enable/disable password-based authentication while logging in to your server through SSH encryption keys. A password authentication against SSH isn’t bad but creating a long and complicated password may also encourage you to store it an unsecured manner. Using encryption keys to authenticate SSH connection is a more secure alternative. ******************************* Disable Password authentication ******************************* This step will explain you with the steps of disabling a password-based authentication while logging in to your server through SSH. Before disabling password-based authentication, please make sure that you have copied your public key into the server and your private key matches with the public key. If you lose your private key and disable password authentication then your server will become inaccessible. From your server open the sshd_config file in editing mode. You can do this by running the following command in the terminal. We will use vim editor for this article. Press I to edit the file :: # vim /etc/ssh/sshd_config Look for the line **PasswordAuthentication** yes and replace yes with no. :: PasswordAuthentication no Press **ESC** key and save the changes to the file and exit the editor by typing: wq! and then hit Enter. Now restart the server by running the following command. :: # service sshd restart Password authentication is now removed from SSH access to your server. ****************************** Enable Password Authentication ****************************** Before enabling password-based authentication, make sure that you already have the password. If you want to change it before enabling password-based authentication, log in as root user and then run the following command in the terminal :: passwd You will be prompted to enter the new password. Enter your new password and finish the setup process. After logging into your server as root user, open the **sshd_config** file in editing mode. You can do this by running the following command in the terminal. We will use vim editor for this article. Press I to edit the file :: # vim /etc/ssh/sshd_config Look for the line **PasswordAuthentication** no and replace no with yes. :: PasswordAuthentication yes Press **ESC** key and save the changes to the file and exit the editor by typing: **wq!** and then hit Enter. Now restart the server by running the following command. :: # service sshd restart Password authentication is now enabled for SSH access to your server. ***************************** Changing the Default SSH Port ***************************** Open the SSH configuration file sshd_config with the favorite text editor: :: /etc/ssh/sshd_config Search for the entry **Port 22**. Replace port 22 with a port between **1024** and **65536**. .. note:: Make sure that the selected port is not used for other services. You can do this by using the following port list provided by the Internet Assigned Numbers Authority (IANA): https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml Alternatively, you can view the list of ports in the **/etc/services** file. Save the file and Restart the service. **Ubuntu** :: service ssh restart **CentOS 7** :: systemctl restart sshd .. important:: **Please open the needed port in** `iptables `_ **and check if its listening over** `telnet `_. To establish an SSH connection after this change, enter the following command: :: ssh root@IP_of_the_server -p NewPort