Why is Key based SSH Secure
Why is password based authentication vulnerable?
A SSH server can authenticate clients using a variety of different methods. The most basic of these is password authentication, which is easy to use, but not the most secure.
Modern processing power combined with automated scripts make brute forcing a password-protected account very possible since passwords generally are not complex. SSH keys prove to be a reliable and secure alternative.
What are SSH Keys?
SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key.
The private key is retained by the client in his local machine and should be kept absolutely secret. Any compromise of the private key will allow the attacker to log into servers that are configured with the associated public key without additional authentication. As an additional precaution, the key can be encrypted on disk with a passphrase.
The public key is uploaded onto the remote server that you want to be able to log into with SSH. When a client attempts to authenticate using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove that it owns the private key, a shell session is spawned or the requested command is executed.
Setup SSH Keys – Linux
Follow the below given steps to set up SSH keys:
Step 1 – Create the RSA Key Pair
Open the Terminal on your PC > Enter the following command in the terminal:
ssh-keygen -t rsa
Step 2 – Save the Keys and Passphrase
The above command will follow up with some confirmation messages
Enter file in which to save the key (/home/user/.ssh/id_rsa):
You can hit Enter, which will save the keys to the user home.
Enter passphrase (empty for no passphrase):
In this step, you will be asked for a passphrase for protecting your private key. We recommend you to add a passphrase since the whole point of setting up SSH is security. You will need to enter the passphrase every time you use the key pair.
If you do not want a passphrase associated with your private key, then simply hit enter leaving the passphrase field empty.
This will complete the key generation process:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 user@a
The key's randomart image is:
+--[ RSA 2048]----+
| .oo. |
| . o.E |
| + . o |
| . = = . |
| = S = . |
| o + = + |
| . o + o . |
| . o |
| |
+-----------------+
In the above example:
The private key’s location: /home/user/.ssh/id_rsa
The public key’s location: /home/user/.ssh/id_rsa.pub
Step 3 – Copy the Public Key to your node
Now you can copy and add your public key id_rsa.pub file, to set up SSH on your node under MyAccount.
You can usually get this key by copying the results of:
cat ~/.ssh/id_rsa.pub
Paste the results generated from id_rsa.pub to the SSH section under MyAccount.
You may add multiple SSH keys & can provide a label to each SSH key for easy identification & management purpose.
Enable/Disable password-based authentication
This article will provide you with the steps to enable/disable password-based authentication while logging in to your server through SSH encryption keys. A password authentication against SSH isn’t bad but creating a long and complicated password may also encourage you to store it an unsecured manner. Using encryption keys to authenticate SSH connection is a more secure alternative.
Enable Password Authentication
Before enabling password-based authentication, make sure that you already have the password. If you want to change it before enabling password-based authentication, log in as root user and then run the following command in the terminal
passwd
You will be prompted to enter the new password. Enter your new password and finish the setup process.
After logging into your server as root user, open the sshd_config file in editing mode. You can do this by running the following command in the terminal. We will use vim editor for this article. Press I to edit the file
vim /etc/ssh/sshd_config
Look for the line PasswordAuthentication no and replace no with yes.
PasswordAuthentication yes
Press ESC key and save the changes to the file and exit the editor by typing:** wq!** and then hit Enter.
Now restart the server by running the following command.
service sshd restart
Password authentication is now enabled for SSH access to your server.
Disable Password Authentication
This step will explain you with the steps of disabling a password-based authentication while logging in to your server through SSH. Before disabling password-based authentication, please make sure that you have copied your public key into the server and your private key matches with the public key. If you lose your private key and disable password authentication then your server will become inaccessible.
From your server open the sshd_config file in editing mode. You can do this by running the following command in the terminal. We will use vim editor for this article. Press I to edit the file
vim /etc/ssh/sshd_config
Look for the line PasswordAuthentication yes and replace yes with no.
PasswordAuthentication no
Press ESC key and save the changes to the file and exit the editor by typing: wq! and then hit Enter.
Now restart the server by running the following command.
service sshd restart
Password authentication is now removed from SSH access to your server.