Site logo image
[Home Page]
[Blog]
[Contact]
[About]

[Guides]
[News]
[Reviews]
[RSS Feeds]

[IRC Server]
[Links]

Return to SSH guides

Print Page mail icon

SSH Key based authentication



  Traditionally we would use passwords for authenticating a client to an SSH server. SSH key based authentication achieves the same effect, but utilizes a cryptographically secure key pair consisting of a public key and a private key that is far more complex than any password. For on-premise devices such as desktop workstations and file servers, password based SSH authentication may be acceptable, but for public internet facing servers you should certainly use key based authentication or alternatively a site-to-site VPN (Virtual Private Network) paired with multi-factor authentication.

Some VPS providers (Virtual Private Server) such as DigitalOcean may have already walked you through this process when initially creating the virtual environment. If this was the case, then it was likely configured for the root user login which is a bad security stance if you intend to keep it around. We will address this later in the "Hardening SSH configuration"[1] guide, in the meantime let's setup our key pair.

From your host desktop / laptop computer (not to be confused with the server you will be configuring for SSH), create an RSA key pair. Save the key pair wherever you want, but don't lose it!

ssh-keygen

You will be prompted to set a passphrase; don't skip this, do it, and make it complex.

Output:
Enter passphrase (empty for no passphrase):

Once the public and private key pair are generated, you should consider storing them somewhere safe. You can locate the keypair on your filesystem in "~/.ssh/".

/home/$USER/.ssh/id_rsa
/home/$USER/.ssh/id_rsa.pub

Now let's go ahead and remote into our server. The following command assumes that you already have a running SSH service on your server. If you do not yet have a running SSH service, then use whatever means that is currently available to you for accessing your server.

ssh userid@server-ip-address

Note
I recommend that you set your servers root user password now if you haven't already. Keep this stored somewhere safe because you will be needing it later.
You can set the root user password with the passwd command as seen in the following example output.
passwd
Changing password for root.
(current) UNIX password: ************
Enter new UNIX password: ***************
Retype new UNIX password: ***************
passwd: password updated successfully

Create a user group to be reserved for SSH users and a user account to be dedicated for SSH access requests. The user account should have a home directory on the file system and will be applied to our SSH user group.

You can apply other users to the SSH group in the future if necessary. For each user that requires SSH access, you'll have to repeat this routine, beginning with generating a key pair.

Note
It is best practice to use separate SSH keys for each user. If you intend to allow other users SSH access to your system, then they should each have their own public and private key pair.

groupadd ssh_users
useradd -m sid
passwd sid
usermod -aG ssh_users sid

Switch to the new user account and create an SSH config folder in his home directory.

su sid
mkdir -p ~/.ssh

Now let's copy the contents of our public key "id_rsa.pub" from our host into an "authorized_keys" file on our server within the ~/.ssh/ directory we created. You can use a text editor such as VIM to open authorized_keys as a new file, then copy the contents of the public key from your host and paste it into the VIM editor.

vi ~/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx4w== sid@PC1

Set the following file permissions recursively on the ~/.ssh/ directory. Only the owner should be allowed to read the contents of the ~/.ssh/ directory.

chmod -R go= ~/.ssh

Exit from the user's session to switch back to our root user. We want to make our user's "~/.ssh/" directory immutable to prevent anyone from ever possibly modifying or removing it. This may seem an unpractical step, but if you have multiple users with SSH access to your server, it would be a wise precaution or else one of them could modify their authorized_keys file to allow for multiple different keys or accidentally remove their SSH configuration directory.

If your SSH users have access to the root account credentials or sudo privileges, then this may be a pointless endevour.

exit
chattr -R +i /home/sid/.ssh

Now that your SSH key is configured, you should disable password authentication for SSH.

vi /etc/ssh/sshd_config

PasswordAuthentication no

Reload the SSH daemon.

systemctl restart sshd

Keep your current console with the active SSH session open. Open a second console and verify that key based authentication is now working.

ssh user@server-ip-address

If you configured a passphrase for your key pair, then you should see the following similar output.

Enter passphrase for key '/home/user/.ssh/keys/id_rsa':


Notes

If you need to modify an immutable file, you will have to unset the chattr attribute first.

chattr -i /path/to/file


References

1. http://emhmki.org/guides/ssh/guide_ssh_config_hardening.html

[Return to top]

Last modified date: 2021-01-16

nationality icon

Copyright © 2020-2021 emhmki.org All Rights Reserved.