Many of us still use plain password authentication to log in to remote Linux server. We login using a user name and password combination. In some cases, this is not enough to protect our system from unwanted login brute force attack. Fortunately there is another way to secure our remote login activity, using ssh key pair between local and remote server called private and public keys. I am not going to talk much about keypair, you can read it here.
Lets get started. On this tutorial I am going to show you how to log in to a remote Linux server using ssh key pairs.
Step 1 . Create SSH Keys
root@mysql-bali:~# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa):
The command above will create new keys and it ask where to save the key. You can leave it in the default location ~./ssh/. The private key will be called id_rsa and the public key will be id_rsa.pub.
You will be asked to enter passphrase. Or you can also leave it blank. In this example, I leave it blank because I want to be able to connect to remote server without having to type password.
root@mysql-bali:~# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:U/41vLZlzIUJytrt4nPhjSdu9lyPOrwxDhpeL/vAZZc root@mysql-bali The key's randomart image is: +---[RSA 2048]----+ | | | | | . . | | a . * + | | S o P E .| | + B B =.| | . B.O = *| | . +.O=B *.| | o .*B== .| +----[SHA256]-----+ root@mysql-bali:~#
Now we can check the generated keys under .ssh directory
root@mysql-bali:~# cd ~/.ssh root@mysql-bali:~/.ssh# ls authorized_keys id_rsa id_rsa.pub known_hosts
As you can see there are id_rsa, id_rsa.pub inside .ssh directory. At this point we now have private key (id_rsa) and also public key (id_rsa.pub)
Step 2. Copy public key to remote server
Now we can copy our public key to a remote server. In this case I will copy my public key to a CentOS server at 10.34.0.247.
The syntax is
root@mysql-bali:~/.ssh# ssh-copy-id firstname.lastname@example.org /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys email@example.com's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'firstname.lastname@example.org'" and check to make sure that only the key(s) you wanted were added.
OK now try to connect to the remote computer using private-public key instead of using password.
At this point we already configured a ssh key based authentication, even I can now login to my remote server without password. BUT, I still can log in using the usual way, user and password combination. This is not what I want. Hacker still can brute force attack my server because the password-based mechanism is still active. Now I will disable the password-based authentication.
Disable Password Authentication
Edit ssh_config file using text editor
sudo nano /etc/ssh/sshd_config
Find the following line and make sure you change it to “no”.
Close and save it and then restart ssh service
sudo systemctl restart sshd