How to configure ssh key-based authentication on Ubuntu 16.04

Many of us still use plain password authentication to log in to remote Linux servers: we log in with a username and password combination. In some cases this is not enough to protect a system from brute-force login attacks. Fortunately there is another way to secure remote logins: an SSH key pair shared between the local and remote server, consisting of a private key and a public key. I am not going to say much about key pairs; you can read about them here.

Let's get started. In this tutorial I am going to show you how to log in to a remote Linux server using SSH key pairs.

Step 1. Create SSH Keys

ssh-keygen

Output:

root@mysql-bali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):

The command above creates a new key pair and asks where to save it. You can leave it in the default location, ~/.ssh/. The private key will be called id_rsa and the public key id_rsa.pub.

You will be asked to enter a passphrase, or you can leave it blank. In this example I leave it blank because I want to be able to connect to the remote server without typing a password. Keep in mind that a key without a passphrase can be used by anyone who obtains the id_rsa file, so it must stay readable only by its owner.

root@mysql-bali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:U/41vLZlzIUJytrt4nPhjSdu9lyPOrwxDhpeL/vAZZc root@mysql-bali
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|          . .    |
|         a . * + |
|        S o P E .|
|         + B B =.|
|        . B.O = *|
|       . +.O=B *.|
|        o .*B== .|
+----[SHA256]-----+
root@mysql-bali:~#

Now we can check the generated keys under the .ssh directory:

root@mysql-bali:~# cd ~/.ssh
root@mysql-bali:~/.ssh# ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts

As you can see, id_rsa and id_rsa.pub are inside the .ssh directory. At this point we have a private key (id_rsa) and a public key (id_rsa.pub).

Step 2. Copy public key to remote server

Now we can copy our public key to a remote server. In this case I will copy my public key to a CentOS server at 10.34.0.247.

The syntax is:

ssh-copy-id user@remotehost

Example:

root@mysql-bali:~/.ssh# ssh-copy-id root@10.34.0.247
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.34.0.247's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@10.34.0.247'"
and check to make sure that only the key(s) you wanted were added.

Now try to connect to the remote computer using the key pair instead of a password:

ssh root@10.34.0.247

At this point we have configured SSH key-based authentication, and I can log in to my remote server without a password. BUT I can still log in the usual way, with a username and password combination. This is not what I want: attackers can still brute-force my server because the password-based mechanism is still active. Now I will disable password-based authentication.

Disable Password Authentication

Edit the sshd_config file with a text editor:

sudo nano /etc/ssh/sshd_config

Find the following line (on a stock install it may be commented out with a leading #) and make sure it reads “no”:

PasswordAuthentication no

Save and close the file. Before restarting, keep your current session open and confirm from a second terminal that the key login works, so you cannot lock yourself out. Then restart the ssh service:

sudo systemctl restart sshd
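The steps above, done by hand in nano, are easy to get subtly wrong: the directive may be commented out, sshd honours only the first occurrence of a keyword, and a typo in sshd_config can leave you locked out after the restart. The script below is an added example (it is not from the original post) that makes the change idempotently, checks that a key-only login still works, validates the file with `sshd -t` and only then restarts the service. The sample config it edits at the end is constructed; the function names and the `.bak` backup path are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: safely switch sshd to
# key-only authentication. Function names and the sample config are constructed.

# Set "key value" in an sshd_config file. The first line naming the keyword is
# rewritten whether it is active or commented out (sshd uses the first active
# occurrence, so this one will win); if absent, the directive is appended.
# Keywords are case-insensitive. Match blocks are not handled.
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"
    tmp="${cfg}.tmp.$$"
    awk -v key="$key" -v val="$val" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # drop indentation and one "#"
            n = split(line, f, /[ \t]+/)
            if (!done && n >= 1 && tolower(f[1]) == tolower(key)) {
                print key " " val; done = 1; next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Report the value sshd would use for a keyword (first active line wins).
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Confirm a key-only login to "$1" (user@host) works. BatchMode=yes forbids
# interactive prompts, so a silent fallback to the password prompt fails loudly.
# Run this from a second session before disabling passwords.
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "$1" true
}

# Full procedure for a live server (run as root): back up, change the
# directive, syntax-check the result, then restart. A bad config is rolled back.
harden_sshd() {
    cfg="${1:-/etc/ssh/sshd_config}"
    bak="$cfg.bak.$$"
    cp "$cfg" "$bak"
    set_sshd_option "$cfg" PasswordAuthentication no
    if sshd -t -f "$cfg"; then
        systemctl restart sshd
    else
        echo "sshd_config failed validation; restoring $bak" >&2
        cp "$bak" "$cfg"
        return 1
    fi
}

# Demo on a constructed sample config (no root needed, nothing on the host changes).
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
# Constructed sample resembling a stock Ubuntu 16.04 sshd_config fragment
PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
set_sshd_option "$demo_cfg" PasswordAuthentication no
echo "PasswordAuthentication is now: $(get_sshd_option "$demo_cfg" PasswordAuthentication)"
rm -f "$demo_cfg"
```

On a real server you would call `verify_key_login root@10.34.0.247` from a second terminal first, then `harden_sshd /etc/ssh/sshd_config` as root. Running `set_sshd_option` twice leaves exactly one `PasswordAuthentication no` line, which is what makes the script safe to re-run from configuration management.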

 
