Password-based SSH authentication is the most common entry point for brute-force attacks on Linux servers. SSH key authentication replaces the password with a cryptographic key pair: a private key that never leaves your local machine, and a public key that lives on the server. This guide walks through the complete setup, from key generation to…
How SSH Key Authentication Works
When you connect with key authentication, the server checks whether the public key in its authorized_keys file matches the private key on your local machine, using a cryptographic challenge. No password is transmitted over the network. If your private key is protected with a passphrase, you enter the passphrase locally, and it never leaves your machine.
The practical benefit over passwords is twofold: key authentication is not vulnerable to brute-force attacks (there is no password to guess), and it enables automation without storing passwords in scripts or environment variables.
Prerequisites
- A Linux VPS running Ubuntu, AlmaLinux, or Debian with a root or sudo user
- SSH access with password authentication (you'll switch to key auth by the end of this guide)
- A local machine running Linux, macOS, or Windows with the OpenSSH client installed (it comes pre-installed on macOS and Windows 10/11)
InMotion's Cloud VPS plans include Ubuntu 22.04 LTS, AlmaLinux 9, and Debian 12 with root SSH access from provisioning. Managed VPS plans also support SSH access.
Step 1: Generate the SSH Key Pair on Your Local Machine
Run the following on your local machine, not the server.
ssh-keygen -t ed25519 -C "your_identifier"
The Ed25519 algorithm is the current recommended standard. When prompted for a file name, press Enter to use the default (~/.ssh/id_ed25519 on Linux/macOS, %USERPROFILE%\.ssh\id_ed25519 on Windows). Adding a passphrase is strongly recommended for any key used to access production infrastructure.
Two files are created: id_ed25519 (your private key, never share this) and id_ed25519.pub (your public key, this goes on the server).
If your server or organization requires RSA keys, generate a 4096-bit RSA key instead:
ssh-keygen -t rsa -b 4096 -C "your_identifier"
Step 2: Copy the Public Key to the Server
Option A: Using ssh-copy-id (Linux/macOS)
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@your-server-ip
This copies the public key to ~/.ssh/authorized_keys on the server and sets the correct permissions automatically.
Option B: Manually (Windows or when ssh-copy-id is unavailable)
Display your public key:
cat ~/.ssh/id_ed25519.pub
Copy the entire output. Then on the server:
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
Paste the public key on a new line, save, and exit. Then set the correct permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Permission settings matter. If authorized_keys is world-readable, SSH will refuse to use it.
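As an added example (not part of the original guide), the following POSIX shell functions verify that a key directory and its authorized_keys carry exactly the 700/600 modes set above, report an empty key file, and apply the modes on request; the default directory path and the use of GNU stat -c are assumptions.

```shell
# Added example, not from the original guide. Verifies the modes this guide
# sets (700 on ~/.ssh, 600 on authorized_keys). Assumes GNU coreutils stat.
# Usage: check_ssh_perms [DIR]   -> exit 0 if correct, 1 otherwise
#        fix_ssh_perms   [DIR]   -> apply the modes, then re-check
check_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    keys="$dir/authorized_keys"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    # %a prints the octal mode, e.g. 700; keep only the last three digits
    # so setuid/sticky bits do not confuse the comparison.
    dmode=$(stat -c '%a' "$dir" | sed 's/.*\(...\)$/\1/')
    if [ "$dmode" != "700" ]; then
        echo "$dir is mode $dmode, expected 700"
        rc=1
    fi
    if [ ! -f "$keys" ]; then
        echo "missing file: $keys (no public keys installed yet)"
        return 1
    fi
    kmode=$(stat -c '%a' "$keys" | sed 's/.*\(...\)$/\1/')
    if [ "$kmode" != "600" ]; then
        echo "$keys is mode $kmode, expected 600"
        rc=1
    fi
    # An empty or comment-only file means key auth will silently fall
    # through to whatever other methods sshd still allows.
    if ! grep -q '^[^#]' "$keys"; then
        echo "$keys contains no keys"
        rc=1
    fi
    return $rc
}

fix_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    chmod 700 "$dir" && chmod 600 "$dir/authorized_keys" && check_ssh_perms "$dir"
}
```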
Step 3: Test Key Authentication Before Disabling Passwords
Open a new terminal window and connect using the key:
ssh -i ~/.ssh/id_ed25519 username@your-server-ip
If this succeeds without prompting for a password (or after entering your key passphrase if you set one), key authentication is working. Don't close your existing SSH session until you confirm this. Losing both authentication methods simultaneously locks you out of the server.
Step 4: Harden sshd_config
Once key authentication is confirmed working, open the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Make the following changes:
PasswordAuthentication no disables password login. Only key-authenticated connections are permitted.
PermitRootLogin no (or prohibit-password) prevents direct root login. Use a normal user with sudo instead.
PubkeyAuthentication yes confirms public key authentication is enabled (usually already set to yes by default).
AuthorizedKeysFile .ssh/authorized_keys specifies the key file location (verify this isn't commented out).
Optionally, changing the default SSH port from 22 to a non-standard port (such as 2222 or any port above 1024) reduces the volume of automated scanning traffic. This is security by obscurity, not a substitute for proper authentication, but it significantly reduces log noise.
Save and close the file.
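As an added example (not part of the original guide), this shell audit reads an sshd_config the way sshd does (first uncommented value wins, Match blocks are conditional) and reports which of the four settings above are still weak; the function names, the constructed sample file, and the assumption that only the "Keyword value" form is used are mine, not the project's.

```shell
# Added example, not from the original guide. Reads the global value sshd
# would take for a keyword: the FIRST uncommented occurrence wins, and
# settings inside a Match block are conditional, so parsing stops there.
# Handles the "Keyword value" form; Include directives are not followed.
sshd_effective() {   # usage: sshd_effective FILE Keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { print tolower($2); exit }
    ' "$1"
}

# Compare the effective values against the settings Step 4 asks for.
# Returns 0 when the file is hardened, 1 (with reasons) when it is not.
audit_sshd_config() {
    f="${1:-/etc/ssh/sshd_config}"
    rc=0
    v=$(sshd_effective "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication: '${v:-unset, default yes}' (want no)"; rc=1
    fi
    v=$(sshd_effective "$f" PermitRootLogin)
    case "$v" in
        no|prohibit-password) ;;
        *) echo "PermitRootLogin: '${v:-unset}' (want no or prohibit-password)"; rc=1 ;;
    esac
    v=$(sshd_effective "$f" PubkeyAuthentication)
    if [ "${v:-yes}" != "yes" ]; then      # compiled-in default is yes
        echo "PubkeyAuthentication: '$v' (want yes)"; rc=1
    fi
    v=$(sshd_effective "$f" AuthorizedKeysFile)
    if [ -z "$v" ]; then
        echo "AuthorizedKeysFile: commented out or unset (guide expects .ssh/authorized_keys)"; rc=1
    fi
    return $rc
}

# Constructed sample of a not-yet-hardened file (not from any real server).
# The commented PasswordAuthentication leaves the default; the one under Match only covers deploy.
weak_sshd_config() {
    cat <<'EOF'
#PasswordAuthentication no
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Match User deploy
    PasswordAuthentication no
EOF
}
```

Because sshd takes the first value it sees and Ubuntu's stock sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, a drop-in there can override what you edit further down; sudo sshd -T | grep -i passwordauthentication prints the value the daemon will actually use.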
Step 5: Restart the SSH Service
sudo systemctl restart sshd
On some distributions, the service name is ssh rather than sshd:
sudo systemctl restart ssh
Important: test connectivity from a new terminal session before closing your existing connection. On AlmaLinux and CentOS-based systems, SELinux may block non-standard SSH ports. If you changed the port, allow it through the firewall:
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
On Ubuntu using UFW:
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
Step 6: Add Your Key to the SSH Agent for Convenience
If you set a passphrase on your key (which you should), entering it on every connection becomes tedious. The SSH agent caches the decrypted key in memory for the duration of your session.
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
On macOS, add --apple-use-keychain (the replacement for the older -K flag) to store the passphrase in your keychain:
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
On Windows, the OpenSSH Authentication Agent service can be configured to start automatically via Services or PowerShell.
Managing Multiple Keys and Servers
A ~/.ssh/config file simplifies connecting to multiple servers without specifying the key file and user on every command.
Host production-vps
    HostName 192.0.2.100
    User deploy
    IdentityFile ~/.ssh/id_ed25519
    Port 2222

Host staging-vps
    HostName 192.0.2.101
    User deploy
    IdentityFile ~/.ssh/id_ed25519_staging
    Port 22
With this config in place, connecting to production is simply:
ssh production-vps
Related: How to Set Up a VPS Server covers the full VPS provisioning workflow including the initial SSH connection.
InMotion's Cloud VPS and Managed VPS plans support SSH key authentication from provisioning. Root and sudo access on Linux, no Windows-only dependencies. Find plans at inmotionhosting.com/cloud-vps.