Password-based SSH authentication is the most typical entry level for brute-force assaults on Linux servers. SSH key authentication replaces the password with a cryptographic key pair: a personal key that by no means leaves your native machine, and a public key that lives on the server. This information walks by means of the whole setup, from key technology to…
How SSH Key Authentication Works
While you join with key authentication, the server checks whether or not the general public key in its authorized_keys file matches the personal key in your native machine, utilizing a cryptographic problem. No password is transmitted over the community. In case your personal secret’s protected with a passphrase, you enter the passphrase regionally, and it by no means leaves your machine.
The sensible profit over passwords is twofold: key authentication just isn’t weak to brute-force assaults (there isn’t any password to guess), and it permits automation with out storing passwords in scripts or setting variables.
Stipulations
- A Linux VPS operating Ubuntu, AlmaLinux, or Debian with a root or sudo person
- SSH entry with password authentication (you’ll change to key auth by the top of this information)
- A neighborhood machine operating Linux, macOS, or Home windows with OpenSSH shopper put in (comes pre-installed on macOS and Home windows 10/11)
InMotion’s Cloud VPS plans embody Ubuntu 22.04 LTS, AlmaLinux 9, and Debian 12 with root SSH entry from provisioning. Managed VPS plans additionally help SSH entry.
Step 1: Generate the SSH Key Pair on Your Native Machine
Run the next in your native machine, not the server.
ssh-keygen -t ed25519 -C "your_identifier"The Ed25519 algorithm is the present advisable customary. When prompted for a file title, press Enter to make use of the default (~/.ssh/id_ed25519 on Linux/macOS, %USERPROFILE%.sshid_ed25519 on Home windows). Including a passphrase is strongly advisable for any key used to entry manufacturing infrastructure.
Two recordsdata are created: id_ed25519 (your personal key, by no means share this) and id_ed25519.pub (your public key, this goes on the server).
In case your server or group requires RSA keys, generate a 4096-bit RSA key as a substitute:
ssh-keygen -t rsa -b 4096 -C "your_identifier"Step 2: Copy the Public Key to the Server
Possibility A: Utilizing ssh-copy-id (Linux/macOS)
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@your-server-ipThis copies the general public key to ~/.ssh/authorized_keys on the server and units the right permissions routinely.
Possibility B: Manually (Home windows or when ssh-copy-id is unavailable)
Show your public key:
cat ~/.ssh/id_ed25519.pubCopy all the output. Then on the server:
mkdir -p ~/.sshnano ~/.ssh/authorized_keysPaste the general public key on a brand new line, save, and exit. Then set the right permissions:
chmod 700 ~/.sshchmod 600 ~/.ssh/authorized_keysPermission settings matter. If authorized_keys is world-readable, SSH will refuse to make use of it.
Step 3: Take a look at Key Authentication Earlier than Disabling Passwords
Open a brand new terminal window and join utilizing the important thing:
ssh -i ~/.ssh/id_ed25519 username@your-server-ipIf this succeeds with out prompting for a password (or after coming into your key passphrase should you set one), key authentication is working. Don’t shut your present SSH session till you affirm this. Shedding each authentication strategies concurrently locks you out of the server.
Step 4: Harden sshd_config
As soon as key authentication is confirmed working, open the SSH daemon configuration file:
sudo nano /and so on/ssh/sshd_configMake the next adjustments:
PasswordAuthentication no disables password login. Solely key-authenticated connections are permitted.
PermitRootLogin no (or prohibit-password) prevents direct root login. Use an ordinary person with sudo as a substitute.
PubkeyAuthentication sure confirms public key authentication is enabled (often already set to sure by default).
AuthorizedKeysFile .ssh/authorized_keys specifies the important thing file location (confirm this isn’t commented out).
Optionally, altering the default SSH port from 22 to a non-standard port (reminiscent of 2222 or any port above 1024) reduces the quantity of automated scanning visitors. That is safety by means of obscurity, not an alternative to correct authentication, nevertheless it considerably reduces log noise.
Save and shut the file.
Step 5: Restart the SSH Service
sudo systemctl restart sshdOn some distributions, the service title is ssh moderately than sshd:
sudo systemctl restart sshEssential: check connectivity from a brand new terminal session earlier than closing your present connection. On AlmaLinux and CentOS-based programs, SELinux might block non-standard SSH ports. For those who modified the port, enable it by means of the firewall:
sudo firewall-cmd --everlasting --add-port=2222/tcpsudo firewall-cmd --reloadOn Ubuntu utilizing UFW:
sudo ufw enable 2222/tcpsudo ufw delete enable 22/tcpStep 6: Add Your Key to SSH Agent for Comfort
For those who set a passphrase in your key (which you need to), coming into it on each connection turns into tedious. The SSH agent caches the decrypted key in reminiscence at some point of your session.
eval "$(ssh-agent -s)"ssh-add ~/.ssh/id_ed25519On macOS, add -Ok to retailer the passphrase in your keychain:
ssh-add --apple-use-keychain ~/.ssh/id_ed25519On Home windows, the OpenSSH Authentication Agent service will be configured to start out routinely by way of Companies or PowerShell.
Managing A number of Keys and Servers
A ~/.ssh/config file simplifies connecting to a number of servers with out specifying the important thing file and person on each command.
Host manufacturing-vps HostName 192.0.2.100 Person deploy IdentityFile ~/.ssh/id_ed25519 Port 2222Host staging-vps HostName 192.0.2.101 Person deploy IdentityFile ~/.ssh/id_ed25519_staging Port 22With this config in place, connecting to manufacturing is just:
ssh manufacturing-vpsAssociated: Tips on how to Setup a VPS Server covers the total VPS provisioning workflow together with preliminary SSH connection.
| InMotion’s Cloud VPS and Managed VPS plans help SSH key authentication from provisioning. Root and sudo entry on Linux, no Home windows-only dependencies. Discover plans at inmotionhosting.com/cloud-vps. |
