SSH is Key
- Sep 14
How to secure SSH with Key Authentication


SSH is a vital tool for administering open source, cloud-based systems. Whether these systems are Virtual Private Servers (VPS) running on cloud infrastructure, Linux servers running on premises, or even IoT devices, they all typically use password-based authentication by default for logins.
Relying on passwords alone, especially in production environments, poses significant security risks due to vulnerabilities from brute-force attacks and credential leaks.
This guide offers real-world best practices on how to better secure SSH with key-based authentication, a method that greatly enhances security, supports automation, and reduces the risk of compromise.
The accompanying video provides detailed explanations of the commands used.
We will be using an SSH client computer with hostname "Ubuntu22Desktop".
The username on the SSH client computer is "sosuser".
The SSH remote server will have a hostname of "openharden01".
First, make sure OpenSSH server software is installed on the SSH remote server.
$ hostname
openharden01
$ sudo apt update && sudo apt install -y openssh-server
After confirming SSH is installed on the server, go to the SSH client computer to create a new SSH key.
$ hostname
Ubuntu22Desktop
$ cd /home/sosuser
$ ssh-keygen -t ed25519 -C "Ubuntu22Desktop"
Real-world best practice:
ed25519 is the strongest form of the SSH key; -C adds an optional description that is placed inside the public key for better key management.
Rename the key to something similar to the hostname of the SSH server so that you can more easily recognize the key, and enter a passphrase to protect the private key.
Two keys are created: "openharden01_id_ed25519" is the private key and "openharden01_id_ed25519.pub" is the public key.
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/sosuser/.ssh/id_ed25519): /home/sosuser/.ssh/openharden01_id_ed25519
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sosuser/.ssh/openharden01_id_ed25519
Your public key has been saved in /home/sosuser/.ssh/openharden01_id_ed25519.pub
The key fingerprint is:
SHA256:2d7VmXKeugxTIFvLS8aiYK3b43f1DSX4T6NHKlZk49g openharden01
The key's randomart image is:
+--[ED25519 256]--+
| |
| |
| . o . |
| . o* ++..+|
| o .So.**+o*.|
| . o ..+ooE*oo|
| . . .++ =*o|
| o. . ++o.oo|
| ..oo o .+o |
+----[SHA256]-----+
$ cat .ssh/openharden01_id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRcnzlL4Ji68... Ubuntu22Desktop
Next you will need to copy the contents of the public key to the SSH server.
$ cd /home/sosuser/.ssh
$ ls -al
drwx------ 2 sosuser sosuser 4096 Jun 19 15:22 .
-rw------- 1 sosuser sosuser 464 Jun 19 15:22 openharden01_id_ed25519
-rw-r--r-- 1 sosuser sosuser 97 Jun 19 15:22 openharden01_id_ed25519.pub
$ cat openharden01_id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRcnzlL4Ji68... Ubuntu22Desktop
Copy the contents of the public key "openharden01_id_ed25519.pub" to a file or to your clipboard.
Then ssh into the SSH server using SSH Password Authentication.
$ ssh sosuser@192.168.6.199
sosuser@192.168.6.199's password:
On the SSH server, use nano to edit the file "/home/sosuser/.ssh/authorized_keys"; you may need to create the file if it does not already exist.
Add the contents of the public key by pasting the contents of the file "openharden01_id_ed25519.pub" into the file "authorized_keys".
If there are already entries in the file "authorized_keys", add the new contents to the top of the file. Verify the permissions of the .ssh directory and the file "authorized_keys".
$ hostname
openharden01
$ mkdir -p /home/sosuser/.ssh
$ nano /home/sosuser/.ssh/authorized_keys
$ chmod 700 /home/sosuser/.ssh
$ chmod 600 /home/sosuser/.ssh/authorized_keys
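A way to confirm this step before testing the login, as an added example that is not part of the original guide. The function name check_ssh_dir, its arguments and the accepted key types are assumptions; it expects GNU stat and plain entries without options, as pasted in this guide.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Usage on the server: check_ssh_dir /home/sosuser/.ssh "$(id -u sosuser)"

# check_ssh_dir DIR UID -> prints one finding per line; returns 0 if clean.
# (Variables are prefixed with _ instead of using the non-POSIX "local".)
check_ssh_dir() {
    _dir=$1; _uid=$2; _file=$_dir/authorized_keys; _bad=0
    [ -f "$_file" ] || { echo "MISSING $_file"; return 1; }

    # sshd reads the file as the login user, so owner and mode both matter.
    [ "$(stat -c '%a %u' "$_dir")" = "700 $_uid" ] ||
        { echo "FIX $_dir: want mode 700 owner uid $_uid"; _bad=1; }
    [ "$(stat -c '%a %u' "$_file")" = "600 $_uid" ] ||
        { echo "FIX $_file: want mode 600 owner uid $_uid"; _bad=1; }

    # Only the .pub file belongs here; a pasted private key is a disclosure.
    if grep -q 'PRIVATE KEY' "$_file"; then
        echo "REMOVE private key material from $_file"; _bad=1
    fi

    # Each entry must be one unbroken line "<type> <base64> [comment]".
    # An editor that hard-wraps the pasted key splits it and breaks login.
    _broken=$(awk 'NF && $1 !~ /^#/ &&
        !($1 ~ "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$" &&
          $2 ~ "^AAAA[A-Za-z0-9+/]+=*$") { n++ } END { print n + 0 }' "$_file")
    [ "$_broken" -eq 0 ] ||
        { echo "BROKEN $_broken malformed line(s) in $_file"; _bad=1; }

    return "$_bad"
}
```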
After pasting the public key contents into "authorized_keys", go back to the SSH client computer and test being able to ssh to the SSH server while specifying the key.
$ hostname
Ubuntu22Desktop
$ pwd
/home/sosuser
$ cd .ssh
$ ssh -i openharden01_id_ed25519 sosuser@192.168.6.199
sosuser@192.168.6.199's password:
Now it's time to disable Password Authentication on the SSH server and enable Public Key Authentication.
- On an SSH server running Ubuntu 24.04 you will have to edit the following two files to make sure the following values are set:
- /etc/ssh/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
- /etc/ssh/sshd_config.d/50-cloud-init.conf
PasswordAuthentication no
- After changing these two files you will have to restart the SSH service to apply the changes.
$ hostname
openharden01
$ sudo nano /etc/ssh/sshd_config
$ sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf
$ sudo systemctl restart ssh
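Because a value left in the drop-in file can still be the one sshd applies, it is worth checking the effective configuration after the restart rather than re-reading either file. The following is an added example, not part of the original guide: it audits the text printed by `sudo sshd -T`, and the function names and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the effective settings.
# Input is the text printed by `sudo sshd -T` (lower-case "keyword value").

# Print the effective value of one keyword from an `sshd -T` dump.
effective_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Print findings and return 0 only if the dump matches the guide's settings.
audit_sshd() {
    _dump=$1; _rc=0
    _v=$(effective_value pubkeyauthentication "$_dump")
    [ "$_v" = yes ] || { echo "FAIL pubkeyauthentication=${_v:-unset}"; _rc=1; }
    _v=$(effective_value passwordauthentication "$_dump")
    [ "$_v" = no ] || { echo "FAIL passwordauthentication=${_v:-unset}"; _rc=1; }
    _v=$(effective_value permitrootlogin "$_dump")
    case $_v in
        # sshd -T may print the older alias without-password.
        prohibit-password|without-password) ;;
        *) echo "FAIL permitrootlogin=${_v:-unset}"; _rc=1 ;;
    esac
    return "$_rc"
}

# Constructed sample: sshd_config was edited, but the drop-in file
# 50-cloud-init.conf still enables passwords, so the effective value is yes.
SAMPLE_DROPIN_LEFT='pubkeyauthentication yes
passwordauthentication yes
permitrootlogin without-password'

# Constructed sample: both files edited as in the guide.
SAMPLE_HARDENED='pubkeyauthentication yes
passwordauthentication no
permitrootlogin without-password'

# On the server itself: audit_sshd "$(sudo sshd -T)" && echo "settings OK"
```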
Finally, test that SSH Password Authentication is disabled and that you can successfully ssh by specifying an SSH key.
- On the SSH client, attempt to ssh to the SSH server using SSH Password Authentication. This should fail with the error "Permission denied (publickey)". After this fails, attempt to ssh by specifying the SSH private key, and enter the passphrase.
- Note that the passphrase is not a password being used to log into SSH; it is a password assigned to the private key that is needed whenever the key is used. If you share the private key, the receiver must enter the passphrase to use the key.
$ hostname
Ubuntu22Desktop
$ ssh sosuser@192.168.6.199
sosuser@192.168.6.199: Permission denied (publickey)
$ ssh -i openharden01_id_ed25519 sosuser@192.168.6.199
Enter passphrase for key 'openharden01_id_ed25519':
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-60-generic x86_64)
sosuser@sosharden01:~$
Conclusion & Important Extras
Enabling SSH key authentication with a passphrase adds an extra layer of security by introducing two factors: something the user knows (the passphrase) and something they have (the private key). When automation is needed, the passphrase can be omitted while still maintaining strong security and resistance to brute-force attacks.
How to remove or change a passphrase associated with a private SSH key.
$ hostname
Ubuntu22Desktop
$ ssh-keygen -p -f /home/sosuser/.ssh/openharden01_id_ed25519
Enter old passphrase:
Key has comment 'Ubuntu22Desktop'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again: (leave empty again for no passphrase)
How to create a config file in .ssh so that you don't have to specify a key each time you use SSH key authentication.
$ hostname
Ubuntu22Desktop
$ nano /home/sosuser/.ssh/config
Host 192.168.6.199
User sosuser
IdentityFile /home/sosuser/.ssh/openharden01_id_ed25519
