Secure Remote Linux Server Logins with SSH Key Authentication
You will most likely use Secure Shell (SSH) to perform remote work with Linux servers or containers. Although the name of the software includes "secure," you shouldn't assume it is locked down by default. It's certainly more secure than telnet, but you still need to do extra work to ensure your data and systems are safe.
Secure Shell is ready to use out of the box. It requires a username and a password.
You issue the command "ssh"
There is a much safer way to do it, and one that's less likely to result in server hacking. This method is SSH key authentication.
SSH key authentication uses an SSH key pair generated locally. The key pair consists of a public and a private key. The private key stays on your machine, while the public key goes to the remote server. Once the key pair is in place, every time you log in, the two sides will do a handshake and verify that the keys match. You will be granted access to the server if these keys match. You're outta luck if the keys do not match.
This is a much more secure method than the traditional username/password setup and should be used on every Linux server.
I will show you how SSH key authentication can be made a reality. Let's get started!
What You Need
You'll need two Linux machines for this demonstration -- one local and one remote. This is done through the command line, so you do not need to configure a desktop. You'll also need to know the IP address of the remote machine and its domain.
How Can I Create an SSH Key Pair?
You will need to generate your SSH key pair first. This is done locally. Log in to the machine you want to create the key pair on and use the command:
You will be asked to set a password for the key pair, and then to enter and confirm it. Use a unique, strong password.
The command above will create two files: id_rsa (the private key) and id_rsa.pub (the public key).
You Can Copy Your Key to the Remote Machine
Next, you will need to copy your public key to the remote computer. SSH includes a built-in feature that makes this process easy. Run the following command to copy the key:
The SERVER address is the domain or IP address of the remote server. The remote user's password will be requested first. The public key is saved in the ~/.ssh directory on the remote server upon successful authentication.
Then, you can test SSH key authentication by trying to log in again with the following:
The SERVER can be either the IP address or the domain of the remote server. You'll now be asked for your SSH key password and not the user password.
SSH key authentication is now working.
We can improve security further.
Configure the SSH Server to Heighten Security
Be sure to create key pairs and copy the public keys to the server from every client machine that needs access to the remote server before you proceed. If you skip this, those machines will not be able to log in (even if they use valid user accounts). The only way around this would be to manually copy/paste the contents of the SSH public key from the client machine into the ~/.ssh/authorized_keys file on the server.
We're now going to make sure that public key authentication is enabled and password authentication is disabled on the remote server.
Use the following command to edit the SSH daemon configuration (on the remote server).
sudo nano /etc/ssh/sshd_config
Look for the following line:
Replace that line with:
Then, find the following line:
Replace that line with:
Save the file and close it.
Start SSH by using the following command:
Open another terminal (on a machine from which you copied the public key to the server), and log in using SSH. You've now made sure that the only way to log in over SSH is with key authentication.
Anyone attempting to log in to your Linux server without the matching key pair is denied.
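To confirm that the edit to /etc/ssh/sshd_config really leaves key authentication as the only way in, you can audit the file. The script below is an added example, not part of the original article; the function names are hypothetical, the sample configuration is constructed, and it assumes the two settings involved are the OpenSSH keywords PasswordAuthentication and PubkeyAuthentication. It reads only the global section of the file and does not follow Include files or evaluate Match blocks.

```sh
#!/bin/sh
# Added example (not from the article): audit the global section of an
# sshd_config file. sshd keeps the FIRST value it reads for a keyword and
# treats keywords case-insensitively; "Match" blocks are not evaluated here.

# effective_value FILE KEYWORD DEFAULT -> prints the global value in effect
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/=/, " ") }                       # accept "Keyword=value"
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_sshd FILE -> exit status 0 only when key-only login is configured
audit_sshd() {
    pw=$(effective_value "$1" PasswordAuthentication yes)   # OpenSSH default: yes
    pk=$(effective_value "$1" PubkeyAuthentication yes)     # OpenSSH default: yes
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    [ "$pw" = "no" ] && [ "$pk" = "yes" ]
}

# Constructed sample: line 1 is only a comment, line 4 is a late duplicate.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
passwordauthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
EOF

if audit_sshd "$sample"; then
    echo "OK: only key authentication is accepted"
else
    echo "WEAK: password logins are still possible"
fi
rm -f "$sample"
```

On a live server, running sudo sshd -T prints the configuration as the daemon itself resolves it, which is the authoritative check once the file looks right.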