Introduction
SSH offers two methods of authentication: password and key pair authentication.
Password Authentication: While simple passwords are easily remembered, they are also easily compromised through brute force attacks. On the other hand, complex passwords, though safer, are challenging to remember.
Key Pair Authentication: This method involves a combination of a public key and a private key. The public key is placed on the device that one wishes to access, while the private key is stored on the user’s local machine. Only the holder of the private key can access the device, making this method secure and convenient.
Generating a Key Pair with ssh-keygen
The ssh-keygen command can be used to generate a key pair. Here is how to use it:
ssh-keygen
For a stronger key pair, use:
ssh-keygen -t rsa -b 4096 -C "$comment"
Note: When prompted, hit Enter at each prompt to accept the defaults (the default key file location and an empty passphrase).
Uploading the Public Key to the Remote Host
There are two ways to upload the public key: manually and automatically.
Automatic Upload
To automatically upload the public key, run:
ssh-copy-id user@remoteHost
Or specify the public key and port:
ssh-copy-id -i ~/.ssh/id_rsa.pub -p $port user@remoteHost
Manual Upload
To manually upload the public key, append its content to the authorized_keys file on the remote host:
ssh user@remoteHost 'mkdir -p .ssh && cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
Next, set the correct permissions on the remote host:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
After creating the authorized_keys file and pasting the public key contents into it, we can log in without a password:
ssh user@remoteHost
Managing Sessions via SSH Profiles
SSH profiles are an elegant and efficient way to manage multiple remote logins. You can define several remote hosts in the SSH client configuration file (~/.ssh/config) as shown:
cat >> ~/.ssh/config << EOF
Host HOST01
    HostName 123.123.123.33
    Port 22
    User user01
    IdentityFile "~/.ssh/id_rsa"
    IdentitiesOnly yes
Host HOST02
    HostName 10.110.254.99
    Port 2222
    User user02
    IdentityFile "~/.ssh/id_ecdsa"
    IdentitiesOnly yes
EOF
Ensure that you set the correct permissions on the SSH profiles:
chmod 600 ~/.ssh/config
After setting up the SSH profiles, you can log in by simply entering the alias name:
ssh HOST01
Disabling Password Login
For security reasons, it is recommended to disable password login:
sudo sed -i "s@.*\(PasswordAuthentication \).*@\1no@" /etc/ssh/sshd_config
sudo service sshd restart
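The sed command above edits only /etc/ssh/sshd_config, and sshd keeps the first value it reads for each keyword, so a file pulled in earlier by an Include line can leave password login enabled. The following added example (not part of the original article; the function names and sample config files are constructed for illustration) reports which PasswordAuthentication value wins:

```shell
#!/bin/sh
# Added example (not from the original page): print the PasswordAuthentication
# value sshd would use for a config file. sshd keeps the FIRST value it reads
# for a keyword, so an earlier Include'd drop-in can override the sed edit.
# Simplified: Match blocks are not evaluated (a file is read only up to its
# first Match line) and "keyword=value" syntax is not handled.

first_password_auth() {   # $1 = config file; prints first value, else returns 1
    local key value rest pat pats inc
    while read -r key value rest || [ -n "$key" ]; do
        case "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" in
            ''|'#'*) ;;
            match) return 1 ;;
            passwordauthentication) printf '%s\n' "$value"; return 0 ;;
            include)
                set -f; pats=   # no globbing while relative paths are prefixed
                for pat in $value $rest; do
                    case "$pat" in /*) ;; *) pat=/etc/ssh/$pat ;; esac
                    pats="$pats $pat"
                done
                set +f
                for inc in $pats; do   # glob expands here, in sorted order
                    [ -f "$inc" ] || continue
                    if first_password_auth "$inc"; then return 0; fi
                done ;;
        esac
    done < "$1"
    return 1
}

effective_password_auth() {   # sshd's built-in default is "yes"
    first_password_auth "$1" || echo yes
}

demo_dropin_override() {   # constructed sample files in a temp directory
    local d; d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    echo 'PasswordAuthentication yes' > "$d/sshd_config.d/50-example.conf"
    printf '%s\n' "Include $d/sshd_config.d/*.conf" \
        '#PasswordAuthentication yes' 'PasswordAuthentication no' > "$d/sshd_config"
    effective_password_auth "$d/sshd_config"   # main file says no, drop-in wins
    rm -rf "$d"
}

demo_dropin_override
```

On a live host, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd itself resolves, and `sudo sshd -t` checks the configuration for syntax errors before the restart.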
One-Key Configuration on SSH
Setting up a new remote host key login requires several steps such as key pair generation, permissions setting, public key upload, and password disabling.
However, we can upload all the public keys to GitHub (under SSH keys), and then deploy them with one command on the new remote host:
curl -fsSL https://github.com/$githubUser.keys >> ~/.ssh/authorized_keys
Also, disable the password and restart the SSH daemon:
sudo sed -i "s@.*\(PasswordAuthentication \).*@\1no@" /etc/ssh/sshd_config
sudo service sshd restart
Additionally, we can simplify the process using P3TERX’s SSH Key Installer:
bash <(curl -fsSL git.io/key.sh) -g $githubUser -d
| Option | Description |
|---|---|
| -o | Enables overwrite mode. Must be the first option to take effect. |
| -g | Retrieves the public key from GitHub. The parameter is the GitHub username. |
| -u | Retrieves the public key from a URL. The parameter is the URL. |
| -f | Obtains the public key from a local file. The parameter is the path of the local file. |
| -p | Modifies the SSH port. The parameter is the port number. |
| -d | Disables password login. |
Deploying the Public Key
Here are some ways of getting the public key:
i. Get the public key from GitHub:
bash <(curl -fsSL git.io/key.sh) -g $githubUser
ii. Get the public key from a URL:
bash <(curl -fsSL git.io/key.sh) -u https://keyaddress.com/id_rsa.pub
iii. Overwrite mode will completely replace the previous key in ~/.ssh/authorized_keys:
bash <(curl -fsSL git.io/key.sh) -o -g $githubUser
iv. Disable password login:
bash <(curl -fsSL git.io/key.sh) -d
v. Modify the SSH port:
bash <(curl -fsSL git.io/key.sh) -p 2222
Conclusion
Whether manually or automatically, managing SSH keys involves creating a secure key pair, uploading the public key to the intended device, and managing sessions using SSH profiles. For increased security, it is advisable to disable password logins. Various tools such as P3TERX’s SSH Key Installer can simplify these processes.