Lately, I’ve been implementing a solution to make SSH connections more secure and manageable (i.e., getting away from password authentication). Public-key authentication has a couple of benefits over the default password authentication:

  • You memorize only the passphrase of your private key rather than possibly dozens of username/password combinations for remote hosts.
  • A password sent across the network, even protected by an SSH secure channel, can be captured when it arrives on the remote host if that host has been compromised. With public-key authentication, the private key never leaves your machine.

Steps

  1. Generate the key pair.

RSA authentication will need a passphrase to encrypt the private key. It’s highly recommended to create a strong passphrase for the private key. A strong passphrase is at least 10-15 characters long and not a grammatical sentence. The following command creates a 4096-bit RSA key pair and prompts you for a passphrase:

ssh-keygen -t rsa -b 4096

  2. Identify and copy the authorized keys.

Now that you have generated a public-key file, you can place that key in a remote account on any machine running the SSH server (usually named sshd). Once you’ve set up the account properly, your private key will allow easy access to it.

To allow access to an account, create the $HOME/.ssh/authorized_keys file in that account. The file contains one key per line. Here is one example that appends the public key to the authorized_keys file of the remote host account:

cat $HOME/.ssh/id_rsa.pub | ssh user@remotehost 'mkdir -p $HOME/.ssh; cat >> $HOME/.ssh/authorized_keys'

  3. Secure the SSH directory and file.

On the remote host account, verify (or set) the permissions for the .ssh directory and the authorized_keys file:

chmod 0700 $HOME/.ssh
chmod 0600 $HOME/.ssh/authorized_keys

  4. Modify the SSHD configuration.

By default, the account password still allows access to the account. You can disable this feature in the OpenSSH sshd by modifying /etc/ssh/sshd_config (or the equivalent on your system) and adding (or modifying) this line:

PasswordAuthentication no

Also verify that the PubkeyAuthentication option in the /etc/ssh/sshd_config file is enabled:

PubkeyAuthentication yes
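
The script below is an added example, not part of the original post: it audits the permissions and the two sshd_config options set in the steps above. The function names (sshd_effective, mode_is, audit_ssh, demo) are hypothetical, and the demo runs on a constructed configuration in a temporary directory.

```shell
#!/bin/sh
# Print the effective global value of KEYWORD in an sshd_config file.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional, so parsing
# stops there. "Include" is not followed; on a live host, `sshd -T`
# prints the fully resolved configuration.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        { split($0, f, /[ \t=]+/); i = (f[1] == "" ? 2 : 1) }
        tolower(f[i]) == "match" { exit }
        tolower(f[i]) == tolower(key) { print tolower(f[i + 1]); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeed only if PATH has exactly the symbolic mode WANT (e.g. drwx------).
mode_is() {  # usage: mode_is PATH WANT
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "$2" ]
}

fail() { echo "FAIL: $1"; bad=$((bad + 1)); }

# Check one account's .ssh directory and one sshd_config file.
# Prints a line per finding and returns the number of findings.
audit_ssh() {  # usage: audit_ssh SSH_DIR SSHD_CONFIG
    bad=0
    mode_is "$1" drwx------ || fail "$1 is not mode 0700"
    mode_is "$1/authorized_keys" -rw------- || fail "authorized_keys is not mode 0600"
    [ "$(sshd_effective "$2" PasswordAuthentication yes)" = no ] ||
        fail "password logins are still enabled"
    [ "$(sshd_effective "$2" PubkeyAuthentication yes)" = yes ] ||
        fail "PubkeyAuthentication is disabled"
    return "$bad"
}

# Constructed demo: an earlier lowercase "yes" shadows the later "no",
# and authorized_keys is readable by group and others.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 0700 "$d/.ssh"; chmod 0644 "$d/.ssh/authorized_keys"
    printf '%s\n' '# constructed sample' 'passwordauthentication yes' \
        'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$d/sshd_config"
    audit_ssh "$d/.ssh" "$d/sshd_config"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "findings: $?"
```

On a real host, call audit_ssh "$HOME/.ssh" /etc/ssh/sshd_config after making the changes.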