SSH Key based authentication



  Traditionally you would use passwords for authenticating a client to an SSH server. SSH key based authentication achieves the same effect, but utilizes a cryptographically secure key pair consisting of a public key and a private key that is far more complex than any password. For on-premise devices such as desktop workstations and file servers, password based SSH authentication may be acceptable, but for public internet facing servers you should certainly use key based authentication or alternatively a site-to-site VPN (Virtual Private Network) paired with multi-factor authentication.

Some VPS (Virtual Private Server) providers such as DigitalOcean may have already walked you through this process when initially creating the virtual environment. If this was the case, then it was likely configured for the root user login, which is a bad security stance if you intend to keep it around. This will be addressed later in the "Hardening SSH configuration"[1] guide; in the meantime, go ahead and set up a key pair.

From your host desktop / laptop computer (not to be confused with the server you will be configuring for SSH), create an RSA key pair. Save the key pair wherever you want, but don't lose it!

ssh-keygen

You will be prompted to set a passphrase; don't skip this, do it, and make it complex.

Output:
Enter passphrase (empty for no passphrase):

Once the public and private key pair is generated, you should consider storing it somewhere safe. You can locate the key pair on your filesystem in "~/.ssh/".

/home/$USER/.ssh/id_rsa
/home/$USER/.ssh/id_rsa.pub

Now go ahead and remote into your server. The following command assumes that you already have a running SSH service on your server. If you do not yet have a running SSH service, then use whatever means are currently available to access your server.

ssh userid@server-ip-address

Note
You should set your server's root user password now if you haven't already. Keep this stored somewhere safe because you will be needing it later.
You can set the root user password with the passwd command as seen in the following example output.
passwd
Changing password for root.
(current) UNIX password: ************
Enter new UNIX password: ***************
Retype new UNIX password: ***************
passwd: password updated successfully

Create a user group to be reserved for SSH users and a user account to be dedicated for SSH access requests. The user account should have a home directory on the file system and will be added to the SSH user group.

You can apply other users to the SSH group in the future if necessary. For each user that requires SSH access, you'll have to repeat this routine, beginning with generating a key pair.

Note
It is best practice to use separate SSH keys for each user. If you intend to allow other users SSH access to your system, then they should each have their own public and private key pair.

groupadd ssh_users
useradd -m sid
passwd sid
usermod -aG ssh_users sid

Switch to the new user account and create an SSH config folder in the new user's home directory.

su sid
mkdir -p ~/.ssh

Now copy the contents of the public key "id_rsa.pub" from your host into an "authorized_keys" file on the server within the ~/.ssh/ directory you created. You can use a text editor such as VIM to open authorized_keys as a new file, then copy the contents of the public key from your host and paste it into the VIM editor.

vi ~/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx4w== sid@PC1

Set the following file permissions recursively on the ~/.ssh/ directory. Only the owner should be allowed to read the contents of the ~/.ssh/ directory.

chmod -R go= ~/.ssh

Exit from the user's session to switch back to the root user. You'll want to make the user's "~/.ssh/" directory immutable to prevent anyone from ever possibly modifying or removing it. This may seem an impractical step, but if you have multiple users with SSH access to your server, it would be a wise precaution; otherwise one of them could modify their authorized_keys file to allow multiple different keys or accidentally remove their SSH configuration directory.

If your SSH users have access to the root account credentials or sudo privileges, then this may be a pointless endeavour.

exit
chattr -R +i /home/sid/.ssh
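The root-side steps above (group, account, ~/.ssh, authorized_keys, permissions, chattr) as one idempotent POSIX sh script. This is an added example, not code from the emhmki.org guide: the group ssh_users and the user sid are the guide's names, the function names install_authorized_key, perms_ok and provision_ssh_user are mine, and SAMPLE_KEY is a constructed placeholder with the right shape, not a real key. The account password is left for the operator to set with passwd as the guide does.

```shell
#!/bin/sh
# Added example (not from the emhmki.org guide): the root-side steps for an
# SSH-only user as one idempotent script. Group ssh_users and user sid are the
# guide's names; the function names are mine; SAMPLE_KEY is a constructed
# placeholder with the right shape, not a real public key.
set -eu

# Accept only lines shaped like an OpenSSH public key: a known key type, a
# base64 blob and an optional comment. Anything else is refused rather than
# written into authorized_keys.
valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# install_authorized_key <home_dir> <pubkey_line>
# Creates <home_dir>/.ssh (mode 700) and authorized_keys (mode 600), the same
# result as the guide's "chmod -R go= ~/.ssh", and appends the key unless that
# exact line is already present, so re-running never duplicates it.
install_authorized_key() {
    home="$1"; key="$2"
    valid_pubkey "$key" || { echo "rejected: not an OpenSSH public key line" >&2; return 1; }
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"
    # -F -x: fixed string, whole-line match
    if ! grep -Fxq -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# perms_ok <home_dir>: true only if .ssh is exactly 700 and authorized_keys is
# exactly 600. sshd's StrictModes (on by default) refuses the key file when the
# directory or file is writable by group or others.
perms_ok() {
    [ -n "$(find "$1/.ssh" -prune -type d -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -type f -perm 600)" ]
}

# provision_ssh_user <user> <pubkey_line>: group, account, key, ownership and
# the guide's immutable .ssh directory. Must run as root. The account password
# is left to the operator (the guide sets it interactively with passwd).
provision_ssh_user() {
    user="$1"; key="$2"
    getent group ssh_users >/dev/null || groupadd ssh_users
    id "$user" >/dev/null 2>&1 || useradd -m "$user"
    usermod -aG ssh_users "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    # chattr +i from an earlier run would make the write below fail
    if [ -d "$home/.ssh" ]; then chattr -R -i "$home/.ssh"; fi
    install_authorized_key "$home" "$key"
    chown -R "$user:$user" "$home/.ssh"
    perms_ok "$home"
    chattr -R +i "$home/.ssh"
}

# Constructed sample: valid shape, meaningless key material.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyEXAMPLEkeyEXAMPLEkeyEXAMPLEkeyEXAMPLEke sid@PC1'

# Only touches the system when explicitly asked: PROVISION=1 ./script.sh
if [ "${PROVISION:-0}" = "1" ]; then
    provision_ssh_user sid "$SAMPLE_KEY"
fi
```

Run it as root with PROVISION=1 to apply; without that variable the file only defines the functions, so it can be sourced and install_authorized_key called against any home directory. Because provision_ssh_user lifts and re-applies the immutable attribute, it can be re-run to add a second key for the same user, which the chattr +i step otherwise blocks.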

Now that your SSH key is configured, you should disable password authentication for SSH.

vi /etc/ssh/sshd_config

PasswordAuthentication no

Reload the SSH daemon.

systemctl restart sshd

Keep your current console with the active SSH session open. Open a second console and verify that key based authentication is now working.

ssh user@server-ip-address

If you configured a passphrase for your key pair, then you should see output similar to the following.

Enter passphrase for key '/home/user/.ssh/keys/id_rsa':
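The sshd_config change and its verification, as an added example that is not part of the original guide. The function names set_sshd_option, get_sshd_option and apply_sshd_config are mine; sshd -t, sshd -T and systemctl restart sshd are the real OpenSSH and systemd commands. The detail worth knowing: sshd uses the first value it reads for a directive, so a "PasswordAuthentication no" appended at the bottom of a file that still has "PasswordAuthentication yes" higher up changes nothing. The script therefore places the directive at the top and drops earlier top-level copies, leaving any Match block alone.

```shell
#!/bin/sh
# Added example (not from the emhmki.org guide): set a directive in
# sshd_config idempotently, validate, restart and confirm. Function names are
# mine; sshd -t, sshd -T and systemctl restart sshd are real OpenSSH/systemd
# commands.
set -eu

# set_sshd_option <config_file> <Directive> <value>
# sshd honours the FIRST value it reads for a directive, so the new line goes
# at the top of the file and earlier top-level copies (commented or not) are
# dropped. Lines inside a Match block are left untouched because they are
# conditional overrides, not the global default.
set_sshd_option() {
    cfg="$1"; directive="$2"; value="$3"
    tmp="$cfg.tmp.$$"
    awk -v d="$directive" -v v="$value" '
        BEGIN {
            print d " " v
            pat = "^[ \t]*#?[ \t]*" tolower(d) "([ \t]|=|$)"
        }
        tolower($0) ~ /^[ \t]*match[ \t]/ { in_match = 1 }
        !in_match && tolower($0) ~ pat { next }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# get_sshd_option <config_file> <Directive>: the global value sshd will use,
# i.e. the first uncommented occurrence before any Match block.
get_sshd_option() {
    awk -v d="$2" '
        BEGIN { pat = "^[ \t]*" tolower(d) "([ \t]|=)" }
        tolower($0) ~ /^[ \t]*match[ \t]/ { exit }
        tolower($0) ~ pat {
            sub(/^[ \t]*[^ \t=]+[ \t=]+/, "")
            print; exit
        }
    ' "$1"
}

# apply_sshd_config <config_file>: the guide's "vi + systemctl restart sshd"
# with a syntax check in between, so a typo cannot leave the daemon unable to
# start while your only session is the one you are about to close.
apply_sshd_config() {
    cfg="$1"
    set_sshd_option "$cfg" PasswordAuthentication no
    sshd -t -f "$cfg" || { echo "sshd rejected $cfg, not restarting" >&2; return 1; }
    systemctl restart sshd
    # -T dumps the effective configuration after all parsing and defaults
    sshd -T -f "$cfg" | grep -i '^passwordauthentication no'
}

# Only touches the live config when explicitly asked: APPLY=1 ./script.sh
# Keep the first SSH session open and test with "ssh userid@server" from a
# second console, as the guide says, before trusting the change.
if [ "${APPLY:-0}" = "1" ]; then
    apply_sshd_config /etc/ssh/sshd_config
fi
```

The check with sshd -t before the restart is the part most worth keeping even if you edit the file by hand: a malformed sshd_config stops the daemon from starting, and the guide's advice to keep the first session open only helps if you notice before closing it.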


Notes

If you need to modify an immutable file, you will have to unset the chattr attribute first.

chattr -i /path/to/file


References

1. http://emhmki.org/guides/ssh/guide_ssh_config_hardening.html


Last modified date: 2021-01-16


Copyright © 2020-2022 emhmki.org All Rights Reserved.