SSH (Secure Shell) is an indispensable tool for remote administration, allowing you to securely connect to a server over an unsecured network. While password authentication is common, it's generally less secure and more vulnerable to brute-force attacks. A much stronger and recommended approach is to use SSH key-based authentication. This guide will walk you through setting it up.
Why Use SSH Keys?
SSH keys offer significant security advantages:
- Stronger Authentication: Keys are much longer and more complex than typical passwords, making them virtually impossible to guess or brute-force.
- Automation: You can connect without typing a password, which is convenient for scripts and automated deployments.
- Enhanced Security: Even if your private key is compromised, it's often protected by a passphrase, adding another layer of security.
1. Generating Your SSH Key Pair
The first step is to generate a public and private key pair on your local machine (the client).
Open your terminal and run:
Bash:
ssh-keygen -t rsa -b 4096
- -t rsa: Specifies the key type as RSA. While newer algorithms like ED25519 are available and often preferred for their speed and security, RSA is still widely compatible.
- -b 4096: Sets the key length to 4096 bits, which is a strong, recommended size.
The command will prompt you for a location to save the key. The default (~/.ssh/id_rsa) is usually fine.
Code:
Enter file in which to save the key (~/.ssh/id_rsa): [Press Enter]
Next, it will ask for a passphrase. It is highly recommended to use a strong passphrase. This encrypts your private key on your local machine, meaning even if someone gains access to your computer, they can't use your SSH key without the passphrase.
Code:
Enter passphrase (empty for no passphrase): [Your Passphrase]
Enter same passphrase again: [Your Passphrase]
After generation, you'll have two files in your ~/.ssh/ directory:
- id_rsa: Your private key (KEEP THIS FILE SECURE AND NEVER SHARE IT).
- id_rsa.pub: Your public key (This is what you'll share with servers).
2. Copying Your Public Key to the Server
Now you need to place your public key on the remote server you want to connect to. The public key must be appended to the ~/.ssh/authorized_keys file on the server.
The easiest way to do this is using ssh-copy-id:
Bash:
ssh-copy-id username@remote_host
- username: Your user account on the remote server.
- remote_host: The IP address or hostname of your server.
You will be prompted for your remote server's password (the one you currently use to log in). After successful authentication, ssh-copy-id will add your id_rsa.pub content to the ~/.ssh/authorized_keys file on the server.
If ssh-copy-id is not available, you can do it manually:
Bash:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
This command:
1. Reads your local public key (cat ~/.ssh/id_rsa.pub).
2. Pipes it over SSH to the remote server.
3. On the server, it creates the ~/.ssh directory if it doesn't exist (mkdir -p ~/.ssh).
4. Sets appropriate permissions for the ~/.ssh directory (chmod 700 ~/.ssh).
5. Appends your public key to ~/.ssh/authorized_keys (cat >> ~/.ssh/authorized_keys).
6. Sets appropriate permissions for the authorized_keys file (chmod 600 ~/.ssh/authorized_keys).
Important Permissions: The ~/.ssh directory on the server must have 700 permissions (read, write, execute for owner only), and the authorized_keys file must have 600 permissions (read, write for owner only). Incorrect permissions will prevent key-based authentication from working.
3. Testing the Key-Based Authentication
Once your public key is on the server, try to connect:
Bash:
ssh username@remote_host
If you set a passphrase for your private key, you will be prompted for it. If successful, you should log in without entering the server's password.
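If the test login still asks for the server's password, re-check the key install from step 2. The following is an added example, not part of the original post: a server-side form of the manual command that can be re-run safely, because it appends the key only when that exact line is absent and re-applies the 700/600 modes. The function name `install_pubkey` and the sample key are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: re-runnable, server-side form of the manual install in step 2.
# install_pubkey and its arguments are hypothetical names, not part of OpenSSH.

# install_pubkey <public-key-file> [ssh-dir]
install_pubkey() {
    local pub="$1" dir="${2:-$HOME/.ssh}" auth key
    auth="$dir/authorized_keys"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }

    # A public key is one line, "<type> <base64> [comment]". Anything else,
    # including a private key passed by mistake, is refused. Only the common
    # key types are listed here.
    key="$(head -n 1 "$pub")"
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub is not a public key" >&2; return 2 ;;
    esac

    # Create with a tight umask, then force the modes the guide requires
    # in case the directory or file already existed with looser ones.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 2
    chmod 700 "$dir" || return 2
    chmod 600 "$auth" || return 2

    # -x whole line, -F fixed string: skip the append if the key is there.
    if grep -qxF -- "$key" "$auth"; then
        echo "already present"
        return 0
    fi
    # Keep entries on separate lines if the file lacks a final newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added"
}

# Demo on a scratch directory with a constructed (not real) key.
demo="$(mktemp -d)"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal demo@example" > "$demo/id.pub"
install_pubkey "$demo/id.pub" "$demo/.ssh"   # first run
install_pubkey "$demo/id.pub" "$demo/.ssh"   # second run, no duplicate
rm -rf "$demo"
```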
4. Disabling Password Authentication (Highly Recommended)
For maximum security, once you confirm key-based authentication is working, you should disable password authentication on your server. This prevents any attacker from even attempting to guess your password.
On your remote server:
1. Edit the SSH daemon configuration file, typically /etc/ssh/sshd_config:
Bash:
sudo nano /etc/ssh/sshd_config
2. Find and modify/uncomment the following lines:
Code:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Ensure that PermitRootLogin is also set to no or prohibit-password for better security, preventing direct root logins.
3. Save the file and restart the SSH service to apply changes:
Bash:
sudo systemctl restart sshd
# Or for older systems:
# sudo service sshd restart
Always keep at least one SSH session open while testing this change, in case you lock yourself out!
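An edit to sshd_config can silently have no effect, because sshd keeps the first value it reads for each keyword and treats lines after a Match line as conditional. The following added example (not part of the original post) audits the global section of a config file for the settings from step 4. The helper names `sshd_global` and `audit_sshd` and the sample config are constructed, and keyword and value are assumed to be separated by whitespace.

```bash
#!/usr/bin/env bash
# Added example: audit the global section of an sshd_config file (step 4).
# sshd_global and audit_sshd are hypothetical helper names.

# sshd_global <file> <keyword> <default>
# Prints the value sshd would use globally: the FIRST occurrence wins,
# keywords are case-insensitive, and parsing stops at the first Match line.
sshd_global() {
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0  { next }   # comments and blank lines
        { key = tolower($1) }
        key == "match"         { exit }   # end of the global section
        key == tolower(want)   { val = tolower($2); found = 1; exit }
        END                    { print (found ? val : def) }
    ' "$1"
}

# audit_sshd <file>: prints findings, returns 1 if any check fails.
audit_sshd() {
    local f="$1" rc=0 v
    v="$(sshd_global "$f" PasswordAuthentication yes)"   # sshd default: yes
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v"; rc=1; }
    v="$(sshd_global "$f" PermitRootLogin prohibit-password)"
    case "$v" in
        no|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=$v"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Constructed sample: "no" was appended further down, but an earlier
# "yes" is read first, so password logins stay enabled.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
#PasswordAuthentication no
passwordauthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

This reads a single file and does not follow Include directives. On the server itself, `sudo sshd -t` checks the configuration syntax before the restart, and `sudo sshd -T` prints the effective settings.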
5. Using ssh-agent for Convenience
If you use a passphrase for your private key, you'll be prompted for it every time you connect. ssh-agent can help by holding your decrypted private key in memory for the duration of your session, requiring you to enter the passphrase only once.
To start ssh-agent and add your key:
Bash:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
You'll be prompted for your passphrase once. After that, you can connect to any server using that key without re-entering the passphrase until you close your terminal or the agent is stopped.
By following these steps, you've significantly enhanced the security of your remote server access, making it more robust against common attack vectors.