Use Public Key Authentication with SSH - Part Two


If you have not read our previous guide on Securing your Server by Password authentication, you can read it here: https://www.cassavahub.com/blog/how-to-secure-your-server-by-disabling-root-login-access-part-one

In this guide we cover a higher level of securing your server: using public key authentication.

Prerequisites

  1. Access to a DigitalOcean droplet
  2. Root access to the droplet

Suppose you are working with a configuration management tool like Ansible: enabling key-based login will help you automate some tasks. Key-based login also improves your server security, as a hacker will need access to your private key in order to access the server.

How SSH keys work for authentication

When generating SSH keys using this command

ssh-keygen -b 4096

two important files will be created: id_rsa, which acts as the private key, and id_rsa.pub, which is the public key. You must not share the private key, as anyone with access to it can easily gain access to the server. The public key can be shared freely, as it is used to encrypt messages that can only be decrypted by the associated private key.

The public key is then copied to the server that you want to authenticate with, into the file ~/.ssh/authorized_keys.

In case you need a guide on generating SSH keys: when you run the command ssh-keygen -b 4096, you will be asked where you want to store the file. Pass an absolute path, or press Enter to accept the default path shown in the prompt:

Enter file in which to save the key (/home/cassava/.ssh/id_rsa): 

Next, you will be prompted to enter a passphrase for the key. The passphrase is a key that will be used to encrypt the private key file on disk. If you set a passphrase, you will be prompted for it each time you access the droplet via SSH. Based on your needs, you can add a passphrase or press Enter if you choose not to.

Once you have set up your SSH keys, you need to copy your public key, which is located in the default path /home/user_name/.ssh/id_rsa.pub or the absolute path you specified.

cat ~/.ssh/id_rsa.pub

Copying your Public Key to Server

You can access your server using SSH:

ssh username@ip_address

Create a folder .ssh in the user's home directory if it does not exist:

mkdir -p ~/.ssh

Enter the created folder and create a file authorized_keys, which SSH checks keys against, and paste your public key into it. A user’s authorized_keys file can store more than one public key, and each public key is listed on its own line.

cd ~/.ssh && vim authorized_keys

You can also copy the key using rsync, as highlighted in our rsync tutorial here: https://www.cassavahub.com/blog/5-linux-commands-for-developers-2020-linux-cheat-sheet

You can test logging in with the public key with

ssh username@ip_address

Once it works, we can disable password login.

Disabling Password Authentication on your Server

Before completing the steps in this section, make sure that you either have SSH key-based authentication configured for the root account on this server, or preferably, that you have SSH key-based authentication configured for an account on this server with sudo access. This step will lock down password-based logins, so ensuring that you will still be able to get administrative access is essential.

To disable password authentication, edit the sshd_config file with your favorite editor. You will need root permission to do so:

sudo vim /etc/ssh/sshd_config

Locate the line PasswordAuthentication and change its value to no:

PasswordAuthentication no

For the changes to take effect, restart the SSH service.

On Debian-based systems, use

systemctl restart ssh

On RHEL-based systems, run

systemctl restart sshd
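
Before relying on the edit, it is worth confirming that the new line is the one sshd will actually use. The script below is an added example, not part of the original guide: it applies sshd_config's first-value-wins rule, following Include lines, to a constructed sample config. The function names (flatten, effective_value, demo) and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. sshd uses the FIRST value it
# reads for each keyword, so an earlier line or an Include'd drop-in can
# override the "PasswordAuthentication no" you added further down the file.

# flatten FILE BASE: print FILE with its Include lines expanded in place.
# The "( )" body runs in a subshell, so recursion cannot clobber variables.
flatten() (
    file=$1 base=$2
    [ -r "$file" ] || exit 0
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # word-split without globbing
        if [ "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" = include ]; then
            shift
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$base/$pat ;; esac
                for inc in $pat; do flatten "$inc" "$base"; done  # glob expands here
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$file"
)

# effective_value KEYWORD FILE [BASE]: first global value of KEYWORD, lower-cased;
# prints nothing if the keyword is never set (sshd's built-in default applies).
# Simplification: parsing stops at the first Match line. Relative Include paths
# are resolved against BASE (sshd itself resolves them against /etc/ssh).
effective_value() {
    flatten "$2" "${3:-/etc/ssh}" | awk -v k="$1" '
        $1 ~ /^#/                 { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }'
}

# Constructed sample: a drop-in file that is read before the main file's setting.
demo() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-example.conf"
    printf 'Include sshd_config.d/*.conf\n#PasswordAuthentication yes\nPasswordAuthentication no\n' \
        > "$d/sshd_config"
    effective_value PasswordAuthentication "$d/sshd_config" "$d"
    rm -rf "$d"
}

demo   # prints "yes": the drop-in wins over the later "no"
```

On a real server, sudo sshd -T prints the effective configuration as sshd itself parses it, and sudo sshd -t validates the file before you restart the service.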

You have successfully secured your server using public key encryption. Comment on additional topics that you need us to cover :)
