If you have not read our previous guide on securing your server by password authentication, you can read it here: https://www.cassavahub.com/blog/how-to-secure-your-server-by-disabling-root-login-access-part-one.
In this guide we cover the next level of securing your server: public key authentication.
- Access to a digital ocean droplet
- Have root access to the droplet
Suppose you are working with a configuration management tool like Ansible: enabling key-based login lets you automate tasks without typing passwords. Key-based login also improves your server's security, since an attacker would need a copy of your private key in order to access the server.
How ssh keys work for authentication
When you generate SSH keys with this command
ssh-keygen -b 4096
two important files are created: id_rsa, which is the private key, and id_rsa.pub, which is the public key. You must not share the private key, as anyone who has it can gain access to the server. The public key can be shared freely, since it is used to encrypt messages that can only be decrypted by the associated private key.
The public key is then copied to the server you want to authenticate with, into the file ~/.ssh/authorized_keys of the account you will log in as.
In case you need a guide on generating SSH keys: when you run ssh-keygen -b 4096 you will be asked where to store the key. Enter an absolute path, or press Enter to accept the default path shown in the prompt:
Enter file in which to save the key (/home/cassava/.ssh/id_rsa):
Next, you will be prompted for a passphrase. The passphrase is used to encrypt the private key file on disk, so if you set one you will be asked for it each time you use the key to access the droplet via SSH. Based on your needs, add a passphrase or press Enter to leave the key unencrypted.
Once you have set up your SSH keys you need to copy your public key, which is located at the default path /home/user_name/.ssh/id_rsa.pub or at the absolute path you specified.
Copying your Public Key to Server
Log in to your server with SSH.
Create a folder named .ssh in the user's home directory if it does not already exist; this is where SSH looks for the keys it validates.
Enter the folder and create the file authorized_keys, then paste the public key into it. A user's authorized_keys file can store more than one public key, with each public key on its own line.
mkdir -p ~/.ssh && cd ~/.ssh && vim authorized_keys
You can also copy the key with rsync, as shown in our rsync tutorial here: https://www.cassavahub.com/blog/5-linux-commands-for-developers-2020-linux-cheat-sheet
You can now test logging in with the public key.
Once it works, we can disable password login.
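The manual steps above (create .ssh, create authorized_keys, paste the key) are easy to get subtly wrong: sshd silently ignores an authorized_keys file that is group- or world-writable, and pasting the same key twice leaves duplicate lines. The following shell function is an added example, not part of the original post or of any project's code; it installs a public key file into a home directory with the permissions sshd expects and skips keys that are already present. The function names install_pubkey and count_authorized_keys and their arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: install a public key into ~/.ssh/authorized_keys idempotently.
# Usage (assumed interface): install_pubkey PUBKEY_FILE TARGET_HOME
install_pubkey() {
    pubkey_file=$1
    target_home=$2
    ssh_dir="$target_home/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # sshd refuses keys from a directory or file that others can write to,
    # so set the permissions explicitly instead of relying on umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Copy each key line from the source file, ignoring blank lines and
    # comments, and skip any line that is already present verbatim so that
    # running this twice does not duplicate keys.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        if ! grep -qxF -- "$line" "$auth_file"; then
            printf '%s\n' "$line" >> "$auth_file"
        fi
    done < "$pubkey_file"
}

# Number of non-empty lines (i.e. keys) authorized for a home directory.
# Usage (assumed interface): count_authorized_keys TARGET_HOME
count_authorized_keys() {
    auth_file="$1/.ssh/authorized_keys"
    [ -f "$auth_file" ] || { echo 0; return 0; }
    awk 'NF { n++ } END { print n + 0 }' "$auth_file"
}
```

To use it for the account you log in as, run something like `install_pubkey /tmp/id_rsa.pub /home/cassava` as that user (or as root, followed by `chown -R cassava: /home/cassava/.ssh`). The exact-line match means a key with a changed trailing comment is treated as a new key; that is deliberate, since the comment is the only way to tell two keys apart when reviewing the file later.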
Disabling Password Authentication on your Server
Before completing the steps in this section, make sure that you either have SSH key-based authentication configured for the root account on this server or, preferably, for an account on this server with sudo access. This step locks down password-based logins, so it is essential to confirm that you will still be able to get administrative access.
To disable password authentication, edit the sshd_config file with your favorite editor; you will need root permission to do so:
sudo vim /etc/ssh/sshd_config
Locate the line PasswordAuthentication (remove the leading # if it is commented out) and change its value to no, so that it reads PasswordAuthentication no.
For the changes to take effect, restart the SSH service.
On Debian-based systems, use
systemctl restart ssh
On RHEL-based systems, run
systemctl restart sshd
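Editing sshd_config by hand works, but when you automate the step (for example from Ansible, as mentioned earlier) it is worth knowing that sshd honours only the first occurrence of a directive: appending PasswordAuthentication no to a file that already says PasswordAuthentication yes higher up changes nothing. The following functions are an added example, not from the original post or from OpenSSH; set_sshd_option rewrites the directive in place (replacing a commented-out default as well), emits it exactly once, and get_sshd_option reads back the value sshd would use. Both names and their argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example: set a directive in sshd_config exactly once, in place.
# Usage (assumed interface): set_sshd_option CONFIG_FILE DIRECTIVE VALUE
set_sshd_option() {
    cfg=$1 key=$2 val=$3
    tmp="$cfg.tmp.$$"
    # Every line whose directive name matches (case-insensitively, as sshd
    # itself compares), whether active or commented out with "#", is replaced
    # by the desired line; only the first match is emitted, later ones are
    # dropped, and the line is appended if the directive never occurred.
    awk -v key="$key" -v val="$val" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indentation and a leading "#"
            split(line, f, /[ \t=]+/)               # sshd accepts "Key value" and "Key=value"
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Effective value of a directive: first active (non-comment) occurrence.
# Usage (assumed interface): get_sshd_option CONFIG_FILE DIRECTIVE
get_sshd_option() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        {
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }
    ' "$1"
}
```

Run it as root on the real file, for example `set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no`, then check the result with `sshd -t` before restarting the service, since a syntax error would leave you unable to log in after the restart. Two caveats: the rewrite does not understand Match blocks, so a directive inside one is replaced like any other, and on systems where sshd uses PAM the keyboard-interactive method can still prompt for a password, so you may also need `KbdInteractiveAuthentication no` (called ChallengeResponseAuthentication in older OpenSSH releases).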
You have successfully secured your server using public key authentication. Comment on any additional topics you would like us to cover :)