Secure Linux Login Connection
Introduction
SSH offers two methods of authentication: password and key pair authentication.
- Password Authentication: While simple passwords are easily remembered, they are also easily compromised through brute force attacks. On the other hand, complex passwords, though safer, are challenging to remember.
- Key Pair Authentication: This method involves a combination of a public key and a private key. The public key is placed on the device that one wishes to access, while the private key is stored on the user's local machine. Only the holder of the private key can access the device, making this method secure and convenient.
Generating a Key Pair with ssh-keygen
The ssh-keygen command can be used to generate a key pair. Here is how to use it:
ssh-keygen
For a stronger key pair, use:
ssh-keygen -t rsa -b 4096 -C "$comment"
Note: When prompted, hit Enter for each prompt to accept the defaults (an empty passphrase leaves the private key unencrypted on disk).
Uploading the Public Key to the Remote Host
There are two ways to upload the public key: manually and automatically.
Automatic Upload
To automatically upload the public key, run:
ssh-copy-id user@remoteHost
Or specify the public key and port:
ssh-copy-id -i ~/.ssh/id_rsa.pub -p "$port" user@remoteHost
Manual Upload
To manually upload the public key, append its content to authorized_keys on the remote host:
ssh user@remoteHost 'mkdir -p .ssh && cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
Next, set the correct permissions on the remote host:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
After creating the authorized_keys file and adding the public key contents to it, we can log in without a password:
ssh user@remoteHost
Managing Sessions via SSH Profiles
SSH profiles are an elegant and efficient way to manage multiple remote logins. You can define several remote hosts in the SSH client configuration file (~/.ssh/config) as shown:
cat >> ~/.ssh/config << EOF
Host HOST01
    HostName 123.123.123.33
    Port 22
    User user01
    IdentityFile "~/.ssh/id_rsa"
    IdentitiesOnly yes
Host HOST02
    HostName 10.110.254.99
    Port 2222
    User user02
    IdentityFile "~/.ssh/id_ecdsa"
    IdentitiesOnly yes
EOF
Ensure that you set the correct permissions on the SSH profiles:
chmod 600 ~/.ssh/config
After setting up the SSH profiles, you can log in by simply entering the alias name:
ssh HOST01
Disabling Password Login
For security reasons, it is recommended to disable password login once key-based login has been confirmed to work:
sudo sed -i "s@.*\(PasswordAuthentication \).*@\1no@" /etc/ssh/sshd_config
sudo service sshd restart
One-Key Configuration on SSH
Setting up a new remote host key login requires several steps such as key pair generation, permissions setting, public key upload, and password disabling.
However, we can upload all our public keys to GitHub (under the account's SSH keys), and then deploy them with one command on the new remote host:
curl -fsSL "https://github.com/${githubUser}.keys" >> ~/.ssh/authorized_keys
Also, disable password login and restart the SSH daemon:
sudo sed -i "s@.*\(PasswordAuthentication \).*@\1no@" /etc/ssh/sshd_config
sudo service sshd restart
Additionally, we can simplify the process using P3TERX's SSH Key Installer:
bash <(curl -fsSL git.io/key.sh) -g "$githubUser" -d
| Option | Description |
|---|---|
| -o | Enables overwrite mode. Must be given as the first option to take effect. |
| -g | Retrieves the public key from GitHub. The parameter is the GitHub username. |
| -u | Retrieves the public key from a URL. The parameter is the URL. |
| -f | Obtains the public key from a local file. The parameter is the path of the local file. |
| -p | Modifies the SSH port. The parameter is the port number. |
| -d | Disables password login. |
Deploying the Public Key
Here are some ways of using the script to get the public key and adjust the SSH configuration:
i. Get the public key from GitHub:
bash <(curl -fsSL git.io/key.sh) -g "$githubUser"
ii. Get the public key from a URL:
bash <(curl -fsSL git.io/key.sh) -u https://keyaddress.com/id_rsa.pub
iii. Overwrite mode will completely replace the previous keys in ~/.ssh/authorized_keys:
bash <(curl -fsSL git.io/key.sh) -o -g "$githubUser"
iv. Disable password login:
bash <(curl -fsSL git.io/key.sh) -d
v. Modify the SSH port:
bash <(curl -fsSL git.io/key.sh) -p 2222
Conclusion
Whether manually or automatically, managing SSH keys involves creating a secure key pair, uploading the public key to the intended device, and managing sessions using SSH profiles. For increased security, it is advisable to disable password logins. Various tools such as P3TERX's SSH Key Installer can simplify these processes.
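The sed commands under Disabling Password Login and One-Key Configuration edit only /etc/ssh/sshd_config, but sshd uses the first value it reads for each keyword, so a file pulled in by an Include line near the top of that file can keep password login enabled. The script below is an added example, not code from the original article or from P3TERX's installer; the function names, the simplified parsing and the constructed sample files (including the 50-cloud-init.conf name) are assumptions.

```shell
#!/bin/sh
# Added example: report which file decides PasswordAuthentication for sshd.
# Assumptions: whitespace-separated "Keyword value" lines, relative Include paths
# resolve against the main file's directory, scanning stops at a file's first Match.

# Print "<value> <file>" for the first global PasswordAuthentication reached
# from config $1, following Include lines in place; exit 1 if none is set.
first_password_auth() (
    cfg=$1
    base=${2:-$(dirname "$cfg")}
    [ -r "$cfg" ] || exit 1
    while read -r key rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        set -f; set -- $rest; set +f          # split arguments without globbing
        case $key in
            match) exit 1 ;;
            include)
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for f in $pat; do         # glob expands here, in sorted order
                        first_password_auth "$f" "$base" && exit 0
                    done
                done ;;
            passwordauthentication)
                printf '%s %s\n' "$1" "$cfg"
                exit 0 ;;
        esac
    done < "$cfg"
    exit 1
)

# Succeed only if password login is explicitly off (sshd's default is "yes").
password_login_disabled() {
    found=$(first_password_auth "$1") || return 1
    [ "${found%% *}" = no ]
}

# Constructed sample: a drop-in included at the top of the main file keeps
# passwords enabled even though the main file itself says "no".
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' '#PasswordAuthentication yes' \
        'PasswordAuthentication no' > "$1/sshd_config"
    printf '%s\n' 'PasswordAuthentication yes' > "$1/sshd_config.d/50-cloud-init.conf"
}

d=$(mktemp -d) && make_sample "$d"
first_password_auth "$d/sshd_config"
password_login_disabled "$d/sshd_config" || echo "password login is still enabled"
rm -rf "$d"
```

On a live host, `sudo sshd -t` checks the configuration for errors before a restart, and `sudo sshd -T` prints the settings sshd actually resolved.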
