SSH stands for “secure shell”, and is a network protocol that allows you to securely send commands to a remote machine. SSH is pretty secure, but it does have one weak link – the password. If someone cracks your SSH password, they can gain control over your SSH server.
A more secure method of SSH logons is to use a public/private key. With a public/private key, you create a matched pair of private and public keys. You keep the private key on your personal machine, while you put the public key on the SSH server to which you wish to connect. When configured in this manner, the SSH server will only allow connections from systems that have a matching private key for one of the public keys.
In this post, we’ll show you how to set up key-based logons for SSH in Ubuntu 11.10 Oneiric Ocelot.
First, install OpenSSH server on your server. You can find directions on how to do so here. For the rest of this walkthrough, we’ll assume that you installed the SSH server on a machine with the IP address of 192.168.1.100, and that you intend to connect to that server from a client machine with the IP address of 192.168.1.200.
After SSH server has been installed, go to your client machine at 192.168.1.200 and enter this command:
ssh-keygen -t dsa
Press Enter, and the command will save a matched public/private key pair in the ~/.ssh directory. Specifically, it creates two files – id_dsa, which is your private key, and id_dsa.pub, which is your public key. It will also ask you to set a passphrase for the key, which adds a layer of security in case someone gains access to your account. Setting a passphrase is usually a good idea.
After the command is complete, you’ll need to transfer the newly created id_dsa.pub public key file to your SSH server at 192.168.1.100. Once you have moved it to your server, copy the file to your user account’s ~/.ssh directory on the server. (If this directory does not already exist, create it with the mkdir command.) Next, change to the ~/.ssh directory, and use this command:
This will create a file to store authorized keys in the ~/.ssh directory. Use this command to add your public key to the authorized_keys file:
cat id_dsa.pub >> authorized_keys
Then, use the chmod command to make authorized_keys read-only to protect it from accidental deletion:
chmod 400 authorized_keys
Finally, you’ll need to alter your SSH server’s configuration file to mandate key-based logins; otherwise the server will continue to allow password-based login. Use the vi editor to edit SSH’s main configuration file:
sudo vi /etc/ssh/sshd_config
While editing the file, make sure the PasswordAuthentication directive is set to no. This will force your SSH server to only allow key-based login attempts. Once you’ve finished editing the file, restart your SSH server with this command:
sudo service ssh restart
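The server-side steps above (creating ~/.ssh, appending the public key to authorized_keys, locking its permissions, and forcing PasswordAuthentication to no) collected into shell functions, as an added example that is not part of the original post. It assumes id_dsa.pub has already been copied to the server, and it takes the file paths as arguments so you can try it on copies before touching your real ~/.ssh or /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: server-side key installation and sshd hardening as
# idempotent functions (not the original post's commands verbatim).

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Appends the key only if it is not already present, then applies the
# post's chmod 400 (and 700 on the ~/.ssh directory, which sshd requires).
install_pubkey() {
    pub="$1"; auth="$2"
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$auth" ] || : > "$auth"
    # A 400 file cannot be appended to, so relax it, append, re-tighten.
    chmod 600 "$auth"
    if ! grep -qxF "$(cat "$pub")" "$auth"; then
        cat "$pub" >> "$auth"
    fi
    chmod 400 "$auth"
}

# disable_password_auth SSHD_CONFIG_FILE
# Sets "PasswordAuthentication no" whether the directive is currently
# absent, commented out ("#PasswordAuthentication yes") or set to yes.
disable_password_auth() {
    cfg="$1"
    pat='^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]'
    if grep -Eq "$pat" "$cfg"; then
        sed -E "s/${pat}.*/PasswordAuthentication no/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'PasswordAuthentication no\n' >> "$cfg"
    fi
    # On Ubuntu, also consider "ChallengeResponseAuthentication no", or
    # PAM keyboard-interactive prompts may still accept a password.
}

# password_auth_disabled SSHD_CONFIG_FILE
# Succeeds only if the effective setting is "no"; sshd honours the first
# uncommented occurrence of a directive, so mirror that here.
password_auth_disabled() {
    val=$(grep -E '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" \
            | head -n 1 | awk '{print $2}')
    [ "$val" = "no" ]
}
```

On the server, run install_pubkey id_dsa.pub ~/.ssh/authorized_keys as your user, then disable_password_auth /etc/ssh/sshd_config as root, and check with password_auth_disabled before restarting sshd.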
Your SSH server will now only permit key-based logons – users must have a private key that matches a corresponding public key in the ~/.ssh/authorized_keys file in their home folder on the SSH server.
Make sure to back up your private key in a safe place – if you lose it, you will lose access to the SSH server.