Using SSH Key to Connect to a Remote System
SSH, or Secure Shell, is an encrypted protocol used to manage and communicate with servers. There are a few different ways to log in to an SSH server; public key authentication is one of them, and it lets you access a server via SSH without typing a password.
Creating SSH keys
List supported algorithms of SSH keys on your client and server:
$ ssh -Q key
Output
ssh-ed25519
Choose an algorithm that both your client and server support, then generate an SSH key pair with it:
$ ssh-keygen -t {your_algorithm} -C "{your_comment}"
We recommend the ed25519 algorithm for generating your SSH key. Ed25519 support was introduced in OpenSSH 6.5. It uses elliptic curve cryptography, which offers better security and faster performance than DSA, ECDSA, or RSA. RSA is even considered unsafe when the key is shorter than 2048 bits.
$ ssh-keygen -t ed25519 -C "mac_taogenjia@gmail.com"
Output
Enter file in which to save the key (/Users/taogen/.ssh/id_ed25519):
You can specify your SSH key's filename. If you don't change it, by default the private key filename is id_{algorithm} and the public key filename is id_{algorithm}.pub.
For security reasons, it’s best to set a passphrase for your SSH keys.
Copying the SSH public key to your server
Copying Your Public Key Using ssh-copy-id
The simplest way to copy your public key to an existing server is to use a utility called ssh-copy-id.
ssh-copy-id -i public_key_filepath username@remote_host
For example:
ssh-copy-id -i ~/.ssh/id_ed25519_remote_1.pub -p 38157 root@xxx.xx.xxx.xxx
Copying Your Public Key Using SSH
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
cat ~/.ssh/id_rsa.pub: outputs the public key file.
mkdir -p ~/.ssh: creates the ~/.ssh directory on the remote host if it doesn't exist.
cat >> ~/.ssh/authorized_keys: appends the standard output of the previous command in the pipeline to the file ~/.ssh/authorized_keys on the remote host.
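As an added example (not code from the original article), the POSIX shell function below does what the pipeline above does on the remote side, but with the checks a practitioner would want: it creates ~/.ssh with mode 700 and keeps authorized_keys at 600 so that sshd's default StrictModes does not ignore the file, rejects input that is not an OpenSSH public key line, and appends the key only once. The public key path and target path are parameters I chose for the example; the sample key used to exercise it is constructed, not a real key.

```shell
#!/bin/sh
# install_authorized_key: add an OpenSSH public key to an authorized_keys file
# exactly once, with the permissions sshd's default StrictModes expects.
# Added example for this article; it operates on local paths so it can be
# exercised offline, but it is meant to be run on the remote host.
#   $1 - public key file, e.g. ~/.ssh/id_ed25519.pub
#   $2 - target authorized_keys file (default: ~/.ssh/authorized_keys)
install_authorized_key() {
    pubkey_file=$1
    auth_file=${2:-$HOME/.ssh/authorized_keys}
    ssh_dir=$(dirname "$auth_file")

    # Read the first line and check that it looks like an OpenSSH public key;
    # refusing garbage here avoids silently corrupting authorized_keys.
    key=$(head -n 1 "$pubkey_file") || return 1
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-ssh-ed25519*\ *|sk-ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd refuses to use ~/.ssh or authorized_keys if they are group- or
    # world-writable, so create them with restrictive modes up front.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Append only if this exact key line is not already present (idempotent).
    if grep -qxF -- "$key" "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_file"
    echo "key added to $auth_file"
}
```

Piped through ssh as in the one-liner above, the same function can replace the bare mkdir/cat pair.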
Configuring SSH
If there are multiple SSH keys on your local system, you need to configure which destination server uses which SSH key. For example, there is an SSH key for GitHub and another SSH key for a remote server.
Create the SSH configuration file ~/.ssh/config if it doesn't exist:
vim ~/.ssh/config
Add configuration like the following:
# GitHub
SSH login with the SSH private key
If you have copied your SSH public key to the server, SSH login will automatically use your private key. Otherwise, you will need to enter the password of the remote server's user to log in.
$ ssh username@remote_host
Disabling password authentication on your server
Using password-based authentication exposes your server to brute-force attacks. You can disable password authentication by updating the configuration file /etc/ssh/sshd_config.
Before disabling password authentication, make sure that you either have SSH key-based authentication configured for the root account on this server, or preferably, that you have SSH key-based authentication configured for an account on this server with sudo access.
sudo vim /etc/ssh/sshd_config
Find the PasswordAuthentication line, uncomment it by removing the # at the beginning of the line, and make sure it reads:
PasswordAuthentication no
Save and close the file when you are finished. To apply the changes you just made, you must restart the service. Keep your current session open until you have confirmed that a new key-based login works.
sudo systemctl restart ssh