Accessing Your Server via SSH Keys
The past couple of weeks I have found myself dabbling in a number of system / network centric tasks. In the process I have been configuring a number of servers and thinking through a number of initial tasks that need to be taken. From time to time I find myself compelled to take a few minutes to summarize the steps not only to benefit readers but myself later on.
Here is a quick post that will show you how to enable access to your server via SSH keys in the place of passwords.
If you’re not familiar with SSH, its good to take a minute to educate yourself on the protocol.
SSH stands for Secure Shell. It’s a method of communicating with your server securely and should be your preferred method of communication. It’s not a protocol that allows you to transfer files, this is an important distinction. If using SSH and you need to transfer files, you’re going to want to leverage SFTP, Secure FTP, or Secure Copy (SCP).
In this example we’re going to be working on two different machines, they’ll be categorized as follows:
- Host A: Server
- Host B: Local Machine
Step 1 – Create The Key Directory2>
The first thing you’re going to want to do is configure the .ssh directory on your server – Host A. It’s not likely it’s there by default, so the quickest an easiest way is to run the following command:
# ssh-keygen -t rsa
Assumption is made that you already have SSH enabled, might not be by default. You can check the version of SSH by running:
# ssh -V
You run the command above to generate a key, but more importantly because it creates the .ssh directory and sets the appropriate permission by default, so with it you’ve cut down a few manual steps.
Step 2. Transfer Key Host B to Host A2>
The next thing you want to do is transfer your public key from Host B to Host A.
Yes, you do need to have the keys on your local environment, in our case Host B. If you need a key locally, that’s ok, just run the command from Step 1.
The quickest way to get your key to the server is by using SCP. To do so, you can use the following command:
# scp [name of public key] [username]@[host A IP or server name]:[path where you want to put file]
If you’re still confused, it’d look something like this:
# scp mypublickey.pub firstname.lastname@example.org:root/
Step 3. Create your Authorized_Keys file
The last thing you’re going to do is copy the content of your public key, from Host B, into the Host A authorized keys files. This file is going to go into your servers, Host A, .ssh directory. If you’re wondering, after running the command in Step 1 you’re likely to see the following files in the directory:
- id_rsa – private key
- id_rsa.pub – public key
After logging into the server, you want to navigate to the directory in which you pushed the public key from Host B. Once there, you can run the following:
cat mypublickey.pub >> ~/.ssh/authorized_keys
Don’t worry about the file not existing, it’ll be created when you run the command.
Step 4. Set the permissions on Authorized Keys2>
The last thing to do is set the right perms on the file, quickest way is to run the following:
chmod 600 ~/.ssh/authorized_keys
Step 5. Verify It Works
The first thing I do is verify the key copied ok, easiest way for me is to open it:
# vi ~/.ssh/authorized_keys
Then I log out of the server, and on my local machine, Host B, I try to SSH into the server:
# ssh root@email@example.com
If all is configured correctly, it should ask you for the passphrase for the .ssh directory. Once you type that in it should let you into the server with out a password.
If it doesn’t, then try starting over.. :)
Once you confirm that everything is working good, and if you’re paranoid enough, you can diable the use of password by navigating to your SSH configuration file:
# vi /etc/ssh/sshd_config
Find this setting and change it to Off:
# Disable password authentication forcing use of keys PasswordAuthentication off
That should be all you need to do to disable SSH access through the use of passwords.
Do you see a security difference between RSA and DSA-based keys? Which type is more secure?