OpenSSH public/private key authentication
OpenSSH public key authentication lets users log into a server without typing their account password: the client proves possession of a private key whose public half is listed in the account's ~/.ssh/authorized_keys file on the server.
Once keys are in place, every other form of login can be disabled, so that the only way into the server is with an authorized key.
The point of doing this is to take password guessing off the table: a brute-force attack against sshd has nothing to guess once passwords are no longer accepted.
Three steps are needed:
- Create an SSH public/private key pair and install the public key on the server
- Disable root login over SSH
- Disable password login for every other user on the server
Create a pair of public/private SSH keys
We will create an SSH key pair and copy the public key to the server, so that we can then log in without entering the user's password.
To create your public and private SSH keys on the command line, do this on the computer you want to log into the server from:
chmod 700 ~/.ssh
ssh-keygen -t rsa
ssh-keygen will ask where to store the key and for a passphrase. Accept the default location and choose a good passphrase: the passphrase encrypts the private key on disk, so a stolen id_rsa file is useless on its own. On a current OpenSSH, ssh-keygen -t ed25519 (or -t rsa -b 4096) is the better choice; the rest of the procedure is identical. The output should look something like this:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/b/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/b/.ssh/id_rsa.
Your public key has been saved in /home/b/.ssh/id_rsa.pub.
Copy your key to the server
ssh-copy-id [username]@[host]
ssh-copy-id logs in with your password one last time and appends the public key to ~/.ssh/authorized_keys on the server. Now you should be able to log into that server without your user password; you will be asked for the passphrase if you set one. Before touching the server configuration, confirm that the key really is what got you in: pass the client option PasswordAuthentication=no to ssh (with -o) so that the connection can only succeed with the key, and if that fails, fix the key setup first.
Disable root login
Edit the file /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
(you can use your favorite text editor)
I strongly recommend opening two sessions if you are doing this over a remote connection, and never closing one of them. Keep the spare session so you can roll back the configuration if something goes wrong; otherwise a mistake will lock you out.
Locate the Protocol line by typing this in vi or vim:
:/Protocol
If it says
Protocol 2,1
change it to:
Protocol 2
This enables only SSH protocol 2, which is more secure than protocol 1. Do not do this if you need to log in with a client that only supports protocol 1. (OpenSSH 7.6 and later support only protocol 2, so on a current server the Protocol line is unnecessary.) Next locate the line "PermitRootLogin yes" by typing this in vi or vim:
:/PermitRootLogin yes
and change it to:
PermitRootLogin no
Then save the file. The change takes effect only after sshd re-reads its configuration: validate the file first with sshd's -t test mode, which reports syntax errors, then restart or reload the ssh service, and confirm from your spare session that you can still log in.
Disable password login for any other user in the server
Now we lock the password of every other user on the server (root excepted, since root can no longer log in over SSH). With passwords locked and root login refused, the only way into the server is the public/private key pair.
To lock a user's password, use this command:
sudo passwd -l [user]
Run it for every user on the server that is allowed to log in, that is, every user that has a shell. Locking the password affects everything that authenticates against it, not just SSH: console logins, su and sudo for that user stop working too (see Note 3), and on some systems sshd refuses a locked account even for key logins, so test a key login to a locked account before relying on this method.
Alternate Method (Updated: 10.11.10)
As suggested by Stephen, if you need local (console) authentication, the above method of locking the users' accounts is not an option; this is the better way. Edit the file
/etc/ssh/sshd_config
and make sure this line is there:
PasswordAuthentication no
The default is yes. Then restart ssh and you are done. This only stops sshd from accepting passwords; the accounts keep their passwords for the console, su and sudo, and password guessing over SSH still gets nowhere.
Note 1: You will need to repeat step 1 for every user you want to have access to the server before locking their passwords (or deliver their public keys some other way, such as on a USB stick).
Note 2: Be sure to have physical access to the server, or test your keys, before locking yourself out; failing to do so may lock you completely out of the server. You have been warned.
Note 3: If you use some account as an admin account with sudo access to the system and you lock its password with passwd -l, sudo can no longer verify that password either. Disable the password challenge for that user with visudo (a NOPASSWD rule), or use the alternate method above, or you will not be able to use sudo again.
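The checks behind the sshd_config steps above (Protocol, PermitRootLogin, and the alternate method's PasswordAuthentication), as an added example that is not part of the original post: a POSIX shell script that reads the effective global value of each directive the way sshd does (the first occurrence of a keyword wins, and anything after a Match block is conditional), reports which settings still allow root or password login, and writes a hardened copy with the three directives at the top of the file. The function names (sshd_directive, check_sshd_config, harden_sshd_config) and the sample config it runs on are my own; it never touches /etc/ssh/sshd_config itself and does not follow Include lines.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings the post changes and write a hardened copy. Function names and the
# sample config below are constructed for this example.

# Effective value of a global directive. sshd uses the first occurrence of a
# keyword and ignores later ones, so stop at the first match; also stop at the
# first "Match" block, since everything after it applies conditionally.
sshd_directive() {   # $1 = config file, $2 = keyword; prints nothing when unset
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line); n = split(line, f, /[ \t=]+/) }
        n == 0 || line ~ /^#/ { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { print f[2]; exit }
    ' "$1"
}

# Compare each directive with the value the post recommends. Returns 0 only when
# all three are hardened. An unset PermitRootLogin or PasswordAuthentication is a
# finding, because the defaults the post assumes are "yes"; an unset Protocol is
# accepted, since OpenSSH 7.6 and later speak only protocol 2 anyway.
check_sshd_config() {   # $1 = config file
    rc=0
    for spec in "Protocol:2:ok" "PermitRootLogin:no:yes" "PasswordAuthentication:no:yes"; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; unset_is=${rest#*:}
        have=$(sshd_directive "$1" "$key")
        if [ -z "$have" ] && [ "$unset_is" = "ok" ]; then
            echo "$key: unset (acceptable)"
        elif [ "$have" = "$want" ]; then
            echo "$key: $have"
        else
            [ -n "$have" ] || have="unset (default $unset_is)"
            echo "$key: $have, want $want"; rc=1
        fi
    done
    return $rc
}

# Write a hardened copy of $1 to $2. The three directives go at the top, where
# they win under first-match-wins and precede any Match or Include line, and the
# global occurrences they override are dropped so the file does not contradict
# itself. Lines inside Match blocks are kept: a deliberate per-user exception
# such as "Match User deploy" + "PasswordAuthentication yes" is still honoured.
harden_sshd_config() {   # $1 = input config, $2 = output path
    awk '
        BEGIN {
            print "Protocol 2"
            print "PermitRootLogin no"
            print "PasswordAuthentication no"
            inmatch = 0
        }
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { inmatch = 1 }
        !inmatch && (k == "protocol" || k == "permitrootlogin" || k == "passwordauthentication") { next }
        { print }
    ' "$1" > "$2"
}

# Demo on a constructed sample config (not a real server's file).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
# Sample sshd_config, constructed for this example
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
echo "== before"; check_sshd_config "$tmp/sshd_config" || echo "needs hardening"
harden_sshd_config "$tmp/sshd_config" "$tmp/sshd_config.hardened"
echo "== after";  check_sshd_config "$tmp/sshd_config.hardened"
rm -rf "$tmp"
```

To apply this on a real host, run harden_sshd_config against a backup copy of /etc/ssh/sshd_config, validate the result with sshd's -t test mode, install it, reload sshd, and keep the second session open as the post says. The commented "#PasswordAuthentication no" in the sample is deliberately left alone and deliberately not counted as a setting: sshd ignores it, and so does the audit.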