ssh-key-login

created by pur on 2022/04/07 - last changed on 2022/09/09

How to secure your ssh daemon?

If you don't think you need to harden your ssh daemon, check out:

sudo grep ssh /var/log/auth.log

Create key pair

ssh-keygen

Copy public key to server

The easiest way is to use the command ssh-copy-id. It's as easy as

ssh-copy-id user@example.com 

Alternative: Copy Manually

Log in to the server and append your public key file to ~/.ssh/authorized_keys, or alternatively open ~/.ssh/authorized_keys with your favorite text editor and paste the line from your public key file into it. You can even append your public key from your local machine by using something like this:

ssh user@example.com "echo \" `cat ~/.ssh/id*pub` \" >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Breakdown:
Log in as user on example.com and execute the following: echo all public keys stored in my local hidden ssh directory and, on the remote machine, append them to the file authorized_keys. Finally, we set the correct permissions.

Change Configuration file

Turn off PasswordAuthentication by

echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/local.conf

Of course you can also edit your /etc/ssh/sshd_config, but it's cleaner to preserve the default config file and create your own local file that defines deviations from the default. This has the advantage that after a system upgrade your local configuration will be unchanged even if the default config file from the package changes.
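An added check, not part of the original page: sshd uses the first value it obtains for each keyword, and the drop-in file is only read if the main config includes /etc/ssh/sshd_config.d/*.conf, so it is worth confirming the effective settings with sshd -T before restarting. The function name check_effective and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page).
# check_effective reads `sshd -T` output on stdin: one lowercase
# "keyword value" pair per line. It returns 0 only when password
# logins are off and public-key logins are on.
check_effective() {
    awk '
        $1 == "passwordauthentication"       { pw  = $2 }
        $1 == "pubkeyauthentication"         { pk  = $2 }
        $1 == "kbdinteractiveauthentication" { kbd = $2 }
        END {
            ok = 1
            if (pw != "no") {
                print "FAIL: passwordauthentication is " (pw == "" ? "unset" : pw)
                ok = 0
            }
            if (pk != "yes") {
                print "FAIL: pubkeyauthentication is " (pk == "" ? "unset" : pk)
                ok = 0
            }
            if (kbd == "yes") {
                print "WARN: kbdinteractiveauthentication is yes (PAM may still ask for a password)"
            }
            exit !ok
        }'
}

# Constructed sample outputs so the script runs without an sshd installed.
sample_good() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}
sample_bad() {   # local.conf was not picked up: password logins still on
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

sample_good | check_effective && echo "good sample: safe to restart"
sample_bad  | check_effective || echo "bad sample: do not restart yet"

# On the real server: validate syntax, then check the effective values.
#   sudo sshd -t && sudo sshd -T | check_effective
```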

Restart SSH Service

ATTENTION!!!
Make sure that you can connect via your key pair before restarting the service. Ideally, have a second terminal open with a connection to the remote server in case you lock yourself out! After you've altered /etc/ssh/sshd_config.d/local.conf or /etc/ssh/sshd_config, restart the service to apply the changes.

sudo systemctl restart sshd 

*TADA*