Now that you have installed Ubuntu Server successfully, it’s time to setup SSH public key authentication, and disable the usual password login. But first thing first, let’s go through some details about SSH:
Secure Shell (SSH) is a protocol that runs on TCP connection with port 22, with the purpose of controlling the server using the command line as if one is controlling it physically. This protocol runs on the client-server model, with the server acting as server, and the computer you’re trying to login from as client. There are two ways to login: password and private key. The private key can be many diverse encryption algorithms, such as RSA (most common) and DSA, along with differing size, with current standards no lower than 2048 bits for RSA and 1024 bits for DSA. Keep in mind that doubling the key size will not double the strength of the encryption – the actual gain in strength is less than 30%. Bigger key size means more CPU usage on both the client and server, and thus shorter battery runtime.
In this public key authentication, there is a key pair: the server has a public key assigned to the username the client wants to login to, while the client has a private key. This private key can be further protected with a password, called a passphrase, which you should use. Whatever the case, keep the private key as if your life depends on it, as it’s the only way you can login to the server remotely!
So why should you disable password authentications?
- Private keys are far longer than any password you can think of
- You will expose the server to countless break-in attempts 24/7
- A username can have multiple private keys, with any leaked keys simply revoked
- The private key cannot be cracked using the usual password-cracking methods (brute force, dictionary attacks, and especiall social engineering)
- The private key is never sent to anyone, even the server you’re connecting to
- If you use keys with passphrase, the attacker will need to also guess the passphrase on top of finding the key
Linux and OS X already have an SSH client in the terminal:
$ ssh -p portnumber username@address
The option -p specifies the port number to use; you can skip it if the port number is the default 22. Windows users have several options:
- PuTTY, a free SSH client
- OpenSSH in Cygwin (if installed)
- Ubuntu Bash Shell (for Windows 10 build 14316 and higher only)
With Cygwin and Ubuntu Bash Shell, Windows users has a terminal just like on Linux and OS X.
Now it’s time to install SSH public key authentication in the server:
- First of all, we need to generate a private/public key pair. Linux and OS X users can use ssh-keygen in the terminal, while Windows users can use puttygen. In this example we’re using only ssh-keygen. We will generate a 2048-bit RSA key pair, so:
$ ssh-keygen -t rsa -b 2048
The default save location is ~/.ssh/id_rsa . Type your passphrase if you want it. Note that the public key is at the same location, but with .pub extension.
- Now we need to transfer the content of the public key to ~/.ssh/authorized_keys of the username in the server. From the client, assuming the public key is left at the default location:
$ cat ~/.ssh/id_rsa.pub | ssh username@address ‘cat >> ~/.ssh/authorized_keys’
Replace the username and address to your configuration.You might get an error saying the directory does not exist – this is the case if there hasn’t been the directory .ssh in the home directory yet. If so, we’ll need to login using the password then create this directory, or from the client:
$ cat ~/.ssh/id_rsa.pub | ssh username@address ‘mkdir ~/.ssh && cat >> ~/.ssh/authorized_keys’
You should rename the private key so that it’s no longer id_rsa, since it’s not descriptive and the file might get overwritten when you use ssh-keygen later. The challenge now is that you need to keep your private keys, well, private. The usual recommended way is to keep them in the client’s home directory and enable encryption there. If the client is Linux or OS X, you should keep them in ~/.ssh/. It’s also recommended to use an SSH agent, such as the excellent Keychain, available for both Linux and OS X. Ubuntu users can simply install it by:
$ sudo apt-get install keychain
SSH agents increase convenience so that you don’t need to specify the private key every time you login, and also remember the key’s passphrase, if there is. Once you have it installed, add the key to the agent:
$ keychain ~/.ssh/yourprivatekeyfile
Note that you need to do this on all the users you want to login to. Now you can try logging in and it will not ask for password or private key! We can now disable password authentication so that the only the way to login is with private key. To do that we need to login to the server using a username with administrative privileges (aka sudo):
- Edit the SSH server’s configuration file:
$ sudo nano /etc/ssh/sshd_config
- Find a line that says PasswordAuthentication, then change yes to no, and make sure that there’s no # before PasswordAuthentication
- Find a line that says PubkeyAuthentication, then change no to yes, and make sure that there’s no # before PubkeyAuthentication
- Close the text editor by pressing Ctrl+O then Ctrl+X.
- Restart the SSH server:
$ sudo service ssh restart
Now you have successfully installed SSH public key authentication on your server!
But at the moment you cannot access SSH from the Internet, only from the local network. To do this, you will need to configure port forwarding so that the router will forward the SSH traffic to the server. How to configure port forwarding depends on your router so I cannot really make a definite guide here; consult the manual or the manufacturer’s website. You should use a port number that’s very high, from 1000 to 65535. Use your public IP address or domain name instead of the server’s local address when you want to connect from outside, and specify port number using the option -p.