The best way for power webmasters to manage a remote server is via SSH. The most secure way to manage your server via SSH is with password-less, key-based SSH logons. With passwordless entry, account users are no longer able to type in a username and password to gain entry; only computers whose SSH keys are already on the server are allowed in.
This is the most effective way of making sure that your servers are protected. We use passwordless entry on all our hosts.
Normal SSH implementations allow all account holders to type in their account username and password to gain access to the server. This makes it easy for the bad guys to make brute-force attempts to gain access, although there are other tools in place to prevent these types of attacks.
Removing the password option from SSH is, in my opinion, the best and most secure way to protect SSH against brute-force and other attacks. This should be implemented on all your servers. This brief tutorial is going to show you how to implement a passwordless logon on your Ubuntu 14.10 servers.
Here’s how it is set up. The client computer must upload its public key to the SSH server’s authorized_keys file. Before access is granted, the server and client validate the private/public key pair: if the public key on the server matches the private key presented by the client, access is granted.
To get started, install the SSH server if you haven’t already done so. To do that, run the command below.
sudo apt-get -y install openssh-server
Next, run the command below to start the SSH server.
sudo service ssh start
At this point every account holder on the server can access it via SSH using their username and password combination. This is obviously not secure. Continue below to implement a passwordless logon.
- Generating the client SSH key
To generate the client’s SSH key, run the command below.
ssh-keygen -t rsa
After running the command above, you will be shown the lines below:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa): Press Enter
Enter passphrase (empty for no passphrase): Press Enter
Enter same passphrase again: Press Enter
After that, the key pair will be generated and saved in the home directory of the user running the command (the private key in /home/username/.ssh/id_rsa and the matching public key in /home/username/.ssh/id_rsa.pub).
The next step is to export the client’s public key to the server. Only clients whose public keys are on the server will be allowed to log on. To export the key, run the command below.
ssh-copy-id user@server_ip_address
(server_ip_address can also be the server’s hostname.)
If the command was successful, you’ll see a message like the one below.
Permanently added ‘192.168.107.194’ (ECDSA) to the list of known hosts.
/usr/bin/xauth: file /home/richard/.Xauthority does not exist
Now try logging into the machine, with “ssh ‘firstname.lastname@example.org′”, and check in:
to make sure we haven’t added extra keys that you weren’t expecting.
Now that the client key is uploaded to the server, turn off the password logon option for SSH. To do that, sign on to the server and run the command below to open the SSH configuration file.
sudo vi /etc/ssh/sshd_config
When the file opens, make the following changes, save the file, and restart the SSH server.
sudo service ssh restart
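The tutorial does not spell out which sshd_config lines to change. The script below is an added example (it is not part of the original tutorial) that makes the edit idempotently and checks the result: it sets PasswordAuthentication to no, keeps ChallengeResponseAuthentication at no so that PAM keyboard-interactive cannot still prompt for a password, and makes PubkeyAuthentication explicit. It assumes GNU sed (as shipped on Ubuntu) and a POSIX sh; the file path is a parameter, so the demo runs on a constructed copy, while a real run would target /etc/ssh/sshd_config as root.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: turn off password logons in
# an sshd_config file idempotently, and check the effective setting afterwards.
# Assumptions: GNU sed and a POSIX sh; FILE is passed in by the caller.

# set_directive FILE KEY VALUE
# Rewrites every existing "KEY ..." line, commented out or not (Ubuntu ships most
# directives as "#KEY default"), to "KEY VALUE", and appends the line when the
# keyword is absent. Every occurrence is rewritten because sshd uses the FIRST
# value it reads for a keyword, so a stray earlier line would otherwise win.
# Note: a KEY inside a "Match" block is rewritten too.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        # make sure the file ends with a newline before appending
        [ -s "$file" ] && [ "$(tail -c 1 "$file")" != "" ] && echo >> "$file"
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE
#   weak default                          -> hardened value
#   #PasswordAuthentication yes           -> PasswordAuthentication no
#   ChallengeResponseAuthentication no    -> kept at no (PAM keyboard-interactive
#                                            could otherwise still ask a password)
#   #PubkeyAuthentication yes             -> PubkeyAuthentication yes (explicit)
harden_sshd_config() {
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no
    set_directive "$1" PubkeyAuthentication yes
}

# password_auth_disabled FILE
# Succeeds when the effective PasswordAuthentication value is "no": the first
# uncommented occurrence decides, and sshd's default when absent is "yes".
password_auth_disabled() {
    val=$(grep -E '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    [ "${val:-yes}" = "no" ]
}

# Demo on a constructed file (not a real server's config):
demo=$(mktemp)
printf '%s\n' '#PasswordAuthentication yes' 'ChallengeResponseAuthentication no' 'UsePAM yes' > "$demo"
password_auth_disabled "$demo" && echo "before: password logons off" || echo "before: password logons still ON"
harden_sshd_config "$demo"
password_auth_disabled "$demo" && echo "after: password logons off" || echo "after: password logons still ON"
cat "$demo"
rm -f "$demo"
```

On the server, run harden_sshd_config /etc/ssh/sshd_config as root, then sudo sshd -t to syntax-check the file before sudo service ssh restart. Keep your current session open and confirm a key logon from a second terminal before closing it, since a mistake here locks you out.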
Now try logging in again from the client computer whose SSH key was uploaded.
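If that logon still asks for a password (or, once passwords are off, is refused), the usual cause is file permissions rather than the key itself: sshd ignores authorized_keys when that file, ~/.ssh, or the home directory is writable by group or others (StrictModes, on by default), and the ssh client refuses a private key readable by anyone but its owner. The audit below is an added example, not part of the original tutorial; it assumes GNU coreutils stat (as on Ubuntu) and takes the directory as a parameter, so it can be run on the client's ~/.ssh or on the target account's ~/.ssh on the server.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the file modes that
# make key logons fall back to a password prompt or fail outright.
# Assumptions: GNU coreutils stat; DIR is passed in by the caller.

mode_of() { stat -c '%a' "$1"; }

# writable_by_others MODE   (MODE is octal text such as 775)
# True when the group or the other write bit is set.
writable_by_others() {
    m=$1
    g=$(( (m / 10) % 10 ))
    o=$(( m % 10 ))
    [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]
}

# audit_ssh_dir DIR
# Prints one "PROBLEM:" line per finding; the exit status is the number of
# findings, so 0 means the directory passes.
audit_ssh_dir() {
    dir=$1; n=0
    if [ ! -d "$dir" ]; then
        echo "PROBLEM: $dir does not exist"
        return 1
    fi
    # the home directory itself must not be writable by group/others
    m=$(mode_of "$(dirname "$dir")")
    if writable_by_others "$m"; then
        echo "PROBLEM: $(dirname "$dir") is mode $m, sshd StrictModes rejects it"
        n=$((n + 1))
    fi
    m=$(mode_of "$dir")
    if writable_by_others "$m"; then
        echo "PROBLEM: $dir is mode $m, expected 700 (sshd StrictModes rejects it)"
        n=$((n + 1))
    fi
    if [ -f "$dir/authorized_keys" ]; then
        m=$(mode_of "$dir/authorized_keys")
        if writable_by_others "$m"; then
            echo "PROBLEM: $dir/authorized_keys is mode $m, expected 600"
            n=$((n + 1))
        fi
    fi
    # private keys: anything named id_* that is not a .pub file
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        m=$(mode_of "$key")
        if [ $(( m % 100 )) -ne 0 ]; then   # group and other bits must be clear
            echo "PROBLEM: private key $key is mode $m, expected 600 (ssh refuses it)"
            n=$((n + 1))
        fi
    done
    return $n
}

# Demo on a constructed directory tree (not a real account):
home=$(mktemp -d)
mkdir -m 775 "$home/.ssh"
echo 'ssh-rsa CONSTRUCTED-KEY-DATA user@client' > "$home/.ssh/authorized_keys"
echo 'CONSTRUCTED PRIVATE KEY' > "$home/.ssh/id_rsa"
chmod 664 "$home/.ssh/authorized_keys"; chmod 644 "$home/.ssh/id_rsa"
audit_ssh_dir "$home/.ssh" || echo "findings: $?"
# the modes sshd and ssh expect:
chmod 700 "$home/.ssh"; chmod 600 "$home/.ssh/authorized_keys" "$home/.ssh/id_rsa"
audit_ssh_dir "$home/.ssh" && echo "clean"
rm -rf "$home"
```

To prove from the client that the key alone is being used, run ssh -o PasswordAuthentication=no -o BatchMode=yes user@server_ip_address true; BatchMode stops the client from prompting, so the command succeeds only on a key logon. Running ssh -v against the hardened server should show publickey as the only method the server still offers.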