OpenSSH or Secure Shell has become the default connection method to remote Linux servers. It comes pre-installed in most Linux distributions and works right out of the box. No need to configure, just install and it’s ready to start accepting connections.

Although SSH is secure and far better than most remote shell tools, leaving it as is after installing may not provide the best protection for your servers or secured resources. The better method is to install the SSH server and enable password-less login, so that only encryption keys can be used to log in.

With this method, users won’t be able to get into the system by typing a password. Only clients holding the private key that matches a public key installed on the server will be allowed in. This is far more secure than using passwords to sign into your servers.

Hackers and others who want to break into your systems can’t get in by guessing passwords, because password logins are not accepted at all. The computer attempting access must already have its public key on the server, and without that, access will always be denied.

This tutorial is going to show you how to configure SSH securely to only allow login with encryption keys, also known as password-less login.

To get started, install OpenSSH onto your server. For this tutorial, I am using Ubuntu 15.04.

To install OpenSSH on Ubuntu, run the command below.

sudo apt-get -y install openssh-server

After installing, start the server using the command below.

sudo systemctl start ssh

The server is started and ready to accept connections right away. By default, SSH allows anyone who can reach the system remotely to log in with a username and password.

Before configuring the server to reject username and password logins, create the client authentication keys on the client machine. To do that, run the command below.

ssh-keygen -t rsa

You’ll be prompted with the screen below.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa): Press Enter
Enter passphrase (empty for no passphrase): Press Enter
Enter same passphrase again: Press Enter

After that, your key pair will be generated and saved in the home directory of the user running the command (/home/username/.ssh/id_rsa).

Next, run the command below to copy your public key into the server’s authorized keys. Only clients that can prove they hold the private key matching a public key stored on the server will be allowed in.

ssh-copy-id user@server_ip_address_or_hostname

That will copy over the client’s public key.

Next, log on to the server and configure SSH to reject username and password logins. To do that, run the command below to open the SSH configuration file.

sudo vi /etc/ssh/sshd_config

Then make the changes below and save the file.

PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys
PasswordAuthentication no
PermitRootLogin no
ChallengeResponseAuthentication no

After saving the file, reload the SSH server and test. You should be able to log in automatically without typing a password.

To reload the new SSH configuration, run the command below.

sudo systemctl reload ssh
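The edit-and-reload step above, as an added example that is not part of the original tutorial: a POSIX sh script that applies the five settings to an sshd_config file idempotently (rewriting commented-out defaults in place), checks the effective value the way sshd reads it (first uncommented line wins), and validates the file with sshd -t before reloading. It assumes sed, grep and awk are available and does not handle directives inside Match blocks; the sample config it writes is constructed for testing, not taken from a real server.

```shell
# set_sshd_option FILE KEY VALUE: rewrite an existing (even commented-out)
# KEY line in place, or append "KEY VALUE" if the directive is absent.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # overwrite in place so owner and mode are kept
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# The directive is AuthorizedKeysFile; a misspelled option name makes sshd
# refuse to start ("Bad configuration option"), which sshd -t reports.
harden_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" ChallengeResponseAuthentication no
}

# check_sshd_option FILE KEY VALUE: succeed only if the first uncommented
# KEY line, which is the one sshd actually uses, carries VALUE.
check_sshd_option() {
    actual=$(grep -Ei "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    [ "$actual" = "$3" ]
}

# Validate with sshd's own parser before reloading so a bad edit cannot lock
# you out; keep the current session open and test a fresh login separately.
apply_and_reload() {
    file=${1:-/etc/ssh/sshd_config}
    sudo sshd -t -f "$file" || { echo "$file is invalid, not reloading" >&2; return 1; }
    sudo systemctl reload ssh
}

# Constructed sample config (not from any real server) to exercise the
# functions offline; apply_and_reload is only for the real server.
write_sample_config() {
    printf '%s\n' '#PubkeyAuthentication yes' 'PasswordAuthentication yes' \
        'PermitRootLogin prohibit-password' \
        '#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2' > "$1"
}
```

On the server itself, run harden_sshd_config followed by apply_and_reload, then confirm a new key-based login works in a second terminal before closing the first.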

The next time you attempt to access your server, you won’t be prompted for a username and password. You will be granted access automatically.

For anyone else, not so much: they will be denied automatically.

Enjoy!