One secure and easy way of logging in to your remote server is by means of SSH keys. Basically you generate an SSH public/private key pair on your local machine, you put the public key on the remote server and the private key on you local machine, that way people trying to login on the remote box must have a matching private key. Here’s how i’ve done it.
Step 1 – Generating the key pair
First, in our local machine, we create the place to store our key pair and then we generate the key pair.
$ cd ~
$ mkdir .ssh
$ ssh-keygen -t rsa
Just accept the default location for the keys ~/.ssh. Personally i leave the password empty but you can use a password if you like.
Two files were created inside .ssh: id_rsa and id_rsa.pub, this last one is the public key and it’s the one that has to be installed on the server.
Step 2 – Installing the private key on the server
Now we copy the public key to the remote server, we’ll use scp (secure copy) to do this the following line is run on the local machine.
scp ~/.ssh/id_rsa.pub firstname.lastname@example.org:/home/myself/
We have copied the file to the remote server but we still need to properly set it up, on the remote machine run :
$ mkdir /home/myself/.ssh
$ mv /home/myself/.ssh/id_rsa.pub /home/myself/.ssh/authorized_keys
Now we must fix the permissions.
$ chown -R myself:myself /home/.ssh
$ chmod 0700 /home/myself/.ssh
$ chmod 0600 /home/myself/.ssh/authorized_keys
And voilá, the hard part is done, now we just check sshd configuration and disable Password Authentication.
Step 3 – Finishing up
$ sudo nano /etc/ssh/sshd_config
In this case i’ll disable password authentication in sshd, this way as long as i have the correct ssh keys installed i can login without typing my password.
Also, i believe it’s always better to disable ssh root login and rely on sudo (remember to setup sudo permissions for your user first), i believe this to be particularly important when disabling ssh password authentication.
I also change the port for some small extra security. Look for the following lines (they might not be in this order or they might not contain these same values):
change the port to whichever port you desire to use, change the other two values both to no.
Next we restart sshd and it’s done.
$ sudo /etc/init.d/ssh restart
Assuming everything went ok with the previous steps you can now login from you local machine.
$ ssh email@example.com
Last login: Mon Aug 17 22:13:50 2009 from 126.96.36.199
firstname.lastname@example.org$ echo $PWD
I hope this works for you as it did for me, i can’t recommend enough that you go through SSH documentation to gain a better understanding on it’s inner workings and recommended security practices.