Remote login with SSH key pair

One secure and easy way of logging in to your remote server is by means of SSH keys. Basically you generate an SSH public/private key pair on your local machine, you put the public key on the remote server and the private key on you local machine, that way people trying to login on the remote box must have a matching private key. Here’s how i’ve done it.

Step 1 – Generating the key pair

First, in our local machine, we create the place to store our key pair and then we generate the key pair.

$ cd ~
$ mkdir .ssh
$ ssh-keygen -t rsa

Just accept the default location for the keys ~/.ssh. Personally i leave the password empty but you can use a password if you like.

Two files were created inside .ssh: id_rsa and id_rsa.pub, this last one is the public key and it’s the one that has to be installed on the server.

Step 2 – Installing the private key on the server

Now we copy the public key to the remote server, we’ll use scp (secure copy) to do this the following line is run on the local machine.

scp ~/.ssh/id_rsa.pub myself@sample.ponto-dot.com:/home/myself/

We have copied the file to the remote server but we still need to properly set it up, on the remote machine run :

$ mkdir /home/myself/.ssh
$ mv /home/myself/.ssh/id_rsa.pub /home/myself/.ssh/authorized_keys

Now we must fix the permissions.

$ chown -R myself:myself /home/.ssh
$ chmod 0700 /home/myself/.ssh
$ chmod 0600 /home/myself/.ssh/authorized_keys

And voilá, the hard part is done, now we just check sshd configuration and disable Password Authentication.

Step 3 – Finishing up

$ sudo nano /etc/ssh/sshd_config

In this case i’ll disable password authentication in sshd, this way as long as i have the correct ssh keys installed i can login without typing my password.

Also, i believe it’s always better to disable ssh root login and rely on sudo (remember to setup sudo permissions for your user first), i believe this to be particularly important when disabling ssh password authentication.

I also change the port for some small extra security. Look for the following lines (they might not be in this order or they might not contain these same values):

Port 22
PasswordAuthentication yes
PermitRootLogin yes

change the port to whichever port you desire to use, change the other two values both to no.

Port 6633
PasswordAuthentication no
PermitRootLogin no

Next we restart sshd and it’s done.

$ sudo /etc/init.d/ssh restart

Assuming everything went ok with the previous steps you can now login from you local machine.

$ ssh myself@sample.ponto-dot.com
Last login: Mon Aug 17 22:13:50 2009 from 113.67.154.27
myself@67.19.123.145$ echo $PWD
/home/myself
myself@67.19.123.145$

Conclusion

I hope this works for you as it did for me, i can’t recommend enough that you go through SSH documentation to gain a better understanding on it’s inner workings and recommended security practices.

Leave a Reply

Your email address will not be published. Required fields are marked *