#Set up key only auth for SSH



        XXX:
            >basic knowledge of public key cryptography
        >the server holds a public key, while the client has a private key
          which it will use for authentication
        >this way we protect against brute-force attacks and
          optionally avoid having to enter a password manually when connecting
        1. Create a key pair
            Green( anon@Client )$ ssh-keygen
            "Generating public/private rsa key pair."
            "Enter file in which to save the key (/home/anon/.ssh/id_rsa):" 
            "Enter passphrase (empty for no passphrase):" [password]
            "Enter same passphrase again:" [password]
            "Your identification has been saved in ignore"
            "Your public key has been saved in ignore.pub"
            "The key fingerprint is:"
            "SHA256:sAswBDPwdk6wqK8HSOvDBRUrJmYbA0O9i8ZAmTbxve0 anon@Client"
            "The key's randomart image is:"
            "+---[RSA 3072]----+ "
            "|=o=.o o     *    | "
            "|.Xx+o+ +   a     | "
            "|+BB o.o .   b    | "
            "|*o*   o          | "
            "|+o* o...S        | "
            "|.=.B  .+    r    | "
            "|+ ..+ oE         | "
            "| + .jklas8u      | "
            "|  o.             | "
            "+----[SHA256]-----+ "
            ¤NOTES:
                          : if you're following this tutorial then the default is probably good enough for you
                [password]      : optional password; your private key will be encrypted with this,
                                   which makes it secure from being plainly stolen,
                                   however do note that you'll have to enter it
                                   with every new ssh-agent session;
                                   don't be afraid to leave it empty
        2. Get the server's identifier
            >if the server is located on the LAN use:
                Red(   root@Server )$ ip a
                //look for the num string which fits the pattern:
                    192.168.0.
            >if the server is located on WAN look up its IP online
            >if the server has a registered domain use that
            >NOTE: use whatever you got as "" from now on
        3. Add the key to the server
            Green( anon@Client )$ ssh-copy-id 
            >if the key location is not the default,
              explicitly specify its path using the `-i` flag
              and point it towards the `.pub` file
        4. Login to the server
            Green( anon@Client )$ ssh 
            >this step serves as both ground work for easing the next step and as a test
            >if you're prompted for a password, something went terribly wrong; do not proceed
        5. Disable password authentication
            Red(   root@Server )$ ${EDITOR} /etc/ssh/sshd_config
            ¤add or modify lines to match the following rules:
                PubkeyAuthentication yes
                PasswordAuthentication no
        6. Restart ssh server
            Red(   root@Server )$ systemctl restart sshd
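
A check for steps 5 and 6, added here as an example and not part of the original tutorial: sshd keeps the first value it obtains for each keyword, so a `PasswordAuthentication no` appended below an existing `yes` has no effect. The function names and the sample configs are made up for illustration; Include files are not followed and only the global section is read.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# sshd keeps the FIRST value it obtains for a keyword, so appending
# "PasswordAuthentication no" below an existing "yes" changes nothing.
# Assumptions of this sketch: Include files are not followed, and only the
# global section (everything before the first Match line) is read.

# usage: effective_value FILE KEYWORD DEFAULT  -> prints the value in effect
effective_value() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == want { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# usage: key_only_auth FILE  -> exit status 0 if step 5 is really in effect
# (both keywords default to "yes" when they are absent)
key_only_auth() {
    [ "$(effective_value "$1" PubkeyAuthentication yes)" = yes ] &&
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ]
}

# Constructed sample configs (hypothetical, written to a temp dir).
demo_dir=$(mktemp -d)
printf '%s\n' '# "no" appended below an existing "yes"' \
    'PasswordAuthentication yes' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' > "$demo_dir/appended"
printf '%s\n' 'pubkeyauthentication yes' \
    'PasswordAuthentication no   # edited in place' > "$demo_dir/edited"
printf '%s\n' 'Match User anon' \
    '    PasswordAuthentication no' > "$demo_dir/match_only"

for f in appended edited match_only; do
    if key_only_auth "$demo_dir/$f"; then
        echo "$f: key only"
    else
        echo "$f: password login still enabled"
    fi
done
rm -rf "$demo_dir"
```

On the server itself, `sshd -t` validates the file before the restart and `sshd -T` prints the settings actually in effect, Include files included.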
        Troubleshooting:
            ¤permissions
                >ssh is very sensitive to the correct permissions on the server
                  (for understandable security reasons, but the error reporting ain't great)
                :--------------:------------------------:
                |  Permission  |          File          |
                :--------------:------------------------:
                :         755  : ~/                     :
                :         700  : ~/.ssh/                :
                :         600  : ~/.ssh/authorized_keys :
                :--------------:------------------------: