Upgrading to Private Key Authentication

How To Upgrade to Private Key Authentication

SSH is a secure way to connect to remote servers directly, but you can take a number of other steps to further ensure that your connections are legitimate. The simplest and best way to do this is by using SSH keys.

SSH key authentication uses a public key and a private key. The public key can be freely shared on the internet, while the private key should never be shared with anyone or taken outside your local computer. By putting your public key on your VPS, you log in by matching your private key against it. This dramatically increases the security of the connection: SSH keys are almost impossible to attack by brute force.

Create the SSH keys

First, create your keys on your local machine:

[Image: creating the SSH keys on the local machine]

You’ll be prompted for where to save the newly created files.

[Image: choosing the location to save the newly created files]

The best option here is to press Enter and place the keys in their default location. Next, you’ll be asked for a passphrase.

[Image: entering the passphrase]

There are advantages and disadvantages to encrypting your SSH key with a passphrase. Passphrases offer increased security: even if an attacker gets your private key, they will have to figure out its passphrase before they can use it. This is almost like two-factor authentication for SSH.

A strong, safe passphrase also means that you are required to type it every time you use your key. Take into account all the variables of your use case: no passphrase or a weak passphrase is appropriate when this is a personal server. Security is far more critical if your server hosts user data.

You’ll be asked to enter the passphrase again, no matter your choice. The program will then print some additional output and create your keys. The public key (the one you may share) is located at /home/local-user/.ssh/id_rsa.pub. The private key is located at /home/local-user/.ssh/id_rsa.

Copy the SSH key to your server

Now, you need to copy your public key to the VPS that you want to log into. The easiest way to do this is to use the ssh-copy-id program.

[Image: copying the SSH key to your server]

If you don’t have that program available, you can also use the following command, which pipes the content of your public key file through SSH and appends the output to the end of the authorized_keys file on your server.

[Image: appending the SSH key to the authorized_keys file on your server]

You’ll see some output related to connecting to the server and copying your public key into the authorized_keys file on the VPS. Now you can try logging in with SSH again. 

[Image: SSH login to the server using the key]

You will be signed in automatically if you did not secure your SSH key with a passphrase. If you did, SSH will prompt you for it. It’s important to remember that SSH is asking for the passphrase for your SSH key, not one of your previous user passwords.

Disable password-based logins

Once you have confirmed that you can log into your VPS using SSH keys, you can improve security by disabling password-based logins for the root user and other users.

Log into your VPS if you haven’t already.

[Image: logging in to the VPS]

Open up the SSH configuration file in your editor of choice. nano is a user-friendly option for those newer to Linux administration.

[Image: opening the SSH configuration file]

You’re looking for two lines: one that begins with PermitRootLogin and another that begins with PasswordAuthentication. Change them to the following:

[Image: the PermitRootLogin and PasswordAuthentication lines]

Finally, reload SSH to apply this change (for Ubuntu-based servers).

[Image: reloading SSH to enable the change]

From now on, you will be able to log into your root account using your SSH key. You cannot log into the root account directly.
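As an added example (not part of the original article), the script below checks an sshd_config-style file for the two directives edited in the "Disable password-based logins" step and reports whether password logins are really off. The function names and sample files are constructed for illustration. Because the article's exact values did not survive, it assumes current OpenSSH defaults and accepts any PermitRootLogin value that rules out root password logins.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the two directives
# edited in the "Disable password-based logins" step.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Parsing stops at the first Match block, whose settings
# are conditional. DEFAULT is printed when the keyword is not set.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                  # whole-line comment
        { sub(/[ \t]*=[ \t]*/, " ") }        # allow "Keyword=value"
        tolower($1) == "match" { exit }
        tolower($1) == key && NF >= 2 { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# password_logins_disabled FILE
# Succeeds only when password authentication is off globally and root is
# limited to non-password logins. Defaults are those of current OpenSSH
# (assumption: the server does not ship different compiled-in defaults).
password_logins_disabled() {
    pa=$(effective_value "$1" PasswordAuthentication yes)
    prl=$(effective_value "$1" PermitRootLogin prohibit-password)
    if [ "$pa" != "no" ]; then
        echo "FAIL: PasswordAuthentication is $pa"; return 1
    fi
    case "$prl" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "FAIL: PermitRootLogin is $prl"; return 1 ;;
    esac
    echo "OK: PasswordAuthentication=$pa PermitRootLogin=$prl"
}

# Constructed sample files, not taken from a real server.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#PermitRootLogin prohibit-password' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' > "$tmp/before"
printf '%s\n' 'PermitRootLogin prohibit-password' \
    'passwordauthentication no' > "$tmp/after"
password_logins_disabled "$tmp/before" || true   # FAIL: first value wins
password_logins_disabled "$tmp/after"            # OK
```

On a live server, point the check at /etc/ssh/sshd_config before reloading, and keep your current session open until a second key-based login succeeds. Running `sshd -T` as root prints the configuration sshd actually resolves, including any `Include`d files that this single-file check does not follow.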