SSH stands for Secure Shell. It lets you use the terminal (shell) on a remote machine over a connection that is encrypted and in which both sides are authenticated.
There are two common ways to prove your identity when connecting to a server via SSH: a password, or an SSH key pair.
Password authentication is the default method: you run a command similar to
ssh myuser@myserver
and you are prompted for the password of the user myuser on myserver. Pretty straightforward. The weakness is the password itself: it may be short or reused, and because the server accepts guesses from anyone who can reach it, it can always be brute-forced.
There are a few ways to make a password-protected SSH server harder to attack. One is to limit the number of failed attempts a client may make before it is blocked. Another is to limit the number of new connections per minute from a single address. Both only slow an attacker down; the password is still the thing being guessed.
The most secure option is SSH key pairs. The client proves possession of a private key whose public half is listed on the server, so only clients on a predetermined list of public keys are accepted, and everyone else fails the check before any password could even be tried.
Here’s how to set up SSH keys on your client machine:
1. Check if you already have SSH keys: run
cat ~/.ssh/id_rsa.pub
If this outputs something like
ssh-rsa <lots-of-random-characters>== firstname.lastname@example.org
then you already have an RSA key pair, so you can skip to step 5. You can generate a new pair if you want, but writing it to the same filename overwrites the old one, so make sure nothing still depends on it. If cat complains that it cannot find the file, you don't have any SSH keys yet; proceed with step 2.
2. Run the command
ssh-keygen -t rsa -C "email@example.com" -b 4096
This generates a new 4096-bit RSA key pair. The -C comment is only a label appended to the public key so you can tell keys apart; it plays no part in authentication. (Current OpenSSH also offers Ed25519 keys via the -t ed25519 option; they are much shorter and at least as strong, and the remaining steps are the same with id_ed25519 in place of id_rsa.)
3. You will be prompted for a location at which to store the keys. The default is /home/your_username/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key (the same path with .pub appended; ~ is your home directory). This is also the key ssh uses by default.
4. Enter a secure passphrase: this is optional, but recommended. The passphrase encrypts the private key on disk, so a copied file is useless to whoever copies it unless they also obtain the passphrase. ssh-agent can cache it so you type it once per session rather than on every connection.
5. You now have two files in ~/.ssh/: id_rsa contains your private key, and id_rsa.pub contains your public key. The public key can be given to any server or service, but NEVER show the private key to anyone: whoever holds it can log in as you wherever the public key is authorized. Ideally, never even display the contents of the private key file. (ssh itself refuses to use a private key whose permissions let other users read it; keep it at mode 600.)
Now that you have your SSH keys, you need to share your public key with the servers you want to connect to.
Services like GitHub or GitLab have a web interface for this, where you paste the contents of ~/.ssh/id_rsa.pub to add a public key. A handy way of getting it onto the clipboard is the program xclip (which you may need to install first with sudo apt install xclip):
cat ~/.ssh/id_rsa.pub | xclip
This copies the contents of ~/.ssh/id_rsa.pub to the X primary selection, which you paste with a middle click; if you want it in the Ctrl+V clipboard instead, give xclip the -selection clipboard option. Either way, check that what you paste starts with ssh-rsa and ends with your comment, and that you did not grab id_rsa by mistake.
On a custom server, however, you need to add the key to the authorized keys on the server side yourself. You can do this over SSH, using your password one last time:
cat ~/.ssh/id_rsa.pub | ssh myuser@myserver 'cat >> .ssh/authorized_keys'
SSH prompts you for the password of myuser, then appends your public key to /home/myuser/.ssh/authorized_keys. Two caveats: the command fails if ~/.ssh does not yet exist on the server, and sshd ignores the file if it or the .ssh directory is writable by other users (the directory should be mode 700 and the file 600). The ssh-copy-id utility that ships with OpenSSH handles both for you. After this, you will no longer be prompted for the password when connecting to
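As an added example (not code from the original article), here is a POSIX shell script that does steps 1, 2 and 5 on the client and the authorized_keys step on the server the way ssh-copy-id does: it creates the .ssh directory when missing, sets the permissions sshd's StrictModes check requires (700 on the directory, 600 on the file), and refuses to append a key line that is already present. The function names ensure_keypair, install_pubkey and count_authorized, and the sample key lines in the comments, are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names: ensure_keypair,
# install_pubkey, count_authorized. Uses only ssh-keygen and POSIX tools.

# ensure_keypair KEYFILE COMMENT
# Generate a 4096-bit RSA key pair at KEYFILE if KEYFILE.pub does not exist
# (step 1 + step 2), and print the public key path either way.
# -N "" makes an unencrypted key so this runs unattended; drop -N to be
# prompted for a passphrase, which is what the article recommends.
ensure_keypair() {
  keyfile=$1
  comment=$2
  if [ -f "$keyfile.pub" ]; then
    echo "$keyfile.pub"        # existing key: do not overwrite it
    return 0
  fi
  mkdir -p "$(dirname "$keyfile")"
  chmod 700 "$(dirname "$keyfile")"
  ssh-keygen -q -t rsa -b 4096 -C "$comment" -f "$keyfile" -N "" || return 1
  chmod 600 "$keyfile"         # ssh refuses to load a private key readable by others
  echo "$keyfile.pub"
}

# install_pubkey PUBKEY_LINE SSHDIR
# Server side: append one public-key line to SSHDIR/authorized_keys unless it
# is already there, with the permissions sshd's StrictModes check requires.
# Fixes the three gaps in  cat id_rsa.pub | ssh host 'cat >> .ssh/authorized_keys':
# missing directory, wrong permissions, duplicate entries.
install_pubkey() {
  pubkey=$1
  sshdir=$2
  authkeys="$sshdir/authorized_keys"
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  touch "$authkeys"
  chmod 600 "$authkeys"
  if grep -qxF "$pubkey" "$authkeys"; then
    return 0                   # already authorized; nothing to do
  fi
  printf '%s\n' "$pubkey" >> "$authkeys"
}

# count_authorized SSHDIR
# Number of non-empty lines in authorized_keys (used to check idempotence).
count_authorized() {
  grep -c . "$1/authorized_keys" || true
}

# Typical use (not run here):
#   pub=$(ensure_keypair "$HOME/.ssh/id_rsa" "email@example.com")
#   ssh myuser@myserver "$(printf 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && ')\
#     printf '%s\n' '$(cat "$pub")' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
# or copy this file to the server and call:
#   install_pubkey "ssh-rsa AAAA... you@example.com" "$HOME/.ssh"
```

The one-liner in the usage comment is what ssh-copy-id runs for you; after it succeeds, a new ssh myuser@myserver should log in without asking for the password, which is the check to make before going on to the next section.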
Disabling password access
As an added security measure, we can disable password authentication on the server completely. Then only clients that hold a private key whose public half is listed in the server's
authorized_keys file can log in, and brute-force attacks against passwords become pointless: a 4096-bit RSA key cannot be guessed. Before you do this, open a second terminal and confirm that key-based login already works, because once passwords are off a mistake in the key setup locks you out.
To do this, log in to the server (directly or via SSH) and open
/etc/ssh/sshd_config as root (e.g. with
sudo nano /etc/ssh/sshd_config). Next, find the line
and change it to
Finally, restart the
ssh service so sshd re-reads the file (existing sessions stay up, so keep yours open and test with a new connection; on some distributions the service is called sshd):
sudo service ssh restart
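Added example, not from the original article: a POSIX shell function that makes the sshd_config change from this section without leaving a second password path open, plus a check of the value sshd will actually use. PasswordAuthentication, KbdInteractiveAuthentication (newer OpenSSH's name for ChallengeResponseAuthentication, which is kept as an alias), PubkeyAuthentication and the sshd -t and sshd -T modes are real OpenSSH directives and flags; the function names set_directive, disable_password_auth and effective_value, and the sample config lines, are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed function names:
# set_directive, disable_password_auth, effective_value.
#
# Why more than one line changes: sshd can also accept a password through
# PAM's keyboard-interactive path, so PasswordAuthentication no on its own
# does not close it; KbdInteractiveAuthentication (older name:
# ChallengeResponseAuthentication) must be off as well.

# set_directive FILE NAME VALUE
# Rewrite every active or commented-out "NAME ..." line (the default config
# ships them commented out) as "NAME VALUE"; append if NAME never appears.
set_directive() {
  file=$1 name=$2 value=$3
  if grep -Eqi "^[[:space:]]*#?[[:space:]]*$name([[:space:]]|$)" "$file"; then
    tmp=$(mktemp)
    awk -v n="$name" -v v="$value" '
      tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(n) "([ \t]|$)") { print n " " v; next }
      { print }' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner and mode
  else
    printf '%s %s\n' "$name" "$value" >> "$file"
  fi
}

# disable_password_auth FILE
# Weak setting:   PasswordAuthentication yes  (or commented out, which means yes)
# Hardened:       passwords and keyboard-interactive off, public keys on.
disable_password_auth() {
  set_directive "$1" PasswordAuthentication no
  set_directive "$1" KbdInteractiveAuthentication no
  set_directive "$1" ChallengeResponseAuthentication no   # alias on older sshd
  set_directive "$1" PubkeyAuthentication yes
}

# effective_value FILE NAME
# The value sshd takes from FILE: for a directive given more than once, the
# first occurrence wins, so this prints the first active match.
effective_value() {
  awk -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == n { print $2; exit }' "$1"
}

# Typical use on the server (not run here):
#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   disable_password_auth /etc/ssh/sshd_config     # as root
#   sudo sshd -t                                   # syntax check before restart
#   sudo service ssh restart
#   sudo sshd -T | grep -i -E 'passwordauthentication|kbdinteractive'
# The last line prints the settings sshd actually loaded. Debian/Ubuntu's
# sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and because
# the first value read wins, a drop-in there saying "yes" overrides your edit;
# fix it in the drop-in if sshd -T still reports yes.
```

The sshd -T check is the part to not skip: it reports the configuration as sshd parses it, Include files and all, which is the only reliable way to confirm passwords are really off before you close your existing session.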