Use SSH Key Authentication

This how-to on SSH key authentication helps you increase the security of SSH and, at the same time, makes logging in easier. It closes with additional system hardening options for your consideration.

Background

If you use SSH for remote access to another computer, this is a good option. There are several layers of security you can add to the connection. Key-based SSH login with password login disabled is one that many security practitioners recommend.

SSH key-based login uses a public/private key pair instead of a password (plain SSH keys are not certificates; OpenSSH does have a separate certificate mechanism, which this how-to does not use). It is generally considered far more secure than password login: the private key never leaves your computer, so attacks based on password guessing or brute forcing no longer work. Logging in with a key is also more convenient.

One more point: you want a strong cryptographic algorithm. This how-to therefore uses Ed25519, which OpenSSH has supported since version 6.5.

How To Use SSH Key Authentication 

Step 1: Generate An Ed25519 Key Pair On The Remote System

On the remote system (the Raspberry Pi in this example) run

ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"

This generates a new key pair (a private and a public key). The output looks like the below. During the process, decide whether you want to set a passphrase for the private key. Strictly speaking, the remote system does not need its own key pair to accept key-based logins; this pair is only used if the remote system itself connects to other hosts. Running ssh-keygen here does, however, create the ~/.ssh directory with the correct permissions (0700), which Step 3 relies on.

pi@raspberry:~$ ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/openhabian/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/openhabian/.ssh/id_ed25519
Your public key has been saved in /home/openhabian/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:iic0RyBXlhKNmvr7OxS8z95dcdRi8EmQRpsXG1J3zeE OpenHAB3
The key's randomart image is:
+--[ED25519 256]--+
|  . +=o.   .=+=o=|
|   oooo     oB.B+|
|   + ..    .o OE.|
|  o o.       + . |
| .  oo. S   . .  |
|.  .o+ .     o   |
| . .ooo     .    |
|  . .oo. . .     |
|  .oo+. . .      |
+----[SHA256]-----+

That’s it.

Step 2: Generate An Ed25519 Key Pair On Your Computer

If your own computer (not the remote computer for which you created the key pair above) already has an Ed25519 key pair, you can skip Step 2. If it does not, run Step 2.

To create the keys on your “home” computer, run

ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"

This generates a new key pair (a private and a public key). The output looks like the below. During the process, decide whether you want to set a passphrase for the private key. Since this private key is the one that grants remote login, and possibly login to other systems as well, it is recommended to set a passphrase: anyone who copies the file then still cannot use it without the passphrase. If typing it on every connection is a nuisance, ssh-agent can hold the unlocked key for the duration of your session.

Mike@Mac-Mini ~ % ssh-keygen -t ed25519 -C "Your@E-MailAddress.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/Mike/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /users/Mike/id_ed25519
Your public key has been saved in /users/Mike/id_ed25519.pub
The key fingerprint is:
SHA256:D38BRm81OT5jE5AtD+eCHXG77tNNQUhnC1jGk7Bsw3g test
The key's randomart image is:
+--[ED25519 256]--+
|          ..OX*+ |
|         .+oBBX+.|
|         .oEoO++ |
|         .+o+ Oo |
|        S   .o.+.|
|         +   o  .|
|          o . .o.|
|           . .. o|
|              .. |
+----[SHA256]-----+

Step 3: Copy Your Public Key To The Remote System

You now have a new Ed25519 key pair both on your "home" PC and on the remote system. Each pair consists of a public and a private key; the public key file ends with ".pub". To allow key-based login, the remote system needs to know your public key. For this reason we copy the public key of your "home" system to the remote system, into the authorized_keys file of the user you will log in as.

To do so, run on the remote system the command below (if the file does not exist, this creates it):

nano /home/pi/.ssh/authorized_keys

Into this file you paste the public key of your home system, which is most likely stored in the file id_ed25519.pub. It is a single line starting with "ssh-ed25519"; paste it as one line, without line breaks. Never copy the private key (id_ed25519, without ".pub") to the remote system. Afterwards make sure the ~/.ssh directory is not writable by other users (mode 700) and authorized_keys is readable only by its owner (mode 600): with its default StrictModes setting, sshd silently ignores the file otherwise, and the key-based login in Step 4 fails. The ssh-copy-id tool, run from your home computer, does all of this for you as long as password login still works.

Step 4, Test

Let’s test this now. Open on the home system another terminal window and run:

ssh -i .ssh/id_ed25519 YourUser@RemoteIPAddress

  • YourUser: the user name on the remote system. On a standard Raspberry Pi installation it is "pi", for example; on many Linux installations it is "root" (root login gets disabled in the hardening chapter, so prefer a normal user).
  • RemoteIPAddress: the IP address or host name of your remote system
  • .ssh/id_ed25519: the path to the private key file on your home computer (here the file is simply called id_ed25519 and lives in the .ssh directory of your home directory; since this is the default location, the -i option can also be left out)

If Steps 1-3 succeeded, the login after running the command in Step 4 looks like this. If you set a passphrase in Step 2, you are asked for that passphrase, not for the account password of the remote user:

Mike@Mac-Mini .ssh % ssh -i id_ed25519 pi@RemoteIPAddress
Linux raspberrypi 5.15.76-v7+ #1597 SMP Fri Nov 4 12:13:17 GMT 2022 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan  3 17:25:19 2023 from YOUR IP ADDRESS
pi@raspberrypi:~ $

Done & Enjoy! 
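The manual copy in Step 3 is easy to get wrong (a line break inside the key, a private key pasted by mistake, or a permission that sshd rejects). The POSIX shell helper below is added here as an example; it is not part of the original how-to and not an OpenSSH tool. It installs a public key file into a user's authorized_keys the way ssh-copy-id does: it checks that the file is an OpenSSH public key, creates ~/.ssh with mode 700 and authorized_keys with mode 600, and skips keys that are already present. The function names, the file names in the comments and the target path /home/pi are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the original how-to): install an
# OpenSSH public key into a user's authorized_keys with safe permissions.
# Usage on the remote system:  sh install_key.sh /tmp/id_ed25519.pub /home/pi
set -eu

# Accepts the key types a current OpenSSH accepts in authorized_keys.
is_public_key_file() {
    keytype=$(awk 'NR == 1 { print $1 }' "$1")
    case "$keytype" in
        ssh-ed25519|sk-ssh-ed25519@openssh.com|ssh-rsa|\
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) return 0 ;;
        *) return 1 ;;
    esac
}

install_authorized_key() {
    pub="$1"         # the copied id_ed25519.pub from the home computer
    home_dir="$2"    # home of the login user on the remote system, e.g. /home/pi
    keyfile="$home_dir/.ssh/authorized_keys"

    # Refuse anything that is not "<type> <base64> [comment]"; in particular a
    # private key pasted by mistake must never end up in this file.
    if ! is_public_key_file "$pub"; then
        echo "refusing: $pub is not an OpenSSH public key" >&2
        return 1
    fi

    # sshd (StrictModes, on by default) ignores authorized_keys if ~/.ssh or
    # the file is writable by anyone else, so set the permissions explicitly.
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$keyfile"
    chmod 600 "$keyfile"

    # Compare type and key material only, so that the same key with a
    # different comment is not added twice.
    keybody=$(awk 'NR == 1 { print $1 " " $2 }' "$pub")
    if grep -qF -- "$keybody" "$keyfile"; then
        echo "already present: $keybody"
        return 0
    fi
    # A public key file is exactly one line; append it with a guaranteed newline.
    printf '%s\n' "$(head -n 1 "$pub")" >> "$keyfile"
    echo "installed: $keybody"
}

# Number of key lines currently in an authorized_keys file (quick check).
count_authorized_keys() {
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$1" || true
}

if [ $# -eq 2 ]; then
    install_authorized_key "$1" "$2"
fi
```

Copy id_ed25519.pub to the remote system first (for example with scp), then run the script there as the login user. Running it a second time reports "already present" instead of adding a duplicate line.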

I recommend, however, that you consider the hardening steps in the next chapter, Additional System Hardening.

Additional System Hardening

An important step in the system hardening process is to configure the SSH server correctly. The OpenSSH server stores its configuration in the file sshd_config (not to be confused with ssh_config, which configures the client). Since we use key-based authentication, we now allow login by SSH key only and no longer by password. With this you mitigate the high risks related to passwords (password guessing, brute-force attacks, and so on).

Run on the remote system:

sudo nano /etc/ssh/sshd_config

  • /etc/ssh/sshd_config is where this system stores the sshd configuration. If your system stores it in a different directory, adjust the path.

Within this file we enable key-based login and disable password login. Search for the lines below and adjust them as shown. HostKey selects the server's own Ed25519 host key, which identifies the server to clients; it has nothing to do with which user keys are accepted. AuthorizedKeysFile names the file from Step 3, relative to the user's home directory. PasswordAuthentication no and PermitEmptyPasswords no switch passwords off. Two more things to check while you are in the file: PubkeyAuthentication must not be set to no (the default is yes), and KbdInteractiveAuthentication (called ChallengeResponseAuthentication in older OpenSSH releases) must be no, because with PAM enabled the keyboard-interactive method would otherwise still accept the account password. Note also that sshd uses the first value it reads for a directive: a setting that appears twice, or a drop-in file pulled in by an Include line near the top, wins over a line further down.

HostKey /etc/ssh/ssh_host_ed25519_key
AuthorizedKeysFile     .ssh/authorized_keys 
PasswordAuthentication no
PermitEmptyPasswords no

It is also a good idea to disable root login. However, create another user first and run Steps 1-4 with that user before changing the setting below, otherwise you lock yourself out:

PermitRootLogin no

Finally, consider the following settings:

  • Drop dead sessions: ClientAliveInterval makes the server send a keepalive request every 180 seconds; after ClientAliveCountMax (default 3) unanswered requests the connection is closed. This cleans up clients that disappeared; it does not log out an idle session whose client still responds.
  • Limit authentication attempts per connection with MaxAuthTries (this counts all methods, not only passwords).
  • Allow only selected users to log in by SSH with AllowUsers (in this example the user "pi"; list the user whose authorized_keys you filled in Step 3).
  • Protocol 2 disables the insecure protocol 1. Current OpenSSH releases no longer support protocol 1 at all and only print a deprecation warning for this directive, so it is only needed on old installations.

ClientAliveInterval 180
MaxAuthTries 3
AllowUsers pi
Protocol 2

Now we make the new configuration effective. Note: keep one terminal window connected to the remote system open the whole time. This ensures you still have access if the configuration does not work.

Open a new terminal window and log in to the remote system, while keeping the existing logged-in connection open. You should now have at least two terminal windows, both logged in to the remote system. Keep both of them open. Before restarting, it is worth letting sshd check the syntax of the file (its -t test mode): a typo in sshd_config would otherwise prevent sshd from starting at all. In one of the windows run:

sudo systemctl restart sshd

On Debian-based systems such as Raspberry Pi OS the service unit is named ssh; sshd works as an alias. Once the restart is done, open a third terminal window and try to log in as described in Step 4. If this works, you are fine and can close the terminal windows. If it does not work, you still have one or two terminal windows open that let you review the configuration and fix it.

Additional Information on SSH Key Authentication

More information about SSH can be found here. If you are interested in Ed25519, you may like to check out this.
