In previous tutorials in this series, we went over generating SSH keys and how to use them. We’ll wrap up the series by showing you how to turn off password authentication on your server.
Why Configure for SSH Key Authentication Only
As mentioned in Part 1, SSH key authentication requires both “something you know” (the passphrase) and “something you have” (the SSH private key file). Some attacker on the other side of the world might guess or brute force your password, or if you’re sloppy you might reuse it on some breached web site. But none of that matters if the bad guy doesn’t have your SSH private key file.
This doesn’t mean you shouldn’t still use strong passphrases with your SSH private key file. If for some reason, your client system (such as your home PC or laptop) was compromised, then security rests with this passphrase, so follow normal best practices for strong passphrases.
Disabling Password Authentication
First, test that SSH key authentication works (see Part 2) so you don’t lock yourself out.
Using your favorite editor (such as vi or nano), edit the /etc/ssh/sshd_config file. The location is the same on both Debian- and CentOS-based systems.
sudo vi /etc/ssh/sshd_config
Change these lines as follows:
PubkeyAuthentication yes PasswordAuthentication no
Then restart sshd:
systemctl restart sshd
Now try to login. Here I will use an account that was setup and has not had an ssh key configured:
$ ssh testuser@myserver Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Wrapping Up
Here are the key takeaways from this series:
- SSH key authentication is based on public key encryption. The private key should be zealously protected. On the other hand, the public key does not need to be kept secret. The public key is what is installed on various servers you wish to connect to.
- SSH key authentication is superior to passwords because it requires the user to have the SSH key file in his/her possession, not merely know a secret passphrase.
- You should set a solid passphrase on your SSH private key file in case it is lost/stolen/compromised.
- The ssh-copy-id utility allows you to very easily setup your SSH key on remote systems if you have a Linux or macOS client. On Windows, you’ll need to proceed with manual steps.
- Disabling password authentication on your servers completes the security setup. Once done, the security of your server is significantly improved.
Related Posts:
- The Awesome Curated Universe - December 17, 2024
- Win Authority: Cheap VPS Offers in Seattle ! - December 16, 2024
- I Don’t Have Time to Win the Hutter Prize, So Maybe You’d Like to Snag 500’000€ With My Idea - December 15, 2024
Leave a Reply