Introduction to SSH and Authentication Options
Secure Shell (SSH) is a widely used protocol for establishing a secure connection between two networked devices. It is designed to provide a secure communication channel over an unsecured network.
Authentication is a critical component of SSH, as it is used to verify the identity of the connecting parties. There are two primary types of authentication systems: password-based authentication and public key-based authentication.
Password-based authentication is the most common form of authentication, where users are required to provide a password to access a system. This method is easy to implement, but it is highly vulnerable to brute-force attacks.
Public key-based authentication, on the other hand, relies on a pair of cryptographic keys, one public and one private, to authenticate. This method is more secure than password-based authentication and is widely used in SSH.
SSH-keygen Tool and its Purposes
The
ssh-keygen tool is used to create and manage SSH authentication keys. Generating SSH keys using
ssh-keygen is a simple and straightforward process that requires minimal technical knowledge.
SSH keys are used to authenticate users, servers, and applications in SSH sessions. SSH keys are considered to be more secure than password-based authentication because they use a combination of public and private keys.
Generating SSH Key Pairs using
ssh-keygen in Ubuntu
Creating Key Pairs Without Any Option
To create a key pair without any option in Ubuntu, open the terminal and type the following command:
ssh-keygen
This will create a key pair with the default filename id_rsa and empty password.
Creating Key Pairs With a Single Option
To create a key pair with a single option in Ubuntu, you can use the -t option to specify the type of key you wish to generate. The most common key type used is RSA.
To generate an RSA key type, use the following command:
ssh-keygen -t rsa
This will generate an RSA key with a default length of 2048 bits and an empty password. You can also set a password for your key by using the -N option followed by the desired password.
For example:
ssh-keygen -t rsa -N MySecurePassword
Creating Key Pairs With Multiple Options
To create a key pair with multiple options in Ubuntu, you can use a combination of options to generate a key of your desired specifications. For example, to generate an RSA key of 2000 bits with a custom comment value, use the following command:
ssh-keygen -t rsa -b 2000 -C “My Custom Comment”
This will generate an RSA key of 2000 bits with a custom comment value “My Custom Comment”. If you wish to overwrite an existing key file, use the -f option followed by the desired filename.
For example:
ssh-keygen -t rsa -b 2000 -C “My Custom Comment” -f ~/.ssh/my_new_key
This will generate a new RSA key of 2000 bits with a custom comment value “My Custom Comment” and save it to the file ~/.ssh/my_new_key.
Conclusion
Generating SSH keys using
ssh-keygen in Ubuntu is a simple and straightforward process that requires minimal technical knowledge. SSH keys are used to authenticate users, servers, and applications in SSH sessions.
Implementing SSH key-based authentication is considered a best-practice for securing SSH sessions, as it is more secure than password-based authentication.
Copying the Public Key to the Server
After generating an SSH key pair using
ssh-keygen in Ubuntu, the next step is to copy the public key to the server. The public key is used to authenticate the user or client, while the private key is used for encryption and decryption.
To copy the public key to the server, we need to add it to the authorized_keys file on the server. The authorized_keys file contains a list of authorized public keys for a particular user account on the server.
Here are the steps to add the public key to the authorized_keys file on the server:
1. Copy the public key from the client machine by running the following command in the terminal:
cat ~/.ssh/id_rsa.pub
2.
Log in to the server using SSH and navigate to the .ssh directory in your home folder by running the following command:
cd ~/.ssh
3. If the authorized_keys file does not exist, create it using the touch command:
touch authorized_keys
4.
Open the authorized_keys file using your preferred text editor:
nano authorized_keys
5. Paste the copied public key into the file and save it.
6. Set the correct permissions for the authorized_keys file by running the following command:
chmod 600 authorized_keys
This will set the file permissions to read and write only by the owner of the file.
Once the public key has been added to the authorized_keys file on the server, the client can now authenticate using the private key.
Modifying the Configuration File of the Server
SSH configuration files are used to control the behavior of the SSH server. They are located in the /etc/ssh/ directory on the server.
Here are some configuration modifications that can be performed to enhance SSH security:
Enabling Password-Based Authentication
Password-based authentication is the default authentication method used by SSH. However, this method is highly susceptible to brute-force attacks, making it less secure than other methods such as public key authentication.
If you must use password-based authentication due to specific security policies or other reasons, you can enable it in the sshd_config file using the following command:
nano /etc/ssh/sshd_config
Locate the line that says “#PasswordAuthentication yes” and remove the “#” symbol to uncomment the line. Save the changes, then restart SSH using the following command:
systemctl restart ssh.service
Permitting Root User Login
The root user is the most privileged user on a Linux system. Accessing the server as a root user via SSH is not advisable because any mistake or malicious activity can cause severe damage to the system.
By default, root login via SSH is disabled on most Linux distributions. However, you can enable it in the sshd_config file using the following command:
nano /etc/ssh/sshd_config
Locate the line that says “PermitRootLogin no” and change the “no” to “yes”.
Save the changes, then restart SSH using the following command:
systemctl restart ssh.service
Conclusion
Modifying the SSH configuration file is an essential step in enhancing the security of SSH sessions. By disabling password authentication and root user login, you can mitigate the risk of brute-force attacks and unauthorized access.
SSH key-based authentication is more secure than password-based authentication and is considered a best-practice for securing SSH sessions. By following the procedures outlined in this article, users can generate SSH keys using
ssh-keygen in Ubuntu, copy the public key to the server, and modify the SSH configuration files to enhance SSH security.
Logging In from the SSH Client
After generating a new SSH key pair and copying the public key to the server, it’s time to connect to the server and log in using SSH. Here are the steps to log in from the SSH client:
Adding Identity of Server Machine
The first step is to add the identity of the server machine to the list of known hosts on the client machine:
1. Open the terminal and run the following command, where server_ip_address is the IP address of the server:
ssh-keyscan server_ip_address >> ~/.ssh/known_hosts
2.
Enter the root password when prompted. This command will append the host key of the server to the known_hosts file.
The known_hosts file is used to store the public keys of known servers, which are used to verify the server’s identity during subsequent connections.
Connecting to the Server Machine from the Client
After adding the identity of the server machine, you can connect to it using the SSH command. Here are the steps to connect to the server machine from the client:
1.
Open the terminal and run the following command, where username is the username of the account you wish to log in with, and server_ip_address is the IP address of the server:
ssh username@server_ip_address
2. Enter the password for the user account when prompted.
This command will connect to the server machine using the SSH protocol. The username and IP address must be replaced with the correct values for your server.
If you are logging in as the root user, you can enter the root password when prompted. However, it is recommended that you use a non-root user account when logging in via SSH to minimize the risk of unauthorized access.
Once the SSH connection has been established, you can use the terminal on the client machine to execute commands on the server machine. You can also transfer files between the client and server machines using SCP (Secure Copy Protocol).
Conclusion
Logging in from the SSH client is a critical step in establishing a secure connection between the client and server machines. By adding the identity of the server machine to the list of known hosts on the client machine, users can verify the identity of the server during subsequent connections.
SSH key-based authentication is more secure than password-based authentication and is considered a best-practice for securing SSH sessions. By following the procedures outlined in this article, users can establish a secure SSH connection and execute commands on the server machine.
In summary, SSH is a widely used protocol for establishing secure communication channels between networked devices. SSH authentication is a critical component of SSH, as it is used to verify the identity of the connecting parties.
This article has explored the key concepts of SSH key pair generation, copying the public key to the server, modifying the SSH configuration files, and logging in from the SSH client. Implementing SSH key-based authentication and enhancing SSH security by disabling password-based authentication and root login can help to mitigate the risk of unauthorized access.
The takeaways are that implementing SSH key-based authentication provides users with greater security than password-based authentication, and configuring the SSH server can further enhance SSH security. By following the procedures outlined in this article, users can establish a secure SSH connection and secure their communication channels.