How to configure an Ubuntu Linux server to allow SSH sessions only with a key and disable password-based

Diego Carrasco G. — Thu, 16 Nov 2023 09:12:35 GMT

Context

I have a server running Ubuntu 22.04 LTS which I use for some personal projects and I wanted to make it more secure by only allowing SSH sessions with a key and disabling password-based authentication.

What is an SSH key and why is it more secure?

SSH keys are a pair of cryptographic keys which are used to authenticate to an SSH server. When you generate the key, 2 files are created. There is a private key (kept in the client) and a public key .pub (added to the server). The private key is used to encrypt the data and the public key is used to decrypt it.

Steps to configure the server

1. Create an SSH Key Pair (if you don't have one)

On your local machine, run the following command to generate a new SSH key pair. (You can use the default values)

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Notes:

The email is used as a label for the key. You can use any email you want.
If you want additional security, add a passphrase to the key. (You will need to enter the passphrase each time you use the key). -- There are different views on whether this is a good idea or not. I think it is a good idea, but it is up to you. -- You can skip this step by pressing enter twice.
The default key name is id_rsa. You can use a different name if you want.
The default location is ~/.ssh. You can use a different location if you want.
The default permissions are 600 for the private key. (I have a quick-note about permissions at (Quick-note) SSH Keys Permissions

2. Copy the public key to the server

ssh-copy-id <username>@<server_ip>

If you have more than one key (identity), you can specify the key to use with the -i flag. (The default is ~/. ssh/id_rsa.pub)

Alternative:

You can also add the public key to the server manually. (This is useful if you don't have ssh-copy-id installed)

cat ~/.ssh/id_rsa.pub | ssh <username>@<server_ip> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

or just copy the contents of the public key .pub and paste it in the ~/.ssh/authorized_keys file on the server.

ssh-copy-id -i ~/.ssh/id_rsa.pub <username>@<server_ip>

3. Test the configuration

Check if you can access the server with the key. If you are using the default key, you don't need to specify it.

ssh <username>@<server_ip>

If you are using a different key, you need to specify it with the -i flag.

ssh -i ~/.ssh/<key_name> <username>@<server_ip>

If you can access the server, you can continue with the next steps. If not, check the logs in /var/log/auth.log to find out what is wrong. (You can use tail -f /var/log/auth.log to see the logs in real time)

4. Configure the server to only allow SSH sessions with a key and disable password-based authentication

Edit the /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

And add or edit the following line:

PasswordAuthentication no

5. Restart the SSH service

sudo systemctl restart ssh

or, if you are using an older version of Ubuntu

sudo service ssh restart

You have now configured your server to allow ssh sessions only with a key 😁

Diego A. Carrasco Gubernatis | Personal Website (Posts about ssh)