How to configure an Ubuntu Linux server to allow SSH sessions only with a key and disable password-based
Context
I have a server running Ubuntu 22.04 LTS which I use for some personal projects and I wanted to make it more secure by only allowing SSH sessions with a key and disabling password-based authentication.
What is an SSH key and why is it more secure?
SSH keys are a pair of cryptographic keys which are used to authenticate to an SSH server. When you generate the
key, 2 files are created. There is a private key (kept in the client) and a public key .pub
(added to the server).
The private key is used to encrypt the data and the public key is used to decrypt it.
Steps to configure the server
1. Create an SSH Key Pair (if you don't have one)
On your local machine, run the following command to generate a new SSH key pair. (You can use the default values)
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Notes:
- The email is used as a label for the key. You can use any email you want.
- If you want additional security, add a passphrase to the key. (You will need to enter the passphrase each time you use the key). -- There are different views on whether this is a good idea or not. I think it is a good idea, but it is up to you. -- You can skip this step by pressing enter twice.
- The default key name is
id_rsa
. You can use a different name if you want. - The default location is
~/.ssh
. You can use a different location if you want. - The default permissions are
600
for the private key. (I have a quick-note about permissions at (Quick-note) SSH Keys Permissions
2. Copy the public key to the server
ssh-copy-id <username>@<server_ip>
If you have more than one key (identity), you can specify the key to use with the -i
flag. (The default is ~/.
ssh/id_rsa.pub
)
Alternative:
You can also add the public key to the server manually. (This is useful if you don't have ssh-copy-id
installed)
cat ~/.ssh/id_rsa.pub | ssh <username>@<server_ip> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
or just copy the contents of the public key .pub
and paste it in the ~/.ssh/authorized_keys
file on the server.
ssh-copy-id -i ~/.ssh/id_rsa.pub <username>@<server_ip>
3. Test the configuration
Check if you can access the server with the key. If you are using the default key, you don't need to specify it.
ssh <username>@<server_ip>
If you are using a different key, you need to specify it with the -i
flag.
ssh -i ~/.ssh/<key_name> <username>@<server_ip>
If you can access the server, you can continue with the next steps. If not, check the logs in /var/log/auth.log
to
find out what is wrong. (You can use tail -f /var/log/auth.log
to see the logs in real time)
4. Configure the server to only allow SSH sessions with a key and disable password-based authentication
Edit the /etc/ssh/sshd_config
file:
sudo nano /etc/ssh/sshd_config
And add or edit the following line:
PasswordAuthentication no
5. Restart the SSH service
sudo systemctl restart ssh
or, if you are using an older version of Ubuntu
sudo service ssh restart
You have now configured your server to allow ssh sessions only with a key 😁
Comments
Comments powered by Disqus