Categories
blogs

Ubuntu 18 : Enable ssh keys, disable ssh passwords

This is a two step howto, and this is how I do it. Do it in this order to avoid issues.

Before you begin, make sure you have read the other blog posts, where I explain how to add a super user to the system, and disable root from logging into the ssh service.

The next step is to first enable ssh keys for logging in to ssh. Then we are going to disable logging in with passwords.

On your client computer, create an ssh public key. There are enough tutorials online to do this. Here’s one: https://github.com/settings/keys

Once you have a local key, it’s time to copy the public id to the remote server.

Note: that if you have changed the default ssh port from 22 to something else, that you have to specify it.

The easiest way is to use ssh-copy-id, but you can also do this manually.

Note: I strongly recommend to have a user already logged in to the server with ssh that’s sudo up, so you can fix any issues when you potentially get yourself locked out.

ssh-copy-id -p 22555 floris@example.com

ssh-copy-id is either installed or not on your system, this is says program not found, you have to do it manually.

-p 22555 is the ssh port, 22555 in this example as it’s changed.

floris@example.com is the ssh’s username and host address to connect to.

Follow the on-screen instructions, if it asks for a password it’s the password of the user on the remote host you’re trying to login with. If it asks for the keyphrase, then it is probably the ssh keyphrase you’re set for the public key to authenticate.

When done, do not log out yet of the earlier logged in ssh session. Instead, open a new terminal window or tab, and ssh back in with something like ssh floris@example.com -p 22555

It should log you in automatically, or if your ssh key has a keyphrase, it will ask for this. It will no longer ask you for the password.

If this was successful, it’s time for step 2, to disable users from logging in with a password (prevent brute force attacks).

sudo nano /etc/ssh/sshd_config

Find:

#PasswordAuthentication yes

Note how there’s sometimes a # character in front of the line? Remove this # character so it’s no longer commented out.

Change it to:

PasswordAuthentication no

And save your changes.

Now restart the ssh daemon service.

service ssh restart

And try it all again. It should work.

Mega oops! You’ve logged yourself out? If that happened, something went wrong. Most hosting providers have a control panel, with a serial console. Login there with your root account and fix your changes.

If all went well, you can ssh into the server without having to login (or login with a keyphrase if set), but loggin in to the server with the password should no longer work. If you’ve followed the other blog entries, you shouldn’t be able to login with root at all anymore at this point.

 

By MrFloris

This blog is for people who know me, so nothing to tell. For those who don't know me yet, .. read my blog ;)