Introduction to SSH
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best known example application is for remote login to computer systems by users. (wikipedia)
SSH, known as Secure Shell, is an encrypted protocol used to administer and communicate with remote servers around the globe. There are various ways to access a remote server, but for now we will log in to our server via SSH.
SSH is a tool for secure system administration, file transfers, and other communication across the Internet or other untrusted network. It encrypts identities, passwords, and transmitted data so that they cannot be eavesdropped and stolen.
An SSH key pair consists of a private key and a public key, which together allow a client to authenticate to the server. An ordinary password can easily be cracked with a brute-force attack, but SSH keys are nearly impossible to brute-force because a key is far more secure than any password. The private key can additionally be encrypted with a passphrase, which adds a further layer of protection: without the passphrase, nobody can use the key to gain access to the server.
Accessing a remote server with SSH is much easier. The public key is placed in the .ssh directory on the server, so that a client holding the matching private key in its own .ssh directory can access the server.
When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.
The diagram shows a laptop connecting to a server via SSH.
How to generate SSH keys?
SSH keys can be generated easily with a utility called ssh-keygen (it can be used with or without arguments). In this scenario ssh-keygen creates the key pair: -t selects the key type (rsa is the algorithm) and -b sets the key size in bits.
The keys are saved in the .ssh directory of your home directory as id_rsa (private key) and id_rsa.pub (public key). If keys with these names already exist, the previous keys will be overwritten.
Choosing an Algorithm and Key Size
There are several kinds of key algorithms to choose from:
- rsa: An old algorithm with a large key size of at least 2048 bits (4096 bits is better); it is highly recommended for secure connections. All SSH clients support this algorithm.
- dsa: The Digital Signature Algorithm is an old US government security algorithm and is not recommended. A key size of 1024 bits would normally be used with it.
- ecdsa: A newer Digital Signature Algorithm standardized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 bits. Using it with 521 bits is recommended. Most SSH clients support this algorithm.
- ed25519: A new algorithm added in OpenSSH. Support for it in clients is not yet universal, so its use in general-purpose applications may not yet be advisable.
Copying the Public Key to the Server
ssh-copy-id -i ~/.ssh/id_rsa.pub user@host
Once the public key has been configured on the server, the server will allow any connecting user that holds the matching private key to log in. During the login process, as described above, the server verifies that the connecting client possesses the private key.
Now you can go ahead and log into user@host.
Disable the Password for Root Login (optional)
Once you have copied your SSH keys to your server and ensured that you can log in with the SSH keys alone, you can go ahead and restrict root login so that it is permitted only via SSH keys.
In order to do this, open up the SSH config file:
sudo nano /etc/ssh/sshd_config
Within that file, find the line that includes PermitRootLogin and modify it to ensure that root can only connect with an SSH key:
Open a new terminal and apply the following changes.
The following are common reasons why SSH key authentication fails:
- The server might not be configured to accept public key authentication. Make sure /etc/ssh/sshd_config on the server contains PubkeyAuthentication yes. Remember to restart the sshd process on the server.
- If trying to log in as root, the server might not be configured to allow root logins. Make sure PermitRootLogin is set to prohibit-password. If it is set to forced-commands-only, the key must be manually configured to use a forced command; see
- Make sure the client allows public key authentication. Check that /etc/ssh/config includes
- Try adding the -v option to the ssh command used for the test. Read the output to see what it says about whether the key is tried and what authentication methods the server is willing to accept.
- OpenSSH only allows a maximum of five keys to be tried automatically. If you have more keys, you must specify which key to use with the appropriate option to ssh.
For more articles please view my blog.
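As an added example (not code from the original article), here is a small POSIX shell script that audits an sshd_config for the two settings the root-login section and the troubleshooting list depend on, PermitRootLogin and PubkeyAuthentication. It reproduces sshd's rule that the first value found for a keyword wins, which is why an edit appended at the end of the file can silently fail to take effect; the sample configs are constructed for the demo, and the option names used are real sshd_config keywords.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the two
# settings the troubleshooting list relies on. sshd uses the FIRST value it finds for
# a keyword, so "PermitRootLogin prohibit-password" appended at the end of the file
# does NOT override an earlier "PermitRootLogin yes". Limitations: Include files are
# not followed, and only the global section (before any Match block) is inspected.
# effective_value FILE KEYWORD: print the first value set for KEYWORD (case-insensitive)
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                              # strip comments; $0 is re-split
        tolower($1) == "match" { exit }                 # values below here are conditional
        tolower($1) == tolower(key) { print $2; exit }  # first match wins, like sshd
    ' "$1"
}
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
# audit_sshd_config FILE: print findings; return 0 only if root can log in with keys alone
audit_sshd_config() {
    rc=0
    pubkey=$(lower "$(effective_value "$1" PubkeyAuthentication)")
    root=$(effective_value "$1" PermitRootLogin)
    if [ "$pubkey" = "no" ]; then   # absent means the default, which is yes
        echo "FAIL: PubkeyAuthentication no (key-based login will be refused)"; rc=1
    else
        echo "OK:   PubkeyAuthentication ${pubkey:-yes (default)}"
    fi
    case "$(lower "$root")" in
        prohibit-password|without-password)
            echo "OK:   PermitRootLogin $root (root may only log in with a key)" ;;
        no) echo "OK:   PermitRootLogin no (root cannot log in at all)" ;;
        forced-commands-only)
            echo "WARN: PermitRootLogin $root (root keys must carry a forced command)"; rc=1 ;;
        "") echo "WARN: PermitRootLogin unset (depends on the OpenSSH default; set it)"; rc=1 ;;
        *)  echo "FAIL: PermitRootLogin $root (root password login is still possible)"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample configs (not real server files), written to a temp file for the demo.
sample_bad_config() {   # the fix appended at the end never takes effect
    printf '%s\n' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
        '# appended later by an admin:' 'PermitRootLogin prohibit-password'
}
sample_good_config() {
    printf '%s\n' 'PubkeyAuthentication yes' 'PermitRootLogin prohibit-password' \
        'Match Address 10.0.0.0/8' '    PermitRootLogin no'   # conditional: ignored
}
demo() {   # run the audit on both samples; the first is expected to fail
    tmp=$(mktemp); sample_bad_config > "$tmp"
    audit_sshd_config "$tmp" || echo "-> audit failed, as expected for the first sample"
    sample_good_config > "$tmp"; audit_sshd_config "$tmp"; rm -f "$tmp"
}
demo
```

To audit a real server, run audit_sshd_config /etc/ssh/sshd_config as root and remember to restart sshd after any change, as the troubleshooting list notes.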