SSH and public key for authentication
(Good coffee made me write about...)
SSH is one of the most attacked services because, by breaking in, an attacker can tunnel their connection and attack someone else, hiding their identity behind the attacked IP address (bad)... or send spam... or store illegal material... you name it. So it is the first service to protect!
1. ON YOUR COMPUTER, GENERATE A SET OF KEYS.
They are going to be saved in the directory ~/.ssh (the hidden folder .ssh/ inside your home folder).
Back up everything in that folder when you are done. You may need it!
So, generate your keys with any ONE of these lines (use the one you like the most):
* ssh-keygen -t ecdsa -b 521 // ecdsa = Elliptic Curve Digital Signature Algorithm //
* ssh-keygen -t rsa -b 4096 // rsa = Rivest–Shamir–Adleman; be sure to use 4096 //
### Enter a strong passphrase: in case the private key is compromised, that is your last line of defense.
2. COPY YOUR KEY TO THE REMOTE SERVER.
Only your public key is going to be copied. Again: protect your private key!
* ssh-copy-id -i ~/.ssh/your-key-ecdsa user@host // you don't need to write file.pub, ssh-copy-id knows which one to copy //
Note that it goes into the home folder of that user on the server, and you can name your key file whatever you like.
3. TEST THE KEY BEFORE DISABLING PASSWORD LOGIN FOR YOUR USERNAME
* ssh -i ~/.ssh/mykey user@host
Your passphrase is going to be asked for the first time.
Now you should be able to log in without a password:
* ssh YourUser@yourdomain.com or ssh YourName@youripaddress
4. EDIT YOUR SSH CONFIG FILE
In /etc/ssh/sshd_config make the following changes.
Find each line, or add it if it doesn't exist:
PasswordAuthentication no // no password is valid, only the keys //
PermitRootLogin no // no root login accepted //
AllowUsers MySelf // and the strictest one... only MySelf is authorized to ssh into this machine //
Hopefully your server's ssh service is secured by now!
Tip: before creating a new set of keys, be sure there is nothing in your .ssh directory!!!
5. RESTART YOUR SSHD
sudo systemctl restart sshd
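Before restarting sshd it is worth checking that step 4 actually took effect, because sshd_config has a trap: sshd uses the FIRST uncommented occurrence of a keyword and ignores later duplicates, and anything below a "Match" line is conditional. The script below is an added example, not code from the original post; the function names (sshd_directive, audit_sshd_config) and the two sample configs are constructed for it. It reads a config as text, extracts the value sshd will really use for each of the three directives from step 4, and reports which ones are still wrong.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an sshd_config for the
# three directives step 4 sets, before restarting sshd in step 5.
# Function names and the sample configs are constructed for this example.

# Print the value sshd will use for a directive. Two sshd_config rules matter:
#  - the FIRST uncommented occurrence of a keyword wins (later duplicates are ignored),
#  - anything after a "Match" line is conditional, so we stop reading there.
sshd_directive() {
    config="$1"
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')    # keywords are case-insensitive
    printf '%s\n' "$config" | awk -v key="$key" '
        /^[[:space:]]*#/       { next }   # comment line
        NF == 0                { next }   # blank line
        tolower($1) == "match" { exit }   # conditional block starts: stop
        tolower($1) == key     { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    '
}

# Check the three settings from step 4. Prints one line per directive;
# returns 0 when all pass, 1 otherwise.
audit_sshd_config() {
    rc=0
    pa=$(sshd_directive "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pa" != "no" ]; then
        printf 'FAIL PasswordAuthentication is "%s" (unset means yes), want no\n' "$pa"
        rc=1
    fi
    prl=$(sshd_directive "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$prl" != "no" ]; then
        printf 'FAIL PermitRootLogin is "%s", want no\n' "$prl"
        rc=1
    fi
    au=$(sshd_directive "$1" AllowUsers)
    if [ -z "$au" ]; then
        printf 'FAIL AllowUsers not set, want an explicit user list\n'
        rc=1
    else
        printf 'OK   AllowUsers %s\n' "$au"
    fi
    if [ "$rc" -eq 0 ]; then
        printf 'OK   all three directives set as in step 4\n'
    fi
    return "$rc"
}

# Constructed sample: the config step 4 ends with.
GOOD_CONFIG='# constructed sample sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers MySelf'

# Constructed sample: looks hardened at the bottom, but sshd keeps the first
# PasswordAuthentication it sees, and the PermitRootLogin line is commented out.
BAD_CONFIG='# constructed sample sshd_config with two classic mistakes
PasswordAuthentication yes
#PermitRootLogin no
PasswordAuthentication no
AllowUsers MySelf'

echo "== good config =="
audit_sshd_config "$GOOD_CONFIG"
echo "== bad config =="
audit_sshd_config "$BAD_CONFIG" || echo "== fix the lines above before restarting sshd =="
```

To run it against the real file use `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`. On newer OpenSSH the main file may `Include` a sshd_config.d/ directory near the top, so the authoritative answer is always `sudo sshd -T` (prints the effective settings) and `sudo sshd -t` (syntax check) before the restart; and keep your current session open until a fresh key-based login has worked, so a mistake cannot lock you out.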
I know it may have typos... or mistakes.
This is AT LEAST what must be done, because a lot more can be done: permit only your IP, use your ISP's firewall and use iptables on your side... catch the bad guys with fail2ban... and more. But that, my dear, is another story.
If you have any question or suggestion, feel free to speak!