As a sequel to my first blog post (Simple Ways to Secure the SSH Port on your VPS), I am adding a simple tutorial on how you can set up certificate-based (SSH key) authentication.
The reason to implement this method is to avoid using plain-text passwords. This way, anyone who does not have the client-side private key installed in their SSH client will not be able to log in to the VPS.
There are three things we need to do in order to get this working:
1. Create a public/private SSH key pair on the client computer
2. Create the public key file (authorized_keys) on the VPS (server)
3. Disable password-based authentication on the server
I need to stress this point: do not do step 3 before you have tested a login with the SSH key method, or you will potentially lose access to the server entirely and will need to open a ticket with your host!
Create an SSH key pair (public/private) on the client. Type the following commands (do not do this as root):
$ cd ~/.ssh
$ ssh-keygen -t rsa -b 2048
You will be asked: “Enter file in which to save the key (/home/testuser/.ssh/id_rsa):” Press Enter to accept the default.
You will then be asked: “Enter passphrase (empty for no passphrase):” Type in a passphrase that you will remember. You will need to enter it every time you ssh to your server from now on.
Note: If you do not enter a passphrase in this step, you will not be asked for one when you log in to the server. This can be good or bad… It’s good because you can just ssh to the server and log in automatically without typing anything. It’s bad because anyone who has a copy of this private key will be able to log in to your server without a passphrase. So make sure you keep this file in a very safe place if you choose not to use a passphrase.
In your .ssh directory you will now see two new files: ‘id_rsa’ (the private key) & ‘id_rsa.pub’ (the public key).
SSH to your VPS server and go to the .ssh directory in the home directory of the user you want to be able to log in with the key. Ex: /home/user1/.ssh
Copy the contents of id_rsa.pub (the public key you generated in step 1 on the client computer) and paste it into the “authorized_keys” file in the ~/.ssh directory on the server, creating the file if it does not exist yet. Ensure that the whole key is on one line.
Edit /etc/ssh/sshd_config (You need to be root to do this).
Find the following lines:
Remove the “#” symbol at the start of each of these three lines and save the file.
Close the session and log in to your server again as the user you created the key for.
This time you should be asked for the passphrase (if you entered one in step 1). If you didn’t enter one in step 1, it should log you in straight away and you should have a $ prompt as the user you created the key for.
Once you have confirmed that SSH key authentication is working, edit /etc/ssh/sshd_config (as root) and find the following line:
Change the ‘yes’ to ‘no’ and restart sshd.
You will now only be able to log in as the user you created the key for. From now on, whenever you want to SSH to the server you will need to make sure that there is a copy of the private key in that user’s ~/.ssh directory on the client machine.
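The server-side part of the procedure above (adding the public key to authorized_keys, uncommenting the sshd_config options, and then turning password logins off), as an added shell example that is not part of the original post. The tutorial does not reproduce the config lines it refers to; this example assumes they are PubkeyAuthentication and AuthorizedKeysFile (older guides also list RSAAuthentication, which current OpenSSH no longer recognises) and PasswordAuthentication for the final step. It adds the two checks a practitioner wants alongside the warning about locking yourself out: the file permissions sshd requires under StrictModes, and a syntax check with sshd -t before the daemon is restarted. All paths, the user1 home directory, the sshd_config excerpt and the key line are constructed, and the demo only touches a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Every path is a parameter
# so the functions can be exercised on a scratch directory; on a real host
# you would pass ~/.ssh/authorized_keys and /etc/ssh/sshd_config instead.

# Step 2 of the tutorial: add a public key to authorized_keys exactly once and
# set the permissions sshd requires. With StrictModes (the default) sshd
# silently ignores a key file or ~/.ssh that is group/world writable, which
# looks like "the key does not work" and tempts people into skipping the test.
install_authorized_key() {
    pubkey_file="$1"
    auth_file="$2"
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    # Field 2 of a public key line is the key material; matching on it means
    # a re-run, or a changed comment field, does not add a duplicate entry.
    key_material=$(awk 'NR == 1 { print $2 }' "$pubkey_file")
    if grep -qF -- "$key_material" "$auth_file"; then
        return 0
    fi
    cat "$pubkey_file" >> "$auth_file"
}

# Step 3 of the tutorial: set an sshd_config keyword, uncommenting it if it is
# present as "#Keyword value". The option is appended if it is absent entirely.
# This rewrites every matching line, including any inside a Match block, and
# the value must not contain "|" or "&" (sed replacement syntax).
set_sshd_option() {
    config="$1"
    keyword="$2"
    value="$3"
    pattern="^[[:space:]]*#?[[:space:]]*${keyword}[[:space:]]"
    if grep -qE "$pattern" "$config"; then
        sed -E "s|${pattern}.*|${keyword} ${value}|" "$config" > "${config}.tmp" \
            && mv "${config}.tmp" "$config"
    else
        printf '%s %s\n' "$keyword" "$value" >> "$config"
    fi
}

# Read back the effective value: sshd uses the first uncommented occurrence.
get_sshd_option() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# The check behind the lockout warning above: only restart the daemon if it
# accepts the edited file. Not invoked by the demo; run it as root on the real
# config once you have confirmed that a key login works.
validate_and_restart() {
    if sshd -t -f "$1"; then
        systemctl restart sshd   # the unit is "ssh" rather than "sshd" on Debian/Ubuntu
    else
        echo "sshd rejected $1; leaving the running daemon untouched" >&2
        return 1
    fi
}

# Constructed scratch run: reports on stderr and prints the scratch directory
# on stdout so a caller can inspect the result.
demo() {
    work=$(mktemp -d)
    cfg="$work/sshd_config"
    cat > "$cfg" <<'EOF'
# Constructed excerpt standing in for the stock file, not a real sshd_config.
Port 22
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
EOF
    # Placeholder line in id_rsa.pub format; the key material is not a real key.
    printf 'ssh-rsa AAAAB3NzaC1yc2EEXAMPLE-NOT-A-REAL-KEY testuser@client\n' > "$work/id_rsa.pub"
    auth="$work/home/user1/.ssh/authorized_keys"
    install_authorized_key "$work/id_rsa.pub" "$auth"
    install_authorized_key "$work/id_rsa.pub" "$auth"    # second run must not duplicate
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$cfg" PasswordAuthentication no      # only after the key login test
    echo "authorized_keys now has $(grep -c 'ssh-rsa' "$auth") entry/entries" >&2
    echo "PasswordAuthentication is $(get_sshd_option "$cfg" PasswordAuthentication)" >&2
    echo "$work"
}

scratch=$(demo)
rm -rf "$scratch"
```

The order inside demo mirrors the tutorial's warning: PasswordAuthentication is flipped last, and on a real host that call belongs after you have logged in once with the key, with validate_and_restart rather than a bare restart so a typo in the file cannot take the daemon down.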