It’s an excellent idea to sign in to your SSH server without a password. Seriously, get rid of it. There’s no need to use a password on one of the most attacked services on Linux servers, right? Securing an SSH server using standard password-based authentication is a bad idea. Attackers can easily brute force passwords, and when they’re the only thing standing between a bad actor and your server, you should definitely be nervous.
Content
- Install the Packages
- Generate Your SSH Key in Linux
- Sending Your Key to the Remote Linux Host
- Testing Your SSH Connection in Linux
- Configuring SSH to Block Passwords
- Frequently Asked Questions
That’s why RSA key-based authentication is much better. You can configure and secure your Linux server to only allow access from computers that hold the RSA keys that have already been accepted. Anyone else will be rejected immediately. As an added benefit, you can create those keys with or without a password, which is entirely up to you. A strong key without a password is fine in most cases, though.
If you use Linux devices at home, too, you have the added benefit of convenience. Say you want to set up SSH X-forwarding from your Linux workstation to your laptop. Do you really want to enter your password every time you run a remote program? Set up SSH keys, and you won’t need to.
Install the Packages
There are a couple of packages that you need. You probably already have some of them, but it’s a good idea to check. The packages are the same on both the server and client. However, there’s also a good chance that both machines are servers and clients to each other (home situation), so you may want to make sure that you have installed these packages.
The OpenSSH metapackage is not installed by default on either Debian or Ubuntu systems. If you don’t already have it installed, you can do so by running the following command:
sudo apt install ssh
Generate Your SSH Key in Linux
It’s really easy to generate your SSH key in Linux. Just tell OpenSSH that you need to generate the key. It’s also a good idea to specify the amount of bits with the -b
flag and the type with -t
. A 4096 bit key is best, as it provides stronger encryption.
ssh-keygen -t ed25519
First, the utility will ask where you want to store the key. Just hit Enter for the default directory. When it asks for a password, leave it blank for a passwordless key and passwordless authentication. If you do want to use a password for your key, enter it here.
Your computer will take a couple of seconds to generate your key. When it’s over, it will print out an ASCII art representation of your key on the terminal.
Sending Your Key to the Remote Linux Host
To use your key, you’ll need to send it to your remote server. OpenSSH has another built-in utility for that, too. Tell it where your key is and which user on the server to associate it with.
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@ip_remote_host
Replace ip_remote_host
with the actual IP address of the remote host, which you will manage via SSH. Replace username
with the actual username on the remote host.
It’s crucial that you use the -i
option to specify the identity file that contains your public key. If you try to use your SSH key without this option, you may get an error.
Testing Your SSH Connection in Linux
With your SSH key in the remote server, you can now test whether your connection properly works.
Log in with the following command:
ssh username@ip_remote_host
The remote host will log you in without asking for the user account password.
However, if you made a mistake during the process, the SSH daemon will automatically fall back to password authentication for your user account. This allows you to still access your remote server even if you have a non-functioning RSA key.
Configuring SSH to Block Passwords
For the best security, you need to disable SSH password logins on your Linux server. Similar to enabling two-factor authentication in SSH, this prevents anyone from brute-forcing their way into your server.
It is important to make sure that you can reliably log in with your SSH key before doing this, as it is possible to lock yourself out of your remote server if you have a malfunctioning key.
You can find the configuration file for your SSH daemon in “/etc/ssh/sshd_config.” Open the file on the server using sudo and your preferred text editor. For example, open this file using nano by running the following command:
sudo nano /etc/ssh/sshd_config
Find the lines below by pressing Ctrl + W and edit them to look like the example. Uncomment both entries and change the values to no
.
PasswordAuthentication no PermitEmptyPasswords no
PasswordAuthentication
specifies whether to use password authentication. We set this to “no” because we want to use SSH keys only.
PermitEmptyPasswords
specifies whether the server allows login with an empty password. You should never allow this, so we set it to “no.”
Next, find the “UsePAM” line and change it to “no.” This will prevent the daemon from using any authentication methods (password, Kerberos, etc.) other than SSH keys.
UsePAM no
Save the file by pressing Ctrl + O, then Ctrl + X and reload the SSH server.
sudo systemctl restart ssh
Now that you have successfully configured your server to use only SSH keys for authentication, anyone trying to log in without a valid RSA key will be immediately denied.
Frequently Asked Questions
I am getting a “Connection refused” when I send my SSH key to my Linux server. How do I fix this?
Make sure that the SSH server is running on the remote host. You can check this by running sudo systemctl status ssh
. If the service is not running, you can start it with this command: sudo systemctl start ssh
.
If a firewall is running on the server, make sure that port 22 is open. You can do this by running sudo ufw status
. If SSH isn’t listed, you can enable it by running this command: sudo ufw allow ssh
.
I get a “Permission denied (publickey)” error when I try to log in. What should I do?
This error means that you have configured your server to use keys for authentication, but you’re still trying to log in with a password. This can either be due to a missing RSA key or an incorrect SSH setting. Check that you’ve copied your public key to the server correctly and that you’re specifying the correct public key when you connect.
I get a “Host key verification failed” error when I try to connect. How do I fix this?
This error means that the SSH server’s host key has changed. It can happen if the server has been reinstalled. You can regenerate a new public key and copy it over to the remote host. Repeat the steps in this article to regenerate and add the new key to the server.
Is it possible to use multiple SSH keys on the same remote Linux server?
Yes. You can use the -f
option in OpenSSH to specify the exact key you want to use to connect to a remote server. For example, running ssh -f ~/.ssh/id_rsa_2 username@remote_ip_address
will connect you to your remote server using the “id_rsa_2” key instead of the default “id_rsa.”
However, it is important to note that this command will only work if your remote server already recognizes your new key. You need to first copy it to your remote server using ssh-copy-id
. Similar to the steps above, you can do this either through password or RSA key authentication.
I am getting a “Permission Denied” error whenever I try to copy my SSH key to my server.
This issue is most likely due to a permissions problem in your remote server. In most cases, the ssh-copy-id
utility should properly resolve any access issues as soon as it connects to your remote server. However, there are instances where this feature breaks and fails to properly copy your local machine’s “id_rsa.”
To fix this, log in to your remote server and run chmod 700 /home/$USER/.ssh/* && chmod 600 /home/$USER/.ssh
. This will set the correct permission bits for both the “.ssh” folder and its contents.
Image credit: Unsplash. All alterations and screenshots by Ramces Red.
Ramces Red –
Staff Writer
Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.
Subscribe to our newsletter!
Our latest tutorials delivered straight to your inbox
Sign up for all newsletters.
By signing up, you agree to our Privacy Policy and European users agree to the data transfer policy. We will not share your data and you can unsubscribe at any time. Subscribe