Step by Step to Securing your Linux: 1. Setup SSH keys

1. Setup SSH keys.

1.1. Check for existing SSH keys on your local machine.

  • Open a terminal and run the following:
    $ cd ~/.ssh

  • Check to see if you have a key already:
    $ ls

  • If the local machine already has a pair of keys, you will see the message:
    /home/username/.ssh/id_rsa already exists. Overwrite (y/n)?

If you overwrite existing keys, you cannot use them for authentication.

1.2. Back up old SSH keys.

  • Do this in a terminal on your local machine by running:
    $ mkdir key_backup
    $ cp id_rsa* key_backup

1.3. Generate new keys.

  • On the local machine, generate an RSA key pair (the default length is 2048 bits):
    $ ssh-keygen
    or
    $ ssh-keygen -t rsa -b 4096 -f ~/file-name-rsa -C "name@e-mail.com"

Read more about ssh-keygen.

  • You will see the prompt:
    > Enter file in which to save the key (/your_home/.ssh/id_rsa):

  • Press Enter to save the key pair to the .ssh/ subdirectory of your home directory, or specify an alternative path. After that you will see:
    > Enter passphrase (empty for no passphrase):

  • Finally you will see:
    > Your identification has been saved in /home/username/.ssh/id_rsa.
    > Your public key has been saved in /home/username/.ssh/id_rsa.pub.
    > The key fingerprint is:

1.4. Copy public key to remote server.

1.4.1. Copy key using ssh-copy-id.
  • The command uses the following syntax:
    $ ssh-copy-id username@remote_host
    or
    $ ssh-copy-id -i ~/file-name-rsa username@remote_host

For this to work, password-based SSH authentication must still be enabled on the remote host. Read more about ssh-copy-id.

  • ssh-copy-id may return:
    > The authenticity of host '111.111.11.111 (111.111.11.111)' can't be established.
    > ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
    > Are you sure you want to continue connecting (yes/no)? yes

This will happen when you first connect to the new host. Type yes and press Enter to continue.

  • Enter the password (your entry will not be displayed for security reasons) and press Enter.
    ssh-copy-id connects to the account on the remote host using the provided password. It then appends the contents of your local ~/.ssh/id_rsa.pub to the authorized_keys file in the ~/.ssh directory of the remote account.

To see the installed key:
$ nano ~/.ssh/authorized_keys

1.4.2. Copy key using ssh.
  • Pipe the public key through ssh with cat:
    $ cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

1.4.3. Manually copying the public key (if you do not have password access).
  • Read your id_rsa.pub on local machine:
    $ cat ~/.ssh/id_rsa.pub

  • Connect to a remote host using any available method.

  • On the remote host, create the ~/.ssh directory:
    $ mkdir -p ~/.ssh

  • Then you need to create the authorized_keys file and place the key from id_rsa.pub into it:
    $ echo key_from_id_rsa.pub >> ~/.ssh/authorized_keys

1.5. Disable password authentication.

Before performing this section, make sure that the root account or the user with sudo access on the remote server is configured with SSH key-based authentication.

Run:
$ sudo nano /etc/ssh/sshd_config

Set the following line, then save the file:
> PasswordAuthentication no

Restart the SSH service. For Ubuntu/Debian:
$ sudo systemctl restart ssh
or for CentOS/Fedora:
$ sudo service sshd restart

1.6. Connect to the server.

$ ssh username@remote_host
or
$ ssh -i ~/file-name-rsa username@remote_host

1.7. Edit sshd_config file.

$ sudo nano /etc/ssh/sshd_config
> PasswordAuthentication no
> PubkeyAuthentication yes
> PermitRootLogin no
and
$ sudo service sshd restart

1.8. Permissions And Ownership.

  • ~/.ssh permissions should be 700
    $ sudo chmod 700 ~/.ssh

  • ~/.ssh should be owned by your account
    $ sudo chown username ~/.ssh

  • ~/.ssh/authorized_keys permissions should be 600
    $ sudo chmod 600 ~/.ssh/authorized_keys

  • ~/.ssh/authorized_keys should be owned by your account
    $ sudo chown username ~/.ssh/authorized_keys
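A quick way to verify the sshd_config settings and the ~/.ssh permissions from the sections above, as an added example script that is not part of the original post; it assumes only POSIX sh, awk and find, and takes the config file path as an argument (pass /etc/ssh/sshd_config on a real host) rather than reading it directly.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config-style file
# for the three settings this tutorial sets, and check ~/.ssh permissions.
# sshd uses the FIRST uncommented value of each keyword (case-insensitive,
# "Key value" or "Key=value"); a later duplicate does not override it, and
# lines inside a "Match" block are conditional, so the scan stops there.
# effective_value FILE KEYWORD -> prints the effective value, or "unset"
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/=/, " ") }    # strip comments, allow Key=value
        NF == 0 { next }                      # nothing left on this line
        tolower($1) == "match" { exit }       # conditional section: stop here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per deviation; returns 1 if any
audit_sshd_config() {
    rc=0
    for pair in PasswordAuthentication=no PubkeyAuthentication=yes PermitRootLogin=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# check_ssh_perms DIR -> 0 if DIR is exactly mode 700 and DIR/authorized_keys
# exactly 600 (POSIX find -perm without a leading '-' is an exact match)
check_ssh_perms() {
    [ -n "$(find "$1" -prune -perm 700 -print)" ] || return 1
    [ -n "$(find "$1/authorized_keys" -prune -perm 600 -print)" ]
}

# Constructed sample: looks hardened at the bottom, but the earlier
# uncommented "PasswordAuthentication yes" is the value sshd actually uses.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# PasswordAuthentication no   <- commented out, has no effect
PasswordAuthentication yes
PubkeyAuthentication=yes
PermitRootLogin no
PasswordAuthentication no
EOF
    echo "$f"
}
```

Run `audit_sshd_config "$(make_sample_config)"` to see the first-value-wins trap reported, and `check_ssh_perms ~/.ssh` on the server after the chmod/chown steps.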