ssh public key only login - authentication

Written by
Date: 2010-10-10 11:36:30 00:00


OpenSSH public/private key authentication

OpenSSH public key authentication lets users log into a server without typing the account's password.

It is possible to disable every other form of login to the server and leave only authentication by SSH public key available.

What this achieves is to take passwords out of the picture entirely: an attacker who can reach the SSH port can no longer guess or brute-force them, because sshd will not offer password authentication at all.

For this method to work, three steps are needed:

  1. Create an SSH public/private key pair
  2. Disable root login on the server
  3. Disable password login for every other user on the server

Create an SSH public/private key pair

We will create our SSH key and copy it to the server, so that we can then log into it without entering the user's password. To create your public and private SSH keys on the command line, do this on the computer you want to log into the server from:

mkdir ~/.ssh

chmod 700 ~/.ssh

ssh-keygen -t rsa

ssh-keygen asks where to store the keys and for a passphrase. Accept the default location for the first, and use a good passphrase for the second: the passphrase encrypts the private key on disk, so a copy stolen from your machine is not immediately usable. The output should look something like this:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/b/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/b/.ssh/id_rsa.
Your public key has been saved in /home/b/.ssh/id_rsa.pub.

Copy your key to the server

ssh-copy-id [username]@[host]

Now you should be able to log into that server without using your account password; you will be asked for the passphrase if you set one. Test this before going any further, because the next two steps remove the password fallback.
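As an added example (not part of the original post): this is what ssh-copy-id does on the server side, written out by hand so that the file modes and the duplicate-key case are visible. It is useful when you carry keys over on a USB stick rather than over the network. The function names are mine, and the public key line in the usage comment is a constructed placeholder, not a real key.

```shell
# install_pubkey PUBKEY_LINE HOME_DIR
# Appends one public key line to HOME_DIR/.ssh/authorized_keys, creating the
# directory and file with the modes sshd's StrictModes check requires (sshd
# silently ignores the file if ~/.ssh or authorized_keys is group- or
# world-writable), and skips the key if it is already present.
install_pubkey() {
    key="$1"
    home="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    # -x: match the whole line, -F: fixed string (keys contain '+' and '/')
    if grep -qxF "$key" "$auth"; then
        echo "already present: $auth"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "installed in $auth"
}

# count_keys HOME_DIR
# Prints how many key lines (ignoring blanks and comments) authorized_keys holds.
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# check_modes HOME_DIR
# Returns 0 if ~/.ssh is 0700 and authorized_keys is 0600, the modes sshd expects.
check_modes() {
    d="$(ls -ld "$1/.ssh" | cut -c1-10)"
    f="$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)"
    [ "$d" = "drwx------" ] && [ "$f" = "-rw-------" ]
}

# Usage on the server, with the key text brought over from the client
# (constructed placeholder below, not a real key):
#   install_pubkey 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed== user@laptop' /home/alice
```

Running it twice with the same key leaves a single entry, which is the property you want when several admins paste keys into the same file.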

Disable root login

Edit the file /etc/ssh/sshd_config

vi /etc/ssh/sshd_config

(you can use your favorite text editor)

I strongly recommend opening two sessions if you are doing this over a remote connection, and never closing one of them. That way, if you need to roll back the configuration, you will not lock yourself out by mistake: restarting sshd does not terminate connections that are already established.

Locate the Protocol line; in vi or vim you can search for it by typing:

:/Protocol

if it says

Protocol 2,1

change it to:

Protocol 2

This leaves only SSH protocol 2 enabled, which is more secure than protocol 1. Do not do this if you must support a client that only speaks protocol 1. (Recent OpenSSH releases have dropped protocol 1 entirely, so on a current server this line may not exist at all; that is fine.) Next, locate the PermitRootLogin line by entering this in vi or vim:

:/PermitRootLogin yes

and change it to this (if the line starts with a #, it is commented out and only documents the compiled-in default; remove the # as well, otherwise the new value has no effect):

PermitRootLogin no

and save the file with:

:wq

Then restart the ssh service so the change takes effect. Established sessions, including your spare one, survive the restart.

Disable password login for any other user in the server

Now we lock the passwords of all other users on the server, except root. Root cannot log in over SSH any more, so the only remaining way into the server is the public/private SSH key. To lock a user's password, use this command:

sudo passwd -l [user]

Run it for every user on that server who is allowed to log in, that is, every account with a shell.

Caveat: a locked password does not only block SSH password logins; it also disables the password for console logins, su and sudo (see Note 2 below), and depending on the platform and whether sshd is built to use PAM, sshd may treat the locked password as a locked account and refuse that user's key logins as well. Test a key login for each user right after locking.

Alternate Method (Updated: 10.11.10)

As suggested by Stephen, if you need local (console) authentication, locking the accounts as above is not an option. This is a better way: edit the file /etc/ssh/sshd_config and make sure this line is there:

PasswordAuthentication no

The default is yes. On systems where sshd uses PAM (UsePAM yes, the default on Debian and Ubuntu), also set ChallengeResponseAuthentication to no, otherwise sshd can still ask for the password through keyboard-interactive authentication even with PasswordAuthentication off. Then restart ssh, and you are done.
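The sshd_config edits from the two sections above, done as an idempotent script rather than by hand in vi. This is an added example, not code from the original post. It handles the three states a directive can be in: active, commented out (a line such as #PermitRootLogin yes only documents the compiled-in default, and editing its value without removing the # changes nothing), or absent. The helper names and the sample config are constructed for the example, and the helper assumes a config without Match blocks.

```shell
# set_sshd_option FILE KEY VALUE
# Makes "KEY VALUE" the effective setting in an sshd_config: the first line
# carrying KEY, active or commented out, is replaced and any later copies are
# dropped (sshd honours the first active occurrence, so a stale duplicate
# further down would otherwise be ignored silently); if KEY is absent the
# directive is appended. Assumes a config without Match blocks.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indent and one comment marker
            split(line, f, /[ \t=]+/)             # f[1] is the directive name
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# Prints the value of the first active (uncommented) KEY line, or nothing.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 only if the three directives this how-to cares about are set
# explicitly to "no"; an unset directive counts as a failure because the
# compiled-in default is not "no".
audit_sshd_config() {
    rc=0
    for want in PermitRootLogin=no PasswordAuthentication=no ChallengeResponseAuthentication=no; do
        k="${want%%=*}"; v="${want#*=}"
        got="$(get_sshd_option "$1" "$k")"
        if [ "$got" != "$v" ]; then
            echo "$k is '${got:-unset}', expected $v"
            rc=1
        fi
    done
    return "$rc"
}

# make_sample_config FILE
# Writes a constructed stand-in for a stock sshd_config (not a real server's file).
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sshd_config
Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
}

# harden_sshd_config FILE
# Applies the settings from this how-to. Run it on a copy first, then on
# /etc/ssh/sshd_config, with a second SSH session kept open the whole time.
harden_sshd_config() {
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
}
```

After applying it to the real file, run sshd -t to check the syntax and sshd -T to print the effective configuration as the daemon parses it (the audit function only reads the text file). Then, from another terminal, confirm that passwords are really refused: ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@host should fail with "Permission denied (publickey)" rather than prompt for a password.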

You will need to repeat step 1 for every user you want to have access to the server before locking their passwords (or disabling password authentication), or get their public keys onto the server some other way, for example on a USB stick.

Be sure you have physical (console) access to the server before you risk locking yourself out, or test your keys before doing it. Failing to do so may lock you out of the server completely; you have been warned.

Note 2: If you use some account as an admin account with sudo access and you lock its password, be sure to disable the password challenge for that user using visudo (a NOPASSWD rule), or you will not be able to use sudo again, since sudo asks for the very password you just locked. With the alternate method the password stays valid locally, so sudo keeps working as before.