Creating an SSH key is the safest way to access your server.
On your client machine, type:
ssh-keygen -t rsa-sha2-512 -b 4096 -C "[email protected]"
Or, for an elliptic curve alternative:
ssh-keygen -t ed25519 -C "[email protected]"
It will ask for a location; just hit “Enter”. If you want a passphrase, type and confirm it. The key is now created.
To change the passphrase of a private key:
ssh-keygen -p -f ~/.ssh/id_dsa
Or simply:
ssh-keygen -p
To manually extract the public key from the private key:
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
The entire directory must be protected from being read by other users:
chmod 700 -R ~/.ssh
To transfer your key to the server:
ssh-copy-id [email protected]
Enter the password you normally use to log in to your server.
The public key can also be installed manually by appending id_rsa.pub to authorized_keys.
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
To check the algorithm of an existing key:
ssh-keygen -l -f ~/.ssh/id_rsa
Done! Now try connecting again.
ssh domain.com
If you did everything correctly, you are now logged in.
It is always a good idea to have a second account ready in case you make a mistake and lock yourself out. If that happens, log in with the second account, switch to your user or root, and delete the files inside the ~/.ssh/ folder.
As a good practice, protect your SSH configuration as much as possible. Edit the config file:
sudo nano /etc/ssh/sshd_config
Parameters you should pay attention to:
AllowUsers user PermitRootLogin no PubkeyAuthentication yes PasswordAuthentication no PermitEmptyPasswords no
Replace “user” with your own username. Then restart the SSH service:
sudo systemctl restart sshd.service
Consider adding an SSHFP (SSH Fingerprint) record to your DNS zone. It requires the following information:
- Algorithm (integer)
- 1: RSA
- 2: DSA
- 3: ECDSA
- or other.
- Hash Type (integer)
- 1: SHA-1
- 2: SHA-256
- or other.
- Fingerprint (text)
- Hexadecimal representation of the hash result.
To obtain the hash and its parameters, run the following command against the public key with the domain or IP information:
ssh-keygen -r domain.com -f ~/.ssh/id_rsa.pub
The output may show a few lines, where the highlighted numbers represent the Algorithm (RSA) and Hash Type (SHA-1 and SHA-256) respectively, followed by the Fingerprint.
domain.com IN SSHFP 1 1 5fc287e33f114f495269480222934d2da805e634 domain.com IN SSHFP 1 2 c208d0046676861e11437931eba71c604c499ced7fd24bacd7838daa6842d633
For ECDSA, it would look like this:
domain.com IN SSHFP 4 1 e65c171139b05c47a44c869d2dffc4dfe255201e domain.com IN SSHFP 4 2 3f9648811a18efcdf7976a04eea49af1edb433d0ec9ac28c19d0c29d059e9c70
BONUS
If you need to hop through a server that is the entry point of a network to reach an internal server, use the ProxyJump option:
ssh -J [email protected] [email protected]
Or create a configuration to automate this:
nano ~/.ssh/config
With the following configuration adjusted accordingly:
Host external
HostName 200.200.200.200
User user1
Host internal
HostName 10.0.0.1
User user2
IdentityFile ~/.ssh/id_rsa
ProxyJump external
Many other parameters can be set in this file:
Host serverA
HostName 192.168.0.1
User user3
Port 2222
Protocol 2
IdentityFile ~/.ssh/serverA.key
LogLevel INFO
Compression yes
ServerAliveInterval 60
ServerAliveCountMax 30
ForwardAgent no
ForwardX11 no
ForwardX11Trusted yes
ProxyJump [email protected]:22,[email protected]:2222
Host * !192.168.0.1
User ubuntu
To bypass any pre-configuration and pass only the command arguments directly:
ssh -F /dev/null user@host
Check out LazySSH [Link]. It reads the ~/.ssh/config file and presents a TUI for easy navigation between configured servers.
READ MORE