Creating an SSH key is the safest way to access your server.

On your client machine, type:

ssh-keygen -t rsa-sha2-512 -b 4096 -C "[email protected]"

Or, for an elliptic curve alternative:

ssh-keygen -t ed25519 -C "[email protected]"

It will ask for a location; just hit “Enter”. If you want a passphrase, type and confirm it. The key is now created.

To change the passphrase of a private key:

ssh-keygen -p -f ~/.ssh/id_dsa

Or simply:

ssh-keygen -p

To manually extract the public key from the private key:

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

The entire directory must be protected from being read by other users:

chmod 700 -R ~/.ssh

To transfer your key to the server:

ssh-copy-id [email protected]

Enter the password you normally use to log in to your server.

The public key can also be installed manually by appending id_rsa.pub to authorized_keys.

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

To check the algorithm of an existing key:

ssh-keygen -l -f ~/.ssh/id_rsa

Done! Now try connecting again.

ssh domain.com

If you did everything correctly, you are now logged in.

It is always a good idea to have a second account ready in case you make a mistake and lock yourself out. If that happens, log in with the second account, switch to your user or root, and delete the files inside the ~/.ssh/ folder.

As a good practice, protect your SSH configuration as much as possible. Edit the config file:

sudo nano /etc/ssh/sshd_config

Parameters you should pay attention to:

AllowUsers user
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

Replace “user” with your own username. Then restart the SSH service:

sudo systemctl restart sshd.service

Consider adding an SSHFP (SSH Fingerprint) record to your DNS zone. It requires the following information:

  • Algorithm (integer)
    • 1: RSA
    • 2: DSA
    • 3: ECDSA
    • or other.
  • Hash Type (integer)
    • 1: SHA-1
    • 2: SHA-256
    • or other.
  • Fingerprint (text)
    • Hexadecimal representation of the hash result.

To obtain the hash and its parameters, run the following command against the public key with the domain or IP information:

ssh-keygen -r domain.com -f ~/.ssh/id_rsa.pub

The output may show a few lines, where the highlighted numbers represent the Algorithm (RSA) and Hash Type (SHA-1 and SHA-256) respectively, followed by the Fingerprint.

domain.com IN SSHFP 1 1 5fc287e33f114f495269480222934d2da805e634
domain.com IN SSHFP 1 2 c208d0046676861e11437931eba71c604c499ced7fd24bacd7838daa6842d633

For ECDSA, it would look like this:

domain.com IN SSHFP 4 1 e65c171139b05c47a44c869d2dffc4dfe255201e
domain.com IN SSHFP 4 2 3f9648811a18efcdf7976a04eea49af1edb433d0ec9ac28c19d0c29d059e9c70

BONUS

If you need to hop through a server that is the entry point of a network to reach an internal server, use the ProxyJump option:

ssh -J [email protected] [email protected]

Or create a configuration to automate this:

nano ~/.ssh/config

With the following configuration adjusted accordingly:

Host external
    HostName 200.200.200.200
    User user1
Host internal
    HostName 10.0.0.1
    User user2
    IdentityFile ~/.ssh/id_rsa
    ProxyJump external

Many other parameters can be set in this file:

Host serverA
    HostName 192.168.0.1
    User user3
    Port 2222
    Protocol 2
    IdentityFile ~/.ssh/serverA.key
    LogLevel INFO
    Compression yes
    ServerAliveInterval 60
    ServerAliveCountMax 30
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted yes
    ProxyJump [email protected]:22,[email protected]:2222

Host * !192.168.0.1
    User ubuntu

To bypass any pre-configuration and pass only the command arguments directly:

ssh -F /dev/null user@host

Check out LazySSH [Link]. It reads the ~/.ssh/config file and presents a TUI for easy navigation between configured servers.


READ MORE

  • Discover new SSH functionalities in Reverse Shell with AutoSSH [Link].
  • Identify bad practices with SSH Audit Server and Client [Link].
  • Add defence in layers with Using Port Knocking to Secure SSH [Link].
  • Do not skip Hardening OpenSSH with 2FA [Link].