Monday, December 15, 2008

Use Public/Private Keys for Authentication

First, create a public/private key pair on the client that you will use to connect to the server (you will need to do this from each client machine from which you connect):

$ ssh-keygen -t rsa

This will create two files in your ~/.ssh directory:

id_rsa: your private key (stays on the client; never copy it anywhere)
id_rsa.pub: your public key (the only file that goes to the server)

If you don't want to be asked for anything each time you connect,
just press enter when ssh-keygen asks for a passphrase (what the prompt
calls a passphrase is the password that encrypts the private key on disk).
It is up to you to decide whether or not to passphrase-protect your key.
If you don't, then anyone gaining access to your local account (a stolen
laptop, a careless backup, a compromised user process) automatically has
ssh access to every server where the key is installed. Root on the local
machine can read your keys either way, although one assumes that if you
can't trust root (or root is compromised) then you're in real trouble.
Encrypting the key adds security at the expense of replacing the server's
password prompt with a prompt for the key's passphrase; running ssh-agent
lets you enter that passphrase once per login session rather than on every
connection. Now set permissions on your .ssh directory and private key
(ssh refuses to use a private key that is readable by others):

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa

Copy the public key (id_rsa.pub, and only that file) to the server, for example with scp, and append it to the authorized_keys list there. ssh-copy-id does these steps for you; done by hand on the server they are:

$ mkdir -p ~/.ssh && chmod 700 ~/.ssh
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

The permissions matter: with the default StrictModes setting, sshd ignores authorized_keys if the file, the .ssh directory or your home directory is writable by anyone else.

Once you've checked you can successfully log in to the server using your public/private key pair
(keep that session open while you change the configuration, so a mistake can't lock you out),
you can disable password authentication completely by adding the following settings to your
/etc/ssh/sshd_config, checking the file with sshd -t, and reloading sshd:

# Disable password authentication, forcing use of keys
PasswordAuthentication no
# Also disable keyboard-interactive (PAM) logins, which would otherwise still accept a password
ChallengeResponseAuthentication no

On OpenSSH 8.7 and later the second keyword is called KbdInteractiveAuthentication; the old name still works as an alias. Keep in mind that sshd uses the first occurrence of a keyword, so a setting added at the end of the file has no effect if the same keyword appears earlier.
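The whole procedure above, as an added example that is not part of the original post: shell functions that install a public key into authorized_keys without duplicating it, verify the permission layout sshd's StrictModes requires, and read an sshd_config the way sshd does (first match wins, comments ignored, nothing after a Match line) to confirm that password logins really are off. The sample public key and the three sshd_config fragments are constructed for the demonstration; nothing here contacts a real server or uses a real key.

```shell
#!/bin/sh
# Added example, not code from the original post. Every input below is
# constructed; no real host or key is involved.

# Constructed sample public key (not a real key).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedsamplekey0000 user@client'

# Constructed sshd_config fragments.
# Weak: the only PasswordAuthentication line is commented out, so sshd
# falls back to its default of "yes".
WEAK_SSHD_CONFIG='#PasswordAuthentication no
PubkeyAuthentication yes'
# Partial: passwords are off, but keyboard-interactive (PAM) still defaults
# to "yes", so a password can still be typed at that prompt.
PARTIAL_SSHD_CONFIG='PubkeyAuthentication yes
PasswordAuthentication no'
# Hardened: both password paths are closed.
HARDENED_SSHD_CONFIG='PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no'

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Create the .ssh directory (700) and authorized_keys (600) if needed and
# append the key unless that exact line is already present.
install_pubkey() {
    pubkey_file=$1
    auth_keys=$2
    ssh_dir=$(dirname "$auth_keys")
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    # -F fixed string, -x whole line, -q quiet: exact-line duplicate check
    if ! grep -qxF "$(cat "$pubkey_file")" "$auth_keys"; then
        cat "$pubkey_file" >> "$auth_keys"
    fi
}

# has_mode PATH OCTAL: succeed only if PATH exists and its mode is exactly OCTAL.
has_mode() {
    find "$1" -prune -perm "$2" 2>/dev/null | grep -q .
}

# check_ssh_perms SSH_DIR: 700 on the directory, 600 on authorized_keys and,
# where a private key is present (client side), 600 on id_rsa.
check_ssh_perms() {
    ssh_dir=$1
    has_mode "$ssh_dir" 700 || return 1
    has_mode "$ssh_dir/authorized_keys" 600 || return 1
    if [ -f "$ssh_dir/id_rsa" ]; then
        has_mode "$ssh_dir/id_rsa" 600 || return 1
    fi
    return 0
}

# sshd_effective CONFIG KEYWORD: print the value sshd would use for KEYWORD
# (lowercased), or nothing if the keyword is not set globally.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                        # comment line
        { sub(/^[ \t]*/, ""); sub(/=/, " ") }      # allow "Keyword=value"
        tolower($1) == "match" { exit }            # later lines are conditional
        NF >= 2 && tolower($1) == kw { print tolower($2); exit }  # first match wins
    ' "$1"
}

# password_login_disabled CONFIG: succeed only if neither the password nor the
# keyboard-interactive path can accept a password. Absent keywords take sshd's
# default of "yes".
password_login_disabled() {
    pw=$(sshd_effective "$1" PasswordAuthentication)
    kbd=$(sshd_effective "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective "$1" ChallengeResponseAuthentication)
    [ "${pw:-yes}" = no ] && [ "${kbd:-yes}" = no ]
}

# Stand-alone run on a throwaway directory; nothing here touches a real server.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"
if check_ssh_perms "$demo_dir/.ssh"; then echo "permissions: ok"; fi
printf '%s\n' "$WEAK_SSHD_CONFIG" > "$demo_dir/weak"
printf '%s\n' "$PARTIAL_SSHD_CONFIG" > "$demo_dir/partial"
printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$demo_dir/hardened"
for cfg in weak partial hardened; do
    if password_login_disabled "$demo_dir/$cfg"; then
        echo "$cfg config: password logins disabled"
    else
        echo "$cfg config: password logins still possible"
    fi
done
rm -rf "$demo_dir"
```

Run it as-is to see the three verdicts; point password_login_disabled at a real /etc/ssh/sshd_config to audit a server. The "partial" case is the one that catches people out: PasswordAuthentication no alone leaves the keyboard-interactive prompt open when sshd is built with PAM, which is why the check insists on both keywords.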
