How to improve security and your comfort when logging in remotely to a Linux machine?
Use private/public key pair with ssh-based services!
What is public key authentication and why use it?
It is a mostly passwordless method of authentication (you can still protect your private key with a password):
The motivation for using public key authentication over simple passwords is security. Public key authentication provides cryptographic strength that even extremely long passwords can not offer. With SSH, public key authentication improves security considerably as it frees the users from remembering complicated passwords (or worse yet, writing them down).
In addition to security public key authentication also offers usability benefits - it allows users to implement single sign-on across the SSH servers they connect to. Public key authentication also allows automated, passwordless login that is a key enabler for the countless secure automation processes that execute within enterprise networks globally.
https://www.ssh.com/academy/ssh/public-key-authentication
As stated above, this method of authentication revolves around a pair of keys, public and private. The private key must be kept secure and never distributed anywhere; it is for your use only. The public key, on the other hand, can be shared freely and uploaded to remote hosts for easy and secure authentication.
Besides authenticating to another host, you can use such keys to authenticate to GitHub, GitLab, and many other services!
Generating and using keys on Linux
Using ssh-keygen
To generate a key pair, use the following command:
ssh-keygen -t ed25519 -C "<comment>"
Note: on some (usually older) systems that don't support ed25519, you should use RSA:
ssh-keygen -t rsa -b 4096 -C "<comment>"
The comment added to the key is usually either your email or an identification of the key's purpose (for example the name of the host that will hold the private key, so that on remote servers you can easily see which public key belongs to which host).
ssh-keygen will ask for a password to protect the private key (to skip this step, confirm without typing a password) and where to save the key files (if you use non-standard key filenames or paths, additional ssh client configuration will be required). The location can also be passed using the -f <path & filename> parameter.
Using private keys with custom names
If you kept the default key filenames, the ssh client will try them automatically. If you chose a custom name (for example because you have several key pairs), you need to specify the key file to be used. You can either pass it as a parameter to the ssh command:
ssh -i ~/.ssh/mykey user@host
or you can add it to your ssh configuration at ~/.ssh/config (either globally, or for a certain Host):
IdentityFile ~/.ssh/mykey
Setting up public key on a remote host
The public key should be appended to the ~/.ssh/authorized_keys file of the remote host's user that will be used. If you need to create the .ssh directory and the authorized_keys file, ensure they have proper permissions (0700 for .ssh and 0644 for authorized_keys).
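The Linux-side procedure above (generate a key, point the client at a custom-named key file, install the public key with the right permissions) as an added example written for this page; it is not code from the original post. It assumes a POSIX sh with standard utilities, takes the home directory as a parameter so it can be tried in a scratch directory, and adds one option the post does not mention, IdentitiesOnly, which keeps the client from also offering every other key it knows about.

```shell
#!/bin/sh
# Added example (not from the original post): the Linux-side procedure as
# small reusable functions. Assumes POSIX sh with standard utilities;
# HOME_DIR is a parameter so the functions can be tried against a scratch
# directory (mktemp -d) instead of a real home directory.

# generate_key KEYFILE COMMENT
# The ssh-keygen call from the post with a custom key path; ssh-keygen
# still prompts for the optional passphrase.
generate_key() {
    ssh-keygen -t ed25519 -C "$2" -f "$1"
}

# install_authorized_key HOME_DIR "<type> <base64> [comment]"
# Creates .ssh (0700) and authorized_keys (0644) if missing and appends
# the key unless the same key material is already present.
install_authorized_key() {
    home=$1; pubkey=$2
    sshdir="$home/.ssh"; akfile="$sshdir/authorized_keys"
    set -- $pubkey
    # a usable line starts with a known key type and carries a base64 blob
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not an OpenSSH public key line: $pubkey" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "missing key data: $pubkey" >&2; return 1; }
    keytype=$1; blob=$2
    mkdir -p "$sshdir" && chmod 0700 "$sshdir"
    [ -f "$akfile" ] || : > "$akfile"
    chmod 0644 "$akfile"
    # compare type and blob only, so the same key with another comment is
    # still recognised as a duplicate
    if awk -v t="$keytype" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$akfile"; then
        echo "key already present in $akfile" >&2
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$akfile"
}

# add_host_entry HOME_DIR ALIAS HOSTNAME USER KEYFILE
# Appends a Host block to .ssh/config so that "ssh ALIAS" uses KEYFILE.
# IdentitiesOnly is an addition beyond the post: it stops the client from
# also offering every other key it knows about.
add_host_entry() {
    home=$1; name=$2; target=$3; user=$4; keyfile=$5
    cfg="$home/.ssh/config"
    mkdir -p "$home/.ssh" && chmod 0700 "$home/.ssh"
    if [ -f "$cfg" ] && grep -q "^Host $name\$" "$cfg"; then
        echo "Host $name is already configured in $cfg" >&2
        return 1
    fi
    {
        printf 'Host %s\n' "$name"
        printf '    HostName %s\n' "$target"
        printf '    User %s\n' "$user"
        printf '    IdentityFile %s\n' "$keyfile"
        printf '    IdentitiesOnly yes\n'
    } >> "$cfg"
    chmod 0600 "$cfg"
}

# Usage on the remote host, with the public key line pasted as one argument:
#   install_authorized_key "$HOME" "ssh-ed25519 AAAA... laptop"
# and on the client:
#   add_host_entry "$HOME" myserver server.example.com alice "$HOME/.ssh/mykey"
```

The duplicate check compares only the key type and the base64 blob, because the comment is free text and two copies of the same key with different comments would otherwise both end up in authorized_keys.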
Using the keys
That's it! You can now use all the services based on the ssh protocol (ssh, sftp, scp, and others).
Generating and using keys on Windows
Using PuTTYgen
To generate keys that can be used with Windows programs (such as PuTTY/Pageant or WinSCP), you can use PuTTYgen, which is a part of PuTTY CAC.
In the PuTTYgen dialog you can select the algorithm; the suggested one is Ed25519, although you may need to use RSA (with a 4096-bit key size) if the remote system supports only older ciphers.
After clicking "Generate" you'll need to create some random seed by moving your cursor within the dialog box; afterwards you can add a comment (usually your email or name of the host that'll hold the private key) and a password to protect the private key. Finally, you can save the files (one for each key) in a desired location (in this case the filename doesn't matter that much).
Setting up public key on a remote host
Before following the Linux instructions above, you need to adjust the form of the public key; PuTTYgen creates something like this:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "sample-ed25519-key"
AAAAC3NzaC1lZDI1NTE5AAAAIL1fL7MfhYHEnPefKW1OcbJYJFLFdhWjUut9cQM1
VSlW
---- END SSH2 PUBLIC KEY ----
You need to change it to <cipher> <key> <comment>, like this:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1fL7MfhYHEnPefKW1OcbJYJFLFdhWjUut9cQM1VSlW sample-ed25519-key
After these edits, you can add the key to authorized_keys, or pass it to someone else.
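The conversion described above, done by a script instead of by hand, as an added example that is not part of the original post. It reads a PuTTYgen "SSH2 PUBLIC KEY" file (the RFC 4716 format), joins the wrapped base64 lines, recovers the comment, and derives the key type from the blob itself, since the RFC 4716 file does not state it separately: the blob begins with a 4-byte big-endian length followed by the algorithm name. It assumes a POSIX sh plus GNU-style base64 -d, od, head -c and tail -c (Linux coreutils); the sample key embedded for the demo is the one shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: convert a PuTTYgen
# "SSH2 PUBLIC KEY" (RFC 4716) file into the single-line OpenSSH form
# that authorized_keys expects. Assumes a POSIX sh plus GNU-style
# "base64 -d", od, head -c and tail -c (Linux coreutils).

# key_type_from_blob BASE64
# The key type is not a separate field in the RFC 4716 file; it is the
# first element inside the base64 blob, encoded as a 4-byte big-endian
# length followed by the algorithm name (e.g. "ssh-ed25519").
key_type_from_blob() {
    blob=$1
    len=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4 \
          | awk '{ print $1*16777216 + $2*65536 + $3*256 + $4 }')
    # reject empty or absurd lengths so a corrupted blob does not yield junk
    [ -n "$len" ] && [ "$len" -gt 0 ] && [ "$len" -le 64 ] || return 1
    printf '%s' "$blob" | base64 -d 2>/dev/null | head -c $((4 + len)) | tail -c "$len"
}

# rfc4716_to_openssh FILE
# Prints "<type> <base64> <comment>" for the key stored in FILE.
rfc4716_to_openssh() {
    file=$1
    # the Comment header carries the key comment in double quotes;
    # CRLF line endings (PuTTYgen on Windows) are stripped first
    comment=$(awk '{ sub(/\r$/, "") }
                   /^Comment: / { sub(/^Comment: /, ""); gsub(/^"|"$/, ""); print; exit }' "$file")
    # everything that is neither a ---- marker nor a "Header: value" line
    # is a fragment of the base64 blob; join the fragments into one string
    blob=$(awk '{ sub(/\r$/, "") }
                /^----/ { next }
                /^[A-Za-z-]+: / { next }
                { printf "%s", $0 }' "$file")
    [ -n "$blob" ] || { echo "no key data found in $file" >&2; return 1; }
    keytype=$(key_type_from_blob "$blob") || { echo "cannot determine key type in $file" >&2; return 1; }
    printf '%s %s %s\n' "$keytype" "$blob" "$comment"
}

# write_sample_rfc4716 FILE
# Writes the sample key from the post to FILE (constructed demo input).
write_sample_rfc4716() {
    cat > "$1" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "sample-ed25519-key"
AAAAC3NzaC1lZDI1NTE5AAAAIL1fL7MfhYHEnPefKW1OcbJYJFLFdhWjUut9cQM1
VSlW
---- END SSH2 PUBLIC KEY ----
EOF
}

# Usage: rfc4716_to_openssh putty.pub >> ~/.ssh/authorized_keys
# Run with --demo to convert the embedded sample key.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_rfc4716 "$tmp"
    rfc4716_to_openssh "$tmp"
    rm -f "$tmp"
fi
```

Before appending the result to authorized_keys, a quick check that the line is intact is to run ssh-keygen -l -f on it; a truncated or mis-joined blob will be rejected there instead of silently failing at login time.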
Using the keys
PuTTY
When creating a new connection (or editing an existing one), navigate to Connection > SSH > Auth, and in the Authentication parameters field group set the path to the private key file that should be used for authentication (remember to save the connection settings in the Session category!).
WinSCP
When editing the advanced settings of the connection, navigate to SSH > Authentication and set the path to your private key file.