Using SSH keys to login to servers and computers is a great way to add a layer of security as well as remove the hassle of typing your password. In this article I will show you how you can create your unique and password-proteced SSH key so you can login to your server without ever needing to enter passwords. Also, this means you can disable password login on your server and that will stop hackers from trying to brute-force their way into your server.
Let’s get cracking…
Alright, if you don’t have a
.ssh directory created, make it and make sure you give access to only yourself.
mkdir -p ~/.ssh chmod 700 ~/.ssh cd ~/.ssh
Next thing is to create a RSA key. To do this, use the
ssh-keygen -t rsa
- It will ask you to enter a file to save the key into, just press enter.
- For the next part, you can create a passphrase as an added layer of protection. I’d highly recommend you do this as if someone grabs your key, they’ll need a password to use it as well. Depending on the OS you’re using (Linux, Windows, macOS) and the SSH client, the behaviour will be different.
Once done, you want to use the
ssh-copy-id command to copy the public part of your SSH key to the remote server you want to connect to. Here’s an example
ssh-copy-id -i ~/.ssh/id_rsa.pub email@example.com
userwith the username you use to connect to the server.
server.comwith your server address
- If you use a specific port number, make sure to append
-p <port_num>to the end.
- You’ll be prompted to enter your remote server password, enter it.
That’s it! You can now connect to your server without entering passwords, all you need is a username, hostname and maybe port number. If you want to simplify things further, you can create a SSH profile and all you have to type is
ssh myserver to connect.
Some things to consider
- Once you have a successful connection estabilished, you should backup your private and public keys. You don’t want to lose them when distro hopping 😉
- Try using a different port number than 22 on your remote servers. Especially if you have a website, pick a random 4-5 digit port number.
- If you can be bothered, disable root-login and only login with another user which has superuser access. This is the desired behaviour and adds another layer of protection as the root account cannot be used for loggin into the server.