We all know that passwords aren’t a good method of authentication. Complex passwords are hard to remember, simple passwords are next to worthless. And yet, most web developers who log in to production and development servers use SSH with a password.
The dangers are obvious: for even fairly long passwords, which most people don’t use, a brute force attack against an SSH server can prove effective. Passwords are bad at protecting the files that constitute your website, not to mention any sensitive data that might be stored in your databases.
Passwords aren’t the only way to handle server authentication on your virtual private server; they aren’t even the most convenient. Key-based authentication is a better option.
You’re probably familiar with the basics of how SSL / TLS encryption works. At its heart, it relies on a pair of keys: a public key and a private key. Key-based authentication uses the same basic cryptographic technology for authentication.
It works like this. You generate a cryptographically secure key pair, which includes a public key and a private key. The public key is uploaded to your server. You keep the private key on your local machine. When you connect via SSH to your server, the SSH server application will send a challenge message to your local SSH client. The server will encrypt the message with the public key you uploaded to the server. This message can only be decrypted with the matching private key. The SSH client will attempt to decrypt the message with the private key, and then send a hash of the message and some other information back to the server. The server has the same information and can generate the same hash. If the hashes match, the client is authenticated, because unless the client has the private key, and can read the challenge message, there’s no way that the hashes could match — it proves possession of the private key.
This can be quite difficult to understand even at a high level, but you shouldn’t worry too much about it. You don’t need to understand exactly how it works to use key pairs with SSH. If you are interested in knowing the details, they’re explained in more depth here.
Using Key-based Authentication
The first thing you’ll need to do is create a key pair on your local machine. I’m going to assume you’re on a Linux machine or a Mac with OpenSSH installed, or that you know how install and use OpenSSH on Windows.
To create a key pair, you run the command:
The tool will ask some questions. Generally, it’s safe to accept the defaults. It will also ask you for a passphrase to protect the key pair. You don’t have to use a passphrase; if you leave the response blank, you won’t have to enter a passphrase whenever you use the key pair — this is less secure, but it’s more convenient. You should decide for yourself whether you need a passphrase.
Now you have a key pair, you’ll need to copy the public key to your VPS. You can do this with FTP, but the best way is to use the “ssh-copy-id” utility.
You’ll be asked to enter your SSH password, and then the utility will take care of putting the public key in the right place.
Now, you can use SSH to log in to your server, and the SSH client will use the key pair you just created for authentication:
Of course, there’s not much point in using key-based authentication if you allow password logins over SSH too, so you should disable password authentication.
The details of how to disable password logins can differ depending on the Linux distribution on your server, but in general, you’ll need to add the following line to your “sshd_config” file:
On CentOs systems, you can find the “ssh_config” file in “/etc/ssh/sshd_config”.
Now you can log in to your server using a key pair that is significantly more secure than a password, and brute force attacks against your server will be fruitless.