I recently posted about disabling the root user on Ubuntu. A seemingly obvious next step might be to avoid having to use passwords altogether. I use SSH keys to monitor my servers. Non-Exhaustive benefits (assuming that you keep your keys safe):
- SSH keys are a lot less likely to be brute forced than a password.
- Password authentication can be disabled if appropriate.
- Easier to setup scripts that connect to other servers E.g. rsync backup without supplying authentication credentials.
- Allow multiple people to share access to a system user without sharing the password.
- Remove access for an individual without altering the system configuration.
Generating a Key
Note: If you already have a key pair that you wish to use, skip to Configure a Remote User. You might have created a key already that you wish to retain, perhaps for a code repository or other service using SSH.
The key I refer to in the title is actually a key pair; public and private components. The key pair will be generated on the client; probably the computer you’re using (*nix based systems). I used my iMac for this post.
Trevs-iMac:~ trevor$ ssh-keygen -t rsa
You will likely be prompted for a file location to save your key pair. The default will likely be offered to you as the path .ssh/id_rsa within your home directory.
Generating public/private rsa key pair. Enter file in which to save the key (/Users/trevor/.ssh/id_rsa):
Upon entering your own file name or accepting the default (enter without input), you will be given the opportunity to enter a passphrase.
Enter passphrase (empty for no passphrase):
A passphrase is optional; there are benefits to having one. Chiefly, if the key is compromised and in the hands of another it will be ineffective until the passphrase is also known. However, it does mean that you will need to type it when invoking the key for authentication; making unattended use less convenient.
Regardless of your decision concerning passphrase, your files will be located in the path you supplied; with the public component having the same name with a .pub extension.
You now have a key pair to use for authentication on a remote system.
Configure a Remote User
Using the key pair for the purposes of authentication is a straightforward exercise. You should keep your private key, private. The public key (contained in the file created with the .pub extension) is all that is required for the remote system.
If you are using a Linux based OS (OS X El Capitan does not have this command for some reason) you will likely have a terminal command that will achieve the results in one hit:
ssh-copy-id trevor@host.domain.co.uk
Where trevor is to be replaced with the user on the remote system.
Alternatively, log into the remote system and append the contents of your public key file into ~/.ssh/authorized_keys.
You can store as many public keys in this file as you wish, simply append them to the file.
Test the Configuration
You should now be able to test the connection from your client terminal. Simply enter (replacing trevor with your username):
Trevs-iMac:~ trevor$ ssh trevor@host.domain.co.uk
If you opted to use a passphrase, you will be prompted to enter it. You should be able to establish a secure connection to your remote system without requiring input of additional credentials.
Conclusion
Connecting via SSH with an authorised key offers some advantages. It keeps from having to type passwords into terminals or other input mechanisms. Password authentication could be disabled entirely, only allowing connections authenticated with public/private key.
Writing your own backup scripts on your development/hobby servers is simple and will not require a password to be stored or entered.
Consider using a passphrase if you cannot adequately secure your private key. You will gain more security at the expense of convenience.