|
| 1 | +--- |
| 2 | +title: Making SSH-Keys |
| 3 | +description: here i will be setting up ssh keys for my server bc im tired of entering my password aggain and aggain and aggain and it is more secure. |
| 4 | +date: 2025-08-16 |
| 5 | +draft: false |
| 6 | +toc: true |
| 7 | +ShowLastmod: true |
| 8 | +--- |
| 9 | + |
| 10 | +## What are SSH Keys |
| 11 | +normally if one needs to connect to remote server/machine they would use `secure shell` this is a go to way it is secure as the name implies but this way is not protected against brute force attacks. SSH keys does something different to get you connected, it makes keys one for client (private) and one for server (public). once you share the public one to the server, it sends 'puzzle' based on that public key to you and if your private key can solve that than you are authenticated. so it is basically a if server and client have valid key pair than it lets you in. |
| 12 | +## Plan |
| 13 | +1. we need a key pair (public and private) |
| 14 | +2. share public kay to the server test it out |
| 15 | +3. optionally disable password login |
| 16 | + |
| 17 | +## Making key pair |
| 18 | +> **_NOTE:_** `SSH` is installed on Windows mac OS and most Linux's by default and it will be needed off course. |
| 19 | +
|
| 20 | +key gen is is pretty simple run: |
| 21 | +```bash |
| 22 | +ssh-keygen |
| 23 | +``` |
| 24 | +- it will ask for a file name for keys and these must be inside `.ssh` folder. it makes key with default name if input is empty. could use that but naming it better practice. |
| 25 | +- it also will ask for a `passphrase` witch is an extra layer of protection and is recommended to set but could be done with this empty too. |
| 26 | +- this command than saves one files with he name you entered that's private key and one with `.pub` extension the public key. |
| 27 | +- and output should look like this: |
| 28 | + ```bash |
| 29 | + C:\Users\user>ssh-keygen |
| 30 | + Generating public/private ed25519 key pair. |
| 31 | + Enter file in which to save the key (C:\Users\user/.ssh/id_ed25519): test |
| 32 | + Enter passphrase (empty for no passphrase): |
| 33 | + Enter same passphrase again: |
| 34 | + Your identification has been saved in test |
| 35 | + Your public key has been saved in test.pub |
| 36 | + The key fingerprint is: |
| 37 | + SHA256:********/******+****+****/*/************ user@host |
| 38 | + The keys randomart image is: |
| 39 | + +--[ED25519 256]--+ |
| 40 | + | + | |
| 41 | + | . E | |
| 42 | + | . . | |
| 43 | + | . . o .| |
| 44 | + | = S + ..| |
| 45 | + | = + o o +.| |
| 46 | + | . o = BoTm | |
| 47 | + | . + X +BX+| |
| 48 | + | . o *e$@+| |
| 49 | + +----[SHA256]-----+ |
| 50 | + ``` |
| 51 | + |
| 52 | +## Share public key to server |
| 53 | +The server should have a `~/.ssh/authorized_keys` file (if not make it) and your public key (the contents of the generated file that has .pub extension) should be copied there as new line. |
| 54 | + |
| 55 | +All of this is is easily done with this command: |
| 56 | +```bash |
| 57 | +ssh-copy-id -i <path to your public key file> <username for server>@<server ip or domain name> |
| 58 | +``` |
| 59 | + |
| 60 | +But sometimes `ssh-copy-id` command is not available by default especially on Windows so you need do all of what that command does manually like this: |
| 61 | +```bash |
| 62 | +cat <path to public key file> | ssh <server username>@<server ip or domain> "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" |
| 63 | +``` |
| 64 | +or from Windows replace first host `cat` command to `type` like this: |
| 65 | +```bash |
| 66 | +type <path to public key file> | ssh user@your-server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" |
| 67 | +``` |
| 68 | + |
| 69 | +Or just do it manually. (what i did) |
| 70 | + |
| 71 | +### Testing |
| 72 | +to test if this works you just try to connect to server: |
| 73 | +```bash |
| 74 | +ssh <username>@<server ip or domain> |
| 75 | +``` |
| 76 | +and it should not ask for password. |
| 77 | + |
| 78 | +## Disable password login |
| 79 | +at this point if you just want to do an auto login this is not required, as you see in testing, but if you want users to only connect with keys you add as an administrator and make server more secure disabling password based login. |
| 80 | + |
| 81 | +the configuration for `SSH` as server is at `/etc/ssh/sshd_config` so you would just edit that like this: |
| 82 | +```bash |
| 83 | +sudo nano /etc/ssh/sshd_config |
| 84 | +``` |
| 85 | + |
| 86 | +and disable some stuff like: |
| 87 | +- `PermitRootLogin` to `no` - this allows users to login as `root` as username. and we are disabling that with `no`. |
| 88 | +- `PasswordAuthentication` to `no` - this will disable password authentication. |
| 89 | +- `PermitEmptyPasswords` to `no` - so empty passwords cant come in. |
| 90 | +- `Use PAM` to `no` |
| 91 | +also could use |
| 92 | +- `AuthenticationMethod` to `publickey` - this sets public key as only Authentication method. |
| 93 | +- `AllowUsers` to users you want to to be able to connect with `SSH` |
| 94 | +so appley ones that you want. |
| 95 | + |
| 96 | +and restart `ssh` services with: |
| 97 | +```bash |
| 98 | +sudo systemctl restart ssh |
| 99 | +``` |
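Review bot: In the "Disable password login" list, two option names at new lines 90 and 92 are not valid `sshd_config` keywords as written: `Use PAM` should be `UsePAM` (no space) and `AuthenticationMethod` should be `AuthenticationMethods`. sshd refuses to start on an unknown keyword, and the post goes straight from editing to `sudo systemctl restart ssh` at line 98, so a reader who copies the list can lose SSH access to a server on which they have just turned off passwords. Please fix the two names and add a step before the restart that validates the file with `sudo sshd -t`, plus a sentence telling the reader to keep the current session open and confirm key login from a second terminal first. Three smaller points: line 87 reads as if `PermitRootLogin` set to `no` allows root login, so reword it to say that the option controls root login and `no` blocks it. The sample output at lines 31 to 35 saves the key as `test` in the current directory, which conflicts with line 24 saying the keys must be inside `.ssh`, and the Testing command at line 74 would then need `-i <path to private key>` to pick that key up. Line 11 contrasts "secure shell" with SSH keys, but key login is still SSH; the brute-force exposure it describes belongs to password authentication.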