1. Overview
In my engineering setup I have a lot of various physical machines, virtual machines, and servers. I tend to work mostly on my Mac laptop and access the other machines on my network remotely via SSH. This can lead to having to type passwords in quite often so I finally decided it was time to update my setup so that I can use my SSH keys to authenticate my connections from my laptop to my other machines.
There are a couple of reasons I decided to do this:
- Enhanced security. If I am not having to type passwords regularly there is less chance of the passwords getting compromised.
- Ease of use. It's just quicker if I can connect straight in without having to type a password.
So what do you need to do to be able to work this way? Well it's surprisingly simple to do, so simple I am wondering why I didn't get round to this years ago!
Here is the basic procedure:
- Create a local SSH key pair if you don't have one already.
- Update the remote server with your SSH public key.
Now we'll take a look at each of these steps to show you how to get things up and running. I'm running MacOS and Linux on my machines, both of which have built-in SSH support. I'm not sure how this applies under a Windows environment, as I have never tried to do this, but the basic concepts should be the same.
2. Implementing SSH Authentication
2.1. Creating a local SSH key pair.
- Open a Terminal under MacOS or Linux.
- Use the ssh-keygen command to create your new SSH key pair.
    rachael$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/<username>/.ssh/id_rsa):
You can just press Enter at this point and let it put the keys in the default directory for your user login.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
You'll now be asked to enter a passphrase. This is optional; it secures the SSH key pair and prevents the keys being used without entering the passphrase. This means you are required to type it in, though, negating one of my reasons for using this method in the first place. In my system I chose not to use a passphrase. Somebody would have to gain unauthorised access to my laptop to be able to use the SSH keys to get into other machines on my network in any case, and for me this is secure enough.
    Your identification has been saved in /home/<username>/.ssh/id_rsa.
    Your public key has been saved in /home/<username>/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:<fingerprint> <username>@<server>
    The keys randomart image is:
    +---[RSA 2048]----+
    |                 |
    |   <textimage>   |
    |                 |
    +----[SHA256]-----+
    rachael$
2.2. Adding the SSH public key to the remote server.
- Open a terminal under MacOS or Linux (if not open from previous step).
- Use the ssh-copy-id command to add your SSH public key to the server.
    rachael% ssh-copy-id <username>@<server>
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/<username>/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s),to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    <username>@<server>'s password:
    Number of key(s) added: 1
    Now try logging into the machine, with: "ssh '<username>@<server>'"
    and check to make sure only the key(s) you wanted were added.
    rachael$
2.3. Testing the new SSH Authentication.
- Open a terminal under MacOS or Linux (if not open from previous step).
- Attempt to log into the remote machine using the ssh command.
    rachael$ ssh <username>@<server>
    <username>@<server> ~ $
If all worked you should find yourself logged into your remote machine and at the command prompt without having had to type in a password. If you were asked for your regular password then the above procedures failed to correctly create and install your SSH keys. If you entered a passphrase when generating your SSH keys then you'll be asked to enter the passphrase during login.
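The ssh-copy-id output in 2.2 advises checking that only the key(s) you wanted were added, and the test in 2.3 depends on never being prompted for a password. The shell helpers below are an added example, not part of the original post, that automate both checks. The function names are made up for this example, and the remote file is assumed to be the standard ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Key type names that can start the key part of an authorized_keys line.
# Simplification: certificate key types are not listed.
KEY_TYPES='^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh[.]com|sk-ecdsa-sha2-nistp256@openssh[.]com)$'

# key_blob FILE: print the base64 key blob of the first key found in FILE.
key_blob() {
    awk -v types="$KEY_TYPES" '
        { for (i = 1; i < NF; i++) if ($i ~ types) { print $(i + 1); exit } }
    ' "$1"
}

# audit_authorized_keys AUTH_FILE PUB_FILE
# AUTH_FILE is a copy of the remote ~/.ssh/authorized_keys, PUB_FILE the local
# public key (e.g. ~/.ssh/id_rsa.pub). Returns 0 if every entry is that key,
# 1 if the key is missing, 2 if other entries are present, 3 on bad PUB_FILE.
audit_authorized_keys() {
    want=$(key_blob "$2")
    [ -n "$want" ] || { echo "no public key found in $2" >&2; return 3; }
    awk -v types="$KEY_TYPES" -v want="$want" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            blob = ""                           # options may precede the type
            for (i = 1; i < NF; i++) if ($i ~ types) { blob = $(i + 1); break }
            if (blob == want) found++
            else { extra++; print "unexpected entry on line " NR ": " $NF }
        }
        END {
            if (!found) { print "expected key is not installed"; exit 1 }
            if (extra) exit 2
        }
    ' "$1"
}

# key_login_works USER@HOST: succeeds only if public-key login works with no
# prompt at all. BatchMode=yes disables password and passphrase prompts, so a
# passphrase-protected key must already be loaded in ssh-agent.
key_login_works() {
    ssh -o BatchMode=yes -o PreferredAuthentications=publickey "$1" true
}
```

Copy the remote authorized_keys file to the laptop first (for instance with scp), then run audit_authorized_keys against it and your local id_rsa.pub.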
3. Conclusion
This guide shows how quick and easy it can be to set up shared key authentication to access other computers via SSH. It isn't comprehensive and covers only the basics I used for setting this up on my systems. Hopefully you may find this useful. Please feel free to leave feedback in the comments, and thanks for reading!