The problem is not that it's too easy for you to log in; the problem is that everyone else can try it too. If there are no additional mechanisms in place, such as fail2ban, an attacker has endless time to guess your password, or even worse, the root password.
Step 1: Create an ssh key
First, let's start with the key generation on your client:
ssh-keygen -a 100 -t ed25519 -f ~/.ssh/example.com_id_ed25519
The options used are:
-a: When saving a private key, this option specifies the number of KDF (key derivation function) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen).
-t: Specifies the type of key to create. The possible values are
-f: Specifies the filename of the key file.
I chose a password for all of my keys, and you should also consider doing so.
Step 2: Copy the key to your server
ssh-copy-id -i ~/.ssh/example.com_id_ed25519.pub [AwesomeServer]
Step 3: Configure the ssh key
To configure your ssh keys, you have to edit
I prefer to have a general config section and just specify the host-specific stuff per host:
Host *
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted yes
    Protocol 2
    ServerAliveInterval 60
    ServerAliveCountMax 30
    Port 22
    # this only applies on macOS
    AddKeysToAgent yes
    # this only applies on macOS
    UseKeychain yes

#----------------Servers
# give it a name
Host [AwesomeServer]
    # ip of your server
    HostName [184.108.40.206]
    User [INSERT_YOUR_USER]
    IdentityFile ~/.ssh/example.com_id_ed25519

#----------------Services
# Has to be the domain name you want to use the key for
Host github.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/github_id_ed25519
Step 4: Add the key to your ssh-agent
The last, optional, step on the client is to add your ssh key to your ssh agent:
ssh-add -K ~/.ssh/example.com_id_ed25519
Step 5: Configure the ssh daemon on the server
Open the sshd config /etc/ssh/sshd_config and set the following values:
# Disables password authentication according to RFC 4256 ('keyboard-interactive' authentication scheme)
ChallengeResponseAuthentication no
# Disables password authentication according to RFC 4252 ('password' authentication scheme)
PasswordAuthentication no
# PAM (Pluggable Authentication Modules): we don't want anything other than the ssh key to work, so we disable this setting
UsePAM no
# Deny root logon via ssh
PermitRootLogin no
And reload the SSH daemon so the new settings take effect:
sudo systemctl reload sshd
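sshd takes the first value it finds for each keyword, so a duplicate line earlier in the file, or in a file pulled in by an Include directive above your edit, silently overrides the values above. The following script is an added example (not from the original post) that reads a constructed sshd_config containing the four hardening keywords from this step and reports their effective first-occurrence values; on a real server, `sshd -T` prints the authoritative effective configuration.

```shell
#!/bin/sh
# Added example (not from the original post): sshd_config uses the FIRST value
# it finds for a keyword, so a stray "PasswordAuthentication yes" earlier in the
# file (or in a file Included above your edit) silently wins over your "no".

# Print the effective (first, non-Match) value of keyword $2 in config file $1.
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
    { line = $0; sub(/^[[:space:]]+/, "", line)
      split(line, f, /[[:space:]=]+/); k = tolower(f[1]) }
    k == "match" { inmatch = 1; next }              # everything after Match is conditional
    inmatch { next }
    k == key { print f[2]; exit }                   # first occurrence wins
  ' "$1"
}

# Check the hardening keywords from the post; prints a verdict per keyword and
# returns 1 if any effective value differs from what was intended.
check_sshd_hardening() {
  rc=0
  for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no UsePAM=no PermitRootLogin=no; do
    k=${pair%%=*}; want=${pair#*=}
    got=$(effective_value "$1" "$k" | tr 'A-Z' 'a-z')
    case "$got" in
      "$want") printf 'OK   %s %s\n' "$k" "$got" ;;
      "")      printf 'FAIL %s not set globally (sshd default applies)\n' "$k"; rc=1 ;;
      *)       printf 'FAIL %s is %s, expected %s\n' "$k" "$got" "$want"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample config: the first PasswordAuthentication line wins, and
# PermitRootLogin only appears inside a Match block, so it is not set globally.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Match User deploy
    PermitRootLogin no
EOF

check_sshd_hardening "$SAMPLE_CFG" || echo "hardening check failed: fix the first occurrence, then confirm with: sshd -T"
```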
SSH JumpHost configuration
To be able to use one of your servers as a jump host to reach the others, add the following to the client's config:
#----------------Servers
Host [YourJumpHost]
    ...
    ...
Host [AwesomeServer]
    ProxyJump [YourJumpHost]