Create SSH keys for SSHing

SSH keys let you SSH into a machine without a password prompt. Before creating the key, make sure a ~/.ssh folder exists; if not, create it.

mkdir ~/.ssh

Now, we can use the following command to generate an SSH public key and private key:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

-t selects the key type (here RSA), -b the key length in bits, and -C attaches a comment, conventionally your e-mail address, so the key can be identified later. You can press Enter on the next three prompts to leave them at the defaults and blank, since you don't need a passphrase. (A passphrase encrypts the private key on disk, so it is worth setting one if the key file could ever be copied.)

Enter file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
Your identification has been saved in /Users/you/.ssh/id_rsa.
Your public key has been saved in /Users/you/.ssh/id_rsa.pub.
The key fingerprint is:
01:0f:f4:3b:ca:85:d6:17:a1:7d:f0:68:9d:f0:a2:db your_email@example.com

cd ~/.ssh
ls

You’ll find two new files.

id_rsa  id_rsa.pub


Using the SSH Keys

The public key must be registered on the machine we're SSHing into (in that machine's ~/.ssh/authorized_keys) before it will skip the password prompt.

ssh root@target_machine_ip

Enter the password. We still have to enter a password until the target machine acknowledges our SSH key. First make sure the target machine has a ~/.ssh folder; touch creates an empty ~/.ssh/authorized_keys if it does not exist.

mkdir ~/.ssh
touch ~/.ssh/authorized_keys
exit

Now we use SSH to send id_rsa.pub, our public key, to the target machine and append it to ~/.ssh/authorized_keys there.

cd ~/.ssh
ssh root@target_machine_ip 'cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub

We essentially appended the contents of ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the target. The target machine now accepts logins from the private key (id_rsa) that matches this public key. Let's see if our SSH key works.

ssh root@target_machine_ip

No more password prompt! Success!
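The append step above, as an added example that is not part of the original post: a small POSIX sh function to run on the target machine that installs the public key the way sshd expects it, setting the permissions StrictModes requires and refusing to add the same key twice. The function name install_authorized_key and its arguments are assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Installs one OpenSSH public
# key line into a user's authorized_keys. Compared with a bare
# `cat >> ~/.ssh/authorized_keys` it also:
#   - creates ~/.ssh with mode 700 and authorized_keys with mode 600
#     (sshd's default StrictModes ignores keys in files that are
#     group- or world-writable),
#   - appends the key only once, so repeated runs do not duplicate it,
#   - rejects input that is not a single OpenSSH public key line.
# Assumption: POSIX sh, awk, grep and chmod are available.

# install_authorized_key PUBKEY_FILE [SSH_DIR]
# Prints "added" or "already-present"; returns non-zero on bad input.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_keys="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    # Exactly one line (grep -c '' also counts a last line with no newline).
    [ "$(grep -c '' "$pubkey_file")" -eq 1 ] || { echo "expected a single key line" >&2; return 1; }
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    # Identify the key by type and base64 blob only; the trailing comment may differ.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    [ -f "$auth_keys" ] || : > "$auth_keys"
    chmod 600 "$auth_keys"

    # Exit status 0 from awk means the key is already listed.
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_keys"; then
        echo already-present
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo added
}
```

Copy the function to the target machine and call install_authorized_key /path/to/id_rsa.pub; with no second argument it uses $HOME/.ssh of the user you are logged in as.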


Delete passwords for user. Rely only on SSH keys.

It's common practice to delete passwords and rely only on SSH keys: only someone holding the private key can log into a machine whose ~/.ssh/authorized_keys contains just your public key. Deleting the password completely means that only the private keys (id_rsa) matching the public keys (id_rsa.pub) listed in ~/.ssh/authorized_keys can access the machine.

To delete the password for a user, root:

passwd -d root

Now that the root password is deleted, SSH keys are the only way to SSH into target_machine_ip (sshd refuses empty passwords by default, PermitEmptyPasswords no). Note that passwd -d empties the password rather than locking the account, so a local console login may still accept the empty password depending on the PAM configuration; passwd -l locks the account instead. You can always check who is logged into the machine to spot any suspicious sessions.

who
root tty1 2015-12-02 17:52
root pts/0 2015-12-16 04:43 (155.41.49.252)

You can tell whether a session is yours by its time and IP address. If anyone who is not you (or the machine itself) is logged in, you can log out everyone logged in as that user. Note that pkill -u root kills every process owned by root, including your own SSH session and root-owned system services.

pkill -KILL -u root