Create SSH keys for SSHing
SSH keys allow you to SSH into a machine without a password prompt. Before we create our SSH key, make sure that we have a ~/.ssh folder. If not, create the ~/.ssh folder.
Now, we can use the following command to generate an SSH public key and private key:
ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
-t selects the key type (the algorithm, here RSA).
-b sets the key length in bits.
-C adds a comment, conventionally your e-mail address, to identify the key. You can press Enter on the next three prompts to leave them as default and blank because you don’t need to have a passphrase.
Enter file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
Your identification has been saved in /Users/you/.ssh/id_rsa.
Your public key has been saved in /Users/you/.ssh/id_rsa.pub.
The key fingerprint is:
01:0f:f4:3b:ca:85:d6:17:a1:7d:f0:68:9d:f0:a2:db email@example.com
cd ~/.ssh
ls
You’ll find two new files: id_rsa, the private key, and id_rsa.pub, the public key.
Using the SSH Keys
The public key must be registered on the machine that we’re sshing into before we can skip the password prompt.
Enter password.
We still have to enter the password until we make this machine acknowledge our SSH key. We first make sure that our target machine has a ~/.ssh folder and a ~/.ssh/authorized_keys file; touch will create a new ~/.ssh/authorized_keys file if it does not exist.
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
exit
Now, we use SSH to send our id_rsa.pub file to the target machine. We add our id_rsa.pub, which is our public key, to ~/.ssh/authorized_keys.
cd ~/.ssh
ssh root@target_machine_ip 'cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub
We essentially appended ~/.ssh/id_rsa.pub's contents into ~/.ssh/authorized_keys. Now, our target machine knows to accept the private key, id_rsa, that matches this id_rsa.pub. Let's see if our SSH key works.
No more password prompt! Success!
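The append above is the whole mechanism, but a plain cat >> will happily add the same key twice, add a file that is not a key at all, and leave a directory or file mode that sshd silently rejects (with StrictModes, its default, sshd ignores authorized_keys when the directory or file is group/world writable). The script below is an added example, not code from the original post; it registers a public key the same way but with those checks, using a constructed (not real) key and a throwaway directory instead of the target machine's real home directory.

```shell
#!/bin/sh
# Added example, not code from the original post. It does what the post's
# `cat >> ~/.ssh/authorized_keys` does, but checks the key line, creates the
# directory/file with the permissions sshd expects, and never adds a key twice.
#
# authorize_key HOME_DIR PUBKEY_FILE  -> exit 0 on success, 1 if the key file is malformed

authorize_key() {
    home_dir="$1"
    pubkey_file="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # ssh-keygen writes exactly one line to id_rsa.pub: "<type> <base64 blob> [comment]"
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*" "*) ;;
        *) echo "refusing to add malformed key line" >&2; return 1 ;;
    esac

    # The post's mkdir + touch, plus permissions: with StrictModes (the default)
    # sshd ignores authorized_keys if the directory or file is group/world writable.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Match on "<type> <blob>" only, so the same key with a different comment
    # still counts as already present.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk -v blob="$key_blob" '($1 " " $2) == blob { found = 1 } END { exit !found }' "$auth_file"; then
        echo "key already present in $auth_file" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "added key to $auth_file" >&2
}

# Number of key lines in HOME_DIR/.ssh/authorized_keys (blank and comment lines ignored).
count_authorized() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$f" || true
}

# Demo on a throwaway directory with a constructed (not real) public key.
demo_dir=$(mktemp -d)
printf '%s\n' "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYNOTREAL firstname.lastname@example.org" > "$demo_dir/id_rsa.pub"
authorize_key "$demo_dir" "$demo_dir/id_rsa.pub"
authorize_key "$demo_dir" "$demo_dir/id_rsa.pub"   # second call is a no-op
echo "authorized keys: $(count_authorized "$demo_dir")"   # 1
rm -rf "$demo_dir"
```

On the target machine you would call it as authorize_key "$HOME" /path/to/id_rsa.pub after copying the public key over; the comparison on type and blob (rather than the whole line) is what keeps the file from filling up with duplicates when the same key is added from differently labelled copies.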
Delete passwords for user. Rely only on SSH keys.
It's common practice to delete passwords. Most people rely only on SSH keys because only you, holding the private key, can enter machines whose ~/.ssh/authorized_keys contains only your public key. We can delete passwords completely, so that only the private keys, id_rsa, matching the public keys, id_rsa.pub, added to ~/.ssh/authorized_keys can access the machine.
To delete the password for a user, root:
passwd -d root
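Removing the account password is one half of "keys only"; the other half is the SSH daemon's own configuration, which decides whether a password (or an empty one) is ever accepted over the network. The script below is an added example, not code from the original post: it audits an sshd_config for the handful of keywords that matter here, falling back to OpenSSH's documented defaults for anything unset, and runs against two constructed configs rather than a real host's file. Match blocks and Include directives are assumed absent.

```shell
#!/bin/sh
# Added example, not code from the original post. Deleting the account password
# (passwd -d) is one half of "keys only"; the other half is the daemon's own
# configuration. This audits an sshd_config for the settings that decide whether
# a password can still get in, using OpenSSH's defaults for anything unset.
#
# audit_sshd_config FILE  -> prints one line per weak setting, exit status = number of weak settings

# First uncommented occurrence of a keyword wins in sshd_config (keywords are
# case-insensitive); Match blocks and Include are not handled here.
sshd_value() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

audit_sshd_config() {
    f="$1"
    weak=0

    v=$(sshd_value "$f" PasswordAuthentication yes)
    [ "$v" = no ] || { echo "PasswordAuthentication is '$v' (want no)"; weak=$((weak + 1)); }

    v=$(sshd_value "$f" PubkeyAuthentication yes)
    [ "$v" = yes ] || { echo "PubkeyAuthentication is '$v' (want yes)"; weak=$((weak + 1)); }

    # An empty password (what passwd -d leaves behind) is refused by sshd unless this is yes.
    v=$(sshd_value "$f" PermitEmptyPasswords no)
    [ "$v" = no ] || { echo "PermitEmptyPasswords is '$v' (want no)"; weak=$((weak + 1)); }

    v=$(sshd_value "$f" PermitRootLogin prohibit-password)
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '$v' (want prohibit-password or no)"; weak=$((weak + 1)) ;;
    esac

    # With PAM, keyboard-interactive can still ask for a password even when
    # PasswordAuthentication is no. Newer keyword first, then the old spelling.
    v=$(sshd_value "$f" KbdInteractiveAuthentication "")
    [ -n "$v" ] || v=$(sshd_value "$f" ChallengeResponseAuthentication yes)
    [ "$v" = no ] || { echo "KbdInteractive/ChallengeResponseAuthentication is '$v' (want no)"; weak=$((weak + 1)); }

    return "$weak"
}

# Constructed sample configs (not from any real host).
WEAK_CFG='# constructed: what a permissive default often looks like
PasswordAuthentication yes
PermitRootLogin yes
#PermitEmptyPasswords no
'
HARDENED_CFG='# constructed: key-only login
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
PermitRootLogin prohibit-password
'

demo_dir=$(mktemp -d)
printf '%s' "$WEAK_CFG" > "$demo_dir/weak"
printf '%s' "$HARDENED_CFG" > "$demo_dir/hardened"
echo "== weak =="; audit_sshd_config "$demo_dir/weak"; echo "weak settings: $?"          # 3
echo "== hardened =="; audit_sshd_config "$demo_dir/hardened"; echo "weak settings: $?"  # 0
rm -rf "$demo_dir"
```

Run it as audit_sshd_config /etc/ssh/sshd_config on the target; the hardened block is the shape of config under which "SSH keys are the only way in" holds at the daemon level and not only because the account happens to have no password.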
Now that the root password is deleted, using SSH keys is the only way to SSH into target_machine_ip. You can always check who is logged into the machine to find any suspicious characters.
root     tty1         2015-12-02 17:52
root     pts/0        2015-12-16 04:43 (22.214.171.124)
You can tell if the user is you by looking at the time and IP address. If anyone who is not you or the machine itself is logged in, you can log out everyone that is logged in as that user.
pkill -KILL -u root
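Reading the listing by eye works for two lines; the function below is an added example, not code from the original post, that does the same check over the format who prints: for one user it keeps only sessions with a remote address that is not in your expected list, treating console logins (tty, no address) as the machine itself. The sample lines are constructed in the post's format; the allowed address list and the second remote address (203.0.113.7, a documentation range) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post. The listing above is the
# format printed by `who`; this filters it for sessions of one user that came
# from an address you do not expect. Console logins (tty*, no address) are
# treated as the machine itself, as the post does.
#
# unexpected_sessions USER "IP [IP ...]" < who_output
#   -> prints each offending line, exit status = number of offending lines

unexpected_sessions() {
    awk -v user="$1" -v allowed=" $2 " '
        $1 != user { next }                                  # other accounts: not our concern here
        {
            addr = ""
            if (match($0, /\([^)]*\)$/))                      # trailing "(host-or-ip)"
                addr = substr($0, RSTART + 1, RLENGTH - 2)
            if (addr == "") next                             # tty/console session
            if (index(allowed, " " addr " ") > 0) next       # expected origin
            print
            n++
        }
        END { exit n }'
}

# Constructed sample in the post's format: two of the root sessions are expected
# (console and the post's own address), one is not; the deploy user is ignored.
SAMPLE_WHO='root     tty1         2015-12-02 17:52
root     pts/0        2015-12-16 04:43 (22.214.171.124)
root     pts/1        2015-12-16 05:10 (203.0.113.7)
deploy   pts/2        2015-12-16 05:12 (203.0.113.7)'

printf '%s\n' "$SAMPLE_WHO" | unexpected_sessions root "22.214.171.124"
echo "unexpected sessions: $?"   # 1
```

On a live machine the input comes from who itself (who | unexpected_sessions root "your.ip.here"), and a non-zero exit status is the signal to look closer before reaching for pkill; the space-separated allowed list means a home and an office address can both be whitelisted in one call.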