Create SSH keys for SSHing
SSH keys allow you to SSH into a machine without a password prompt. Before we create our SSH key, make sure that we have a ~/.ssh folder. If not, create the ~/.ssh folder.
mkdir ~/.ssh
Now, we can use the following command to generate an SSH public key and private key:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
-t selects the key type (the algorithm, here RSA). -b sets the key length in bits. -C attaches a comment to the key, conventionally your e-mail address, so you can tell your keys apart. You can press Enter on the next three prompts to leave them at their defaults and blank, since you don't need a passphrase.
Enter file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
Your identification has been saved in /Users/you/.ssh/id_rsa.
Your public key has been saved in /Users/you/.ssh/id_rsa.pub.
The key fingerprint is:
01:0f:f4:3b:ca:85:d6:17:a1:7d:f0:68:9d:f0:a2:db [email protected]
cd ~/.ssh
ls
You’ll find two new files.
id_rsa id_rsa.pub
Using the SSH Keys
Our public key must be authorized on the machine that we're sshing into before it will let us in without the password prompt.
ssh [email protected]_machine_ip
Enter the password. We still have to enter the password until we make this machine acknowledge our SSH key. We first make sure that our target machine has a ~/.ssh folder. touch will create a new ~/.ssh/authorized_keys file if it does not exist.
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
exit
Now, we use SSH to send our id_rsa.pub file to the target machine. We add our id_rsa.pub, which is our public key, to ~/.ssh/authorized_keys.
cd ~/.ssh
ssh [email protected]_machine_ip 'cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub
We essentially appended the contents of ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys. Now, our target machine knows to accept the private key (id_rsa) that matches this id_rsa.pub. Let's see if our SSH key works.
ssh [email protected]_machine_ip
No more password prompt! Success!
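The copy-and-append step above works, but sshd silently ignores authorized_keys when ~/.ssh or the file itself is writable by others, and re-running the step appends the same key again. The following shell function, an added example rather than code from the original post, installs a public key idempotently with the permissions sshd expects; the ssh directory is a parameter so it can be exercised on a scratch directory (the key material in the test is constructed).

```shell
#!/bin/sh
# Added example (not from the original post): append a public key to
# authorized_keys exactly once, with the permissions sshd's StrictModes
# requires. On the real machine run it as the target user with "$HOME/.ssh".

# install_authorized_key <pubkey_file> <ssh_dir>
install_authorized_key() {
    pubkey_file="$1"
    ssh_dir="$2"
    auth_file="$ssh_dir/authorized_keys"

    # A .pub file is one line: key type, base64 blob, optional comment.
    # Only the common key types are accepted here; lines with option
    # prefixes (from="...", command="...") are not handled by this check.
    key_line=$(head -n 1 "$pubkey_file")
    if ! printf '%s\n' "$key_line" |
        grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*'; then
        echo "not an OpenSSH public key: $pubkey_file" >&2
        return 1
    fi

    # sshd refuses keys from a group- or world-writable directory or file.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Append only if this exact line is not already present.
    if grep -qxF "$key_line" "$auth_file"; then
        echo "key already authorized"
    else
        printf '%s\n' "$key_line" >> "$auth_file"
        echo "key added"
    fi
}

# count_authorized_keys <ssh_dir>: number of key lines in authorized_keys
count_authorized_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1/authorized_keys"
}
```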
Delete passwords for user. Rely only on SSH keys.
It's common practice to delete passwords. Most people rely only on SSH keys because only you with the private key can enter machines that have a ~/.ssh/authorized_keys with only your public key. We can delete passwords completely, so that only the private keys (id_rsa) of the public keys (id_rsa.pub) added to ~/.ssh/authorized_keys can access the machine.
To delete the password for a user, root:
passwd -d root
Now that the root password is deleted, using SSH keys is the only way to SSH into the target_machine_ip. You can always check who is logged into the machine to find any suspicious characters.
who
root     tty1         2015-12-02 17:52
root     pts/0        2015-12-16 04:43 (155.41.49.252)
You can tell if the user is you by looking at the time and IP address. If anyone who is not you or the machine itself is suspiciously logged into the machine, you can log out everyone that is logged in as that user.
pkill -KILL -u root