SSH (Secure SHell) is a form of secure authentication between client and server. SSH uses a public/private key pair. The client will house both public and private keys, and share its public key with the endpoint it's looking to connect to.
By default, an SSH connection will use a username/password authentication mechanism. You can replace this with SSH keys to secure the authentication between client and server. So how does this make the connection more secure? As stated above, using SSH keys requires that the client have the correct key that the server recognizes before it will be allowed to connect.
So, how do you go about setting this up on your own server or VPN? Easy, just make sure both client and server have access to SSH, and the server is running an SSH daemon. Once that's out of the way, you need to create your SSH keys on the client. Call the following command:
$ ssh-keygen -t rsa -C "email@example.com"
You'll be greeted with a few prompts. Just answer them with the defaults, choosing your own key password. The questions look a bit like this:
Generating public/private rsa key pair.
Enter file in which to save the key (/c/Users/kklei/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Once you've completed that, you should get this sort of output showing the fingerprint of the new key:
Your identification has been saved in ~/.ssh/id_rsa.
Your public key has been saved in ~/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Kr9vk7eE6CfyDLEEK+UHRZh5kxRyxC9vGsMksqsqFzs firstname.lastname@example.org
The key's randomart image is:
+---[RSA 2048]----+
| .OBo |
| ++= |
| +. o |
|.o.+o . |
|.oo++o S |
|...o+ooo . |
| . o+=o ... |
|o E o*. =.. |
|*. . o**.o.. |
+----[SHA256]-----+
We're halfway there. Now it's time to upload this to your server, and log in to your server using the new SSH key. If you have access to the server's user home directory from a GUI, you can just copy the contents of id_rsa.pub into the authorized_keys file in ~/.ssh. If not, or if you just want to, run the following command:
$ cat ~/.ssh/id_rsa.pub | ssh user@SERVER_HOSTNAME 'cat >> ~/.ssh/authorized_keys'
This command uses cat, which prints the contents of a file to the terminal. Here, however, we pipe the contents of our local public key into a new SSH connection to our server, which appends them to the authorized_keys file in the server's ~/.ssh directory. If you need to, you may have to change the permissions of the ssh directory and the authorized_keys file. That should be
Now, let's make sure we actually allow key authentication. SSH back into your server, and edit sshd_config:
$ vim /etc/ssh/sshd_config
Uncomment the following lines:
- RSAAuthentication yes
- PubkeyAuthentication yes
- AuthorizedKeysFile .ssh/authorized_keys
Once you save the changes to the ssh config file, all that's left is to restart the ssh daemon:
$ sudo systemctl restart sshd.service
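An added example (not from the original post): a small shell check of which of the settings above are actually in effect in an sshd_config file, since a line that is still commented out, or that is overridden by an earlier line, changes nothing. The function names and the sample config are constructed for illustration; the defaults shown are upstream OpenSSH defaults, and only the whitespace-separated "Keyword value" form is handled.

```shell
#!/bin/sh
# Print the first active (uncommented) value of keyword $2 in file $1.
# sshd uses the first value it reads for each keyword, and lines after a
# Match line are conditional, so this simple check stops there.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }            # commented-out or blank line
        tolower($1) == "match" { exit }    # conditional block starts
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# Print "Keyword value (explicit|default ...)" for keyword $2, default $3.
report() {
    val=$(effective_value "$1" "$2")
    if [ -n "$val" ]; then
        echo "$2 $val (explicit)"
    else
        echo "$2 $3 (default, line absent or commented out)"
    fi
}

# Report the settings that decide whether key logins work and whether
# password logins remain available as a fallback.
audit_pubkey_setup() {
    report "$1" PubkeyAuthentication yes
    report "$1" AuthorizedKeysFile ".ssh/authorized_keys .ssh/authorized_keys2"
    report "$1" PasswordAuthentication yes
}

# Constructed sample config (not taken from a real server).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#RSAAuthentication yes
#PubkeyAuthentication yes
pubkeyauthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
audit_pubkey_setup "$sample"
```

On the server itself, `sudo sshd -T` prints the configuration sshd will actually use, which is the authoritative version of this check.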
Now you should be able to SSH into your server. You'll repeat these steps for each user on your server. To connect, run
$ ssh user@SERVER_HOST
If you're prompted for your SSH key password (the passphrase you chose when generating the key), you've set up the SSH authentication successfully. If not, try again. Practice makes perfect!