
Setup SSH

Introduction

SSH, or Secure Shell, is an encrypted protocol used to administer and communicate with servers. When working with an Ubuntu server, you'll likely spend most of your time in a terminal session connected to your server via SSH.

This guide focuses on setting up SSH keys for an Ubuntu 20.04 installation. SSH keys provide a secure way of logging into your server and are recommended for all users.


Step 1 — Creating the Key Pair

The first step is to create a key pair on the client machine (usually your computer) using the following command:

ssh-keygen

By default, recent versions of ssh-keygen will create a 3072-bit RSA key pair, which is secure enough for most use cases (you can optionally use the -b 4096 flag for a larger key).

Output Example:

Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):

Press ENTER to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path.

Passphrase Prompt:

Enter passphrase (empty for no passphrase): 

Here you may optionally enter a secure passphrase, which is highly recommended. A passphrase adds an additional layer of security to prevent unauthorized users from logging in.

Confirmation Output:

Your identification has been saved in /your_home/.ssh/id_rsa
Your public key has been saved in /your_home/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/hk7MJ5n5aiqdfTVUZr+2Qt+qCiS7BIm5Iv0dxrc3ks user@host
The key's randomart image is:
+---[RSA 3072]----+
| .|
| + |
| + |
| . o . |
|o S . o |
| + o. .oo. .. .o|
|o = oooooEo+ ...o|
|.. o *o+=.*+o....|
| =+=ooB=o.... |
+----[SHA256]-----+

You now have a public key (id_rsa.pub) and a private key (id_rsa).


Step 2 — Copying the Public Key to Your Ubuntu Server

The goal is to place your public key (id_rsa.pub) onto the server into the remote user's ~/.ssh/authorized_keys file.

Method 1: Copying the Public Key Using ssh-copy-id

The ssh-copy-id tool is the quickest way to copy your public key, provided you have password-based SSH access to your server.

ssh-copy-id username@remote_host
  • You may be prompted to confirm the host's authenticity; type yes and press ENTER.
  • The utility will then prompt you for the password of the remote user's account.
  • Upon successful completion, you will see a message confirming the key was added.

Method 2: Copying the Public Key Using Conventional SSH

If ssh-copy-id is unavailable, you can use the cat command to read the public key's content on your local machine and pipe it over an SSH connection to the server.

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
  • This command:
    1. Reads the content of ~/.ssh/id_rsa.pub.
    2. Connects to the remote_host.
    3. Creates the ~/.ssh directory (if it doesn't exist).
    4. Ensures correct permissions (chmod -R go= ~/.ssh).
    5. Appends the public key content (cat >>) to the ~/.ssh/authorized_keys file.
  • You will be prompted for the remote user's password.

Method 3: Copying the Public Key Manually

If you cannot use password-based SSH access, you must manually perform the steps above (e.g., using a console connection).

  1. Display the public key on your local machine:

    cat ~/.ssh/id_rsa.pub

    Copy the entire output string (ssh-rsa AAAA....).

  2. Access your remote server (via console or alternate means).

  3. Create the .ssh directory and set permissions:

    mkdir -p ~/.ssh
  4. Append the key to the authorized_keys file:

    echo public_key_string >> ~/.ssh/authorized_keys

    (Substitute public_key_string with the key you copied in step 1).

  5. Set final permissions on the server:

    chmod -R go= ~/.ssh
  6. Ensure correct ownership (if set up by the root account, substitute sammy with the correct username):

    chown -R sammy:sammy ~/.ssh
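
The manual steps of Methods 2 and 3, combined into one function that can be re-run safely: it rejects input that is not a single public key line, skips a key that is already installed, and creates the files without group or world access. This is an added example, not part of the original guide; `install_pubkey` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original guide. install_pubkey is a
# hypothetical helper name.
# usage: install_pubkey "<one public key line>" [home_dir]
install_pubkey() {
    key=$1
    home=${2:-$HOME}
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys

    # Exactly one line: an embedded newline would add a second, unreviewed entry.
    case $key in
        *'
'*) echo "refusing multi-line input" >&2; return 1 ;;
    esac

    # Must look like "type base64 [comment]"; this also rejects a private key
    # pasted by mistake.
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac

    (
        # New files are created without group/world access from the start.
        umask 077
        mkdir -p "$ssh_dir" && touch "$auth" || exit 1
        # If the last entry lacks a trailing newline, add one so the new key
        # is not glued onto it.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth"
        fi
        # Append only if this exact line is not already present.
        grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    ) || return 1

    # Same as the guide's `chmod -R go= ~/.ssh`; fixes pre-existing files too.
    chmod -R go= "$ssh_dir"
}
```

On the server, call it with the string copied in step 1, quoted as a single argument; if you ran it as root for another account, the chown step above still applies.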

Step 3 — Authenticating to Your Ubuntu Server Using SSH Keys

Once the public key is on the server, you should be able to log in without providing the remote account's password (unless you set a passphrase).

ssh username@remote_host
  • If this is your first time connecting, type yes when prompted about the host's authenticity.
  • If you set a passphrase in Step 1, you will be prompted to enter it now.
  • Upon successful authentication, a new shell session will open.

Step 4 — Disabling Password Authentication on Your Server

If key-based login is successful, you should disable password authentication to increase security against brute-force attacks.

CRITICAL: Before proceeding, ensure your key-based authentication works and that the remote account has sudo privileges.

  1. Log into your remote server via SSH keys and open the SSH daemon configuration file:

    sudo nano /etc/ssh/sshd_config
  2. Find the PasswordAuthentication directive, uncomment it (remove the #), and set its value to no:

    # /etc/ssh/sshd_config
    . . .
    PasswordAuthentication no
    . . .
  3. Save and close the file (press CTRL+X, then Y, then ENTER).

  4. Restart the SSH service to activate the changes:

    sudo systemctl restart ssh
  5. Test the new configuration in a new terminal window before closing your current session:

    ssh username@remote_host

The SSH daemon on your Ubuntu server now only accepts SSH-key-based authentication, ensuring a much higher level of security.
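
Editing one line does not guarantee the result: sshd uses the first value it obtains for each keyword, so an earlier line or a file pulled in by an Include directive can override the edit, and keyboard-interactive authentication through PAM can still prompt for a password. The check below is an added example, not part of the original guide; `audit_sshd_auth` is a hypothetical helper that reads the effective settings printed by `sshd -T`, and the two sample functions are constructed excerpts of that output.

```shell
#!/bin/sh
# Added example, not from the original guide.
# On the server: sudo sshd -t && sudo sshd -T | audit_sshd_auth
# (sshd -t validates the file; sshd -T prints the effective settings.)

# Reads `sshd -T` output on stdin; exit status is the number of findings.
audit_sshd_auth() {
    awk '
        BEGIN { pw = pk = kbd = "unset" }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" { pw = val }
        key == "pubkeyauthentication"   { pk = val }
        # Older OpenSSH releases print challengeresponseauthentication.
        key == "kbdinteractiveauthentication" ||
        key == "challengeresponseauthentication" { kbd = val }
        END {
            bad = 0
            if (pw != "no")  { print "FAIL: passwordauthentication is " pw; bad++ }
            if (kbd != "no") { print "FAIL: keyboard-interactive is " kbd " (PAM can still ask for a password)"; bad++ }
            if (pk != "yes") { print "FAIL: pubkeyauthentication is " pk " (key login would stop working)"; bad++ }
            if (!bad) print "OK: key-only authentication is in effect"
            exit bad
        }'
}

# Constructed sample: the edit was made, but an earlier setting won.
sample_overridden() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'challengeresponseauthentication no'
}

# Constructed sample: the state this step is meant to reach.
sample_hardened() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'challengeresponseauthentication no'
}
```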