SSH Key-Based Secure Login Setup Guide
Step 1: Generate an SSH Key Pair on Your Local Computer
This step is performed on your personal computer (client machine) to create a pair of credentials: a private key and a public key.
- Open a terminal on your local computer.
- Run the following command to generate a key pair. The recommended algorithm is ed25519: keys are short, signing is fast, there is no key size or parameter choice to get wrong, and every OpenSSH release since 6.5 (2014) supports it. Fall back to -t rsa -b 4096 only for a legacy server that rejects ed25519.
# Replace your_email@example.com with your email address or any identifier
ssh-keygen -t ed25519 -C "your_email@example.com"
- Follow the prompts:
- Save Location: Press Enter to accept the default path (~/.ssh/id_ed25519).
- Passphrase: Strongly recommended. The passphrase encrypts the private key on disk, so a copied key file cannot be used without also recovering the passphrase; choose a long one. It does not protect a key that is already loaded into a running ssh-agent, so remove keys from the agent (ssh-add -D) when you step away from the machine.
After the process completes, two files will be created in your ~/.ssh/ directory:
- id_ed25519: Private Key. Keep this file secure and never share it.
- id_ed25519.pub: Public Key. Safe to distribute and install on servers.
Step 2: Deploy the Public Key to the Server
This step installs your "lock" (public key) on the target server.
Recommended Method: Using ssh-copy-id
This is the simplest and least error-prone approach. If the target account does not exist yet, create it first on the server, as root or via sudo. On Debian/Ubuntu, adduser prompts for a password itself; on distributions where adduser is only a wrapper for useradd (the RHEL family), set one with passwd:
# On the server: create the login account that will hold the key
adduser user
passwd user
Then, from your local computer, copy the public key. Pass -i explicitly: without it, ssh-copy-id installs every key listed by ssh-add -L (or, with no agent running, every ~/.ssh/id_*.pub it finds), not just the key you generated.
# Replace user with the server username
# Replace your_server_ip with the server IP address
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your_server_ip
You will be prompted to enter the server password once. The command will automatically:
- Create the ~/.ssh directory and authorized_keys file on the server.
- Append your public key to the authorized_keys file (a key that is already present is not added twice).
- Configure the correct file and directory permissions.
Alternative Method: Manual Installation
If ssh-copy-id is unavailable, you can install the public key manually.
1. Copy the Public Key from Your Local Computer
# macOS
pbcopy < ~/.ssh/id_ed25519.pub
# Linux (requires xclip)
# xclip -selection clipboard < ~/.ssh/id_ed25519.pub
2. Log in to the Server Using Your Password
3. Install the Public Key on the Server
# Create the SSH directory and set proper permissions
mkdir -p ~/.ssh && chmod 700 ~/.ssh
# Paste your public key into authorized_keys
echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
# Set proper permissions
chmod 600 ~/.ssh/authorized_keys
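The manual steps above install the key but, unlike ssh-copy-id, do nothing to stop the same key being appended twice or a malformed line being written. The following shell function is an added example, not part of the original guide: it checks that the line has the shape sshd expects, fixes directory and file permissions before writing, and compares key type and key material (ignoring the free-text comment) before appending. The target directory argument and the sample key line are this example's constructed inputs; the base64 shown is placeholder text, not a real key, and lines carrying a leading options field (from=, command=) are out of scope here.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent authorized_keys install.

# install_pubkey <ssh_dir> "<type> <base64> [comment]"
# Returns 0 when the key is present afterwards, 1 when the line is rejected.
install_pubkey() {
    ssh_dir=$1
    key_line=$2
    auth_file="$ssh_dir/authorized_keys"

    # Structural check only: a key type sshd accepts, then a base64 blob.
    # A real key should additionally be verified with: ssh-keygen -l -f <file>
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case "$key_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com) ;;
        *) echo "rejected: unknown key type '$key_type'" >&2; return 1 ;;
    esac
    if [ -z "$key_blob" ] || printf '%s' "$key_blob" | grep -Eqv '^[A-Za-z0-9+/]+=*$'; then
        echo "rejected: key material is not base64" >&2
        return 1
    fi

    # sshd (StrictModes yes, the default) ignores a group- or world-writable
    # ~/.ssh or authorized_keys, so fix permissions before writing anything.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    # Duplicate check on type + blob; the comment field may legitimately differ.
    if awk -v t="$key_type" -v b="$key_blob" '$1==t && $2==b {found=1} END {exit !found}' "$auth_file"; then
        echo "already present: $key_type key (comment ignored)" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Number of key lines in an authorized_keys file (blank lines and comments ignored).
count_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true
}

# Stand-alone demo on a scratch directory. The key line is constructed:
# the base64 is placeholder text, not real key material.
demo() {
    tmp=$(mktemp -d)
    key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000000 you@laptop"
    install_pubkey "$tmp/.ssh" "$key"
    install_pubkey "$tmp/.ssh" "$key"                          # must not duplicate
    install_pubkey "$tmp/.ssh" "rsa-garbage not-base64!!" && echo "BUG: bad key accepted"
    printf 'keys installed: %s\n' "$(count_keys "$tmp/.ssh/authorized_keys")"
    ls -ld "$tmp/.ssh" "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run sh install_key.sh demo to see the duplicate and the malformed line rejected; on a server, call install_pubkey "$HOME/.ssh" "$(cat id_ed25519.pub)" with the file you copied over. The structural check is a guard against paste errors, not a cryptographic validation; ssh-keygen -l -f on the public key file remains the authoritative check.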
Step 3: Test SSH Key Authentication
From your local computer, open a new session (keep any existing session open as a fallback):
ssh user@your_server_ip
If everything is configured correctly:
- You will be prompted for your SSH key passphrase (if one was configured), or
- You will be logged in directly without entering the server account password.
If you are instead asked for the account password, the key was not accepted and the password fallback is hiding the failure; do not continue to Step 4. Run the same command with -v and look for "Offering public key" followed by "Server accepts key" in the output, or add -o PasswordAuthentication=no so the attempt fails outright instead of falling back. On the server, check that ~/.ssh and authorized_keys are owned by the user and not group- or world-writable, since sshd silently ignores them otherwise.
Step 4: Security Hardening (Disable Password Authentication)
Only perform this step after confirming that SSH key authentication works correctly.
- Log in to your server.
- Open the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
# Or use vim
sudo vim /etc/ssh/sshd_config
- Locate and modify the following settings (remove the leading # if present):
# Disable password authentication
PasswordAuthentication no
# Recommended: Prevent direct root login
PermitRootLogin no
# Ensure public key authentication is enabled
PubkeyAuthentication yes
- Save the file and restart the SSH service. Validate the file with sudo sshd -t first, since sshd will not start on a syntax error; on Debian/Ubuntu, sshd.service is an alias of ssh.service, so the unit name below works there too:
sudo systemctl restart sshd
- Confirm what sshd actually applied with sudo sshd -T, which prints the effective value of every keyword. Recent distributions begin sshd_config with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in in that directory (Ubuntu cloud images ship one that sets PasswordAuthentication yes) silently overrides an edit to the main file. If that is the case, put the settings above in a drop-in that sorts first, such as /etc/ssh/sshd_config.d/00-hardening.conf.
At this point the server accepts only key-based logins, so password guessing against sshd no longer works. Keep your current session open until a fresh key-based login succeeds; if it fails, you still have a shell from which to repair the configuration.
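A practitioner's check for Step 4, added here as an example and not part of the original guide: rather than grepping the file you edited, audit the output of sudo sshd -T, which prints the value sshd actually resolved for every keyword after Include files and compiled-in defaults. The required-value table is this example's choice; it adds two checks the guide does not list, kbdinteractiveauthentication (with UsePAM yes, PAM can still ask for a password over the keyboard-interactive method unless this is no) and permitemptypasswords. The two sample outputs are constructed, abbreviated sshd -T output, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the effective sshd settings.

# audit_sshd_effective reads `sshd -T` output on stdin and prints one line per
# keyword checked. Returns 0 when every required setting holds, 1 otherwise.
audit_sshd_effective() {
    awk '
        BEGIN {
            # keyword -> required value; sshd -T prints keywords in lower case.
            # On OpenSSH older than 8.7 the last keyword is printed as
            # challengeresponseauthentication instead.
            want["passwordauthentication"]       = "no"
            want["permitrootlogin"]              = "no"
            want["pubkeyauthentication"]         = "yes"
            want["kbdinteractiveauthentication"] = "no"
            want["permitemptypasswords"]         = "no"
        }
        ($1 in want) { seen[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING  %s (expected %s)\n", k, want[k]; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL     %s = %s (expected %s)\n", k, seen[k], want[k]; bad = 1
                } else {
                    printf "OK       %s = %s\n", k, seen[k]
                }
            }
            exit bad
        }'
}

# Constructed sample: a host where the main file says "PasswordAuthentication no"
# but a drop-in in sshd_config.d still allows passwords (only relevant keywords shown).
SAMPLE_WEAK='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords no'

# Constructed sample: the same host after hardening.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no'

# On a real server (root is needed to read the host keys):
#   sshd -T | audit_sshd_effective
if [ "${1:-}" = "demo" ]; then
    echo "--- weak host ---"
    printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_effective || echo "=> NOT hardened"
    echo "--- hardened host ---"
    printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd_effective && echo "=> hardened"
fi
```

Run sh audit_sshd.sh demo to see both samples evaluated; the weak sample fails on passwordauthentication, kbdinteractiveauthentication and permitrootlogin even though a grep of sshd_config alone would have looked clean. Because the function consumes sshd -T output, it reflects the value sshd will use regardless of which file or drop-in supplied it.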
Appendix: Automated SSH Security Hardening Script
The following script automates all tasks described in Step 4: Security Hardening.
WARNING
Before running this script, make absolutely sure that SSH key authentication is working correctly. Otherwise, you may lock yourself out of the server.
Save the following content as a shell script (for example, secure_ssh.sh), grant execute permission (chmod +x secure_ssh.sh), and run it as root (sudo ./secure_ssh.sh).
#!/bin/bash
#
# SSH Security Hardening Script
#
# Features:
# 1. Disable password authentication
# 2. Disable direct root login
# 3. Ensure public key authentication is enabled
# 4. Validate the configuration, restart the SSH service, and show the
#    settings sshd actually applied
#
set -euo pipefail

# Verify root privileges
if [ "$EUID" -ne 0 ]; then
    echo "❌ Error: Please run this script as root."
    exit 1
fi

# Final warning
echo "================================================================="
echo "⚠️ WARNING: This script will disable SSH password login and"
echo "disable direct root SSH access."
echo "Please ensure SSH key authentication has been configured and tested."
echo "================================================================="
echo "Execution will begin in 5 seconds. Press Ctrl+C to cancel..."
sleep 5
echo "Applying security hardening..."

SSHD_CONFIG="/etc/ssh/sshd_config"
DROPIN_DIR="/etc/ssh/sshd_config.d"
DROPIN="$DROPIN_DIR/00-hardening.conf"
BACKUP="${SSHD_CONFIG}.bak_$(date +%F_%H%M%S)"
SETTINGS=(
    "PasswordAuthentication no"
    "PermitRootLogin no"
    "PubkeyAuthentication yes"
)

# Create a backup (computed once, so the restore hint below always matches)
cp -p "$SSHD_CONFIG" "$BACKUP"
echo "✅ Backup created: $BACKUP"

# Update SSH configuration. sshd keeps the FIRST value it reads for each
# keyword. Recent distributions start sshd_config with
# "Include /etc/ssh/sshd_config.d/*.conf", and a file there (Ubuntu cloud
# images ship one with "PasswordAuthentication yes") would silently beat an
# edit to the main file. A drop-in named 00-* sorts before them and wins.
if grep -Eq '^\s*Include\s+/etc/ssh/sshd_config.d/\*\.conf' "$SSHD_CONFIG"; then
    mkdir -p "$DROPIN_DIR"
    printf '%s\n' "# Added by secure_ssh.sh" "${SETTINGS[@]}" > "$DROPIN"
    chmod 644 "$DROPIN"
    echo "✅ Wrote $DROPIN"
else
    # No Include directive: prepend the settings so they precede any existing
    # value and any Match block (appending at the end could land inside one).
    { printf '%s\n' "# Added by secure_ssh.sh" "${SETTINGS[@]}"; cat "$BACKUP"; } > "$SSHD_CONFIG"
    echo "✅ sshd_config updated."
fi
for setting in "${SETTINGS[@]}"; do echo " - $setting"; done

# Validate before restarting: on a syntax error sshd would fail to start
if ! sshd -t; then
    echo "❌ Error: sshd -t rejected the new configuration. Restoring backup."
    cp -p "$BACKUP" "$SSHD_CONFIG"
    rm -f "$DROPIN"
    exit 1
fi

# Restart SSH service (on Debian/Ubuntu sshd.service is an alias of ssh.service)
echo "Restarting SSH service..."
systemctl restart sshd

# Verify service status and the effective configuration as sshd parsed it
if systemctl is-active --quiet sshd; then
    echo "✅ SSH service restarted successfully. Effective settings:"
    sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin|pubkeyauthentication) ' \
        || echo "   (could not read effective settings; run: sshd -T)"
    echo "Keep this session open until a new key-based login succeeds."
else
    echo "❌ Error: Failed to restart SSH service."
    echo "Check details with: systemctl status sshd"
    echo "Restore from backup if necessary: cp $BACKUP $SSHD_CONFIG"
fi