# SSH Keys

- Private key - super secret
- Public key - public

The public key can be calculated from the private key, but not vice-versa.

1. Client connects to the server over SSH with the private key.
2. Server verifies that the private key can calculate the public key.
3. Server generates a random string.
4. Server encrypts the random string with the public key.
5. Client decrypts the random string, which is only possible with the private key.
6. Client decrypts the string, performs a calculation to prove it decrypted the string, and provides that to the server.

<iframe width="560" height="315" src="https://www.youtube.com/embed/dPAw4opzN9g?si=ocETgf6R6n8DsHnK" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

## Deploy Public Key

Then connect to the server and create the `~/.ssh` directory with the command:

```
mkdir -p ~/.ssh
```

Add the public key:

```
echo public_key_string >> ~/.ssh/authorized_keys
```

Instead of `public_key_string`, specify the content of `id_rsa.pub`, which you just copied. If the `authorized_keys` file doesn't exist, the system will create it automatically. If it does exist, the command appends a new line to it.

Finally, configure permissions for the `~/.ssh` directory and the `authorized_keys` file. Remove all `group` and `other` permissions for the `~/.ssh/` directory:

```
chmod -R go= ~/.ssh
```

Set the directory owner to your user instead of root:

```
chown -R username:username ~/.ssh
```

If you plan to access the server from different clients, you can use `ssh-copy-id` or manually edit `.ssh/authorized_keys` to insert additional keys. Each line should hold exactly one key.

### Disable the password

On Ubuntu, open the SSH server settings stored in `sshd_config`:

```
sudo nano /etc/ssh/sshd_config
```

Find the `PasswordAuthentication` line and change the value from `yes` to `no`.

> [!Note]
> Password authentication is **ENABLED by default** (as of January 2024) by the setting in the file `/etc/ssh/sshd_config.d/50-cloud-init.conf`. You **MUST** change the setting in this file or remove the file (`rm /etc/ssh/sshd_config.d/50-cloud-init.conf`), as suggested in the comments below, in order to disable password authentication.

Restart the service to apply the configuration:

```
sudo service ssh restart
```
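
The note above matters because sshd keeps the first value it reads for each keyword, so a drop-in pulled in by an `Include` line near the top of `sshd_config` overrides a `PasswordAuthentication no` further down. The script below is an added example, not part of the original notes: it resolves which file decides the effective value, run here against a constructed sample tree. The function names are chosen for this example, and it assumes one pattern per `Include` line, paths without whitespace, whitespace-separated `keyword value` syntax, and relative includes resolved against the main config's directory.

```sh
#!/bin/sh
# Added example. sshd keeps the FIRST value it reads for a keyword, so a
# drop-in included near the top of sshd_config beats a later line in it.

# scan_file FILE BASE: print "value<TAB>file" for the first global
# PasswordAuthentication, following Include lines in reading order.
# Runs in a subshell "( )" so recursive calls keep their own variables.
scan_file() (
    file=$1 base=$2
    [ -r "$file" ] || return 1
    while read -r key val rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')  # keywords are case-insensitive
        case $key in
            ''|'#'*) continue ;;
            match) return 1 ;;   # the rest of this file is conditional, not global
            include)
                case $val in /*) pat=$val ;; *) pat=$base/$val ;; esac
                for inc in $pat; do   # unquoted on purpose: the shell expands the glob
                    scan_file "$inc" "$base" && return 0
                done ;;
            passwordauthentication)
                printf '%s\t%s\n' "$val" "$file"
                return 0 ;;
        esac
    done < "$file"
    return 1
)

# Falls back to sshd's built-in default ("yes") when no file sets the keyword.
effective_password_auth() {
    scan_file "$1" "$(dirname "$1")" || printf 'yes\t(sshd built-in default)\n'
}

# Constructed sample tree mirroring the Ubuntu layout in the note (not a real host).
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' "$1" > "$1/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
effective_password_auth "$demo/sshd_config"   # the drop-in decides
rm "$demo/sshd_config.d/50-cloud-init.conf"
effective_password_auth "$demo/sshd_config"   # sshd_config now decides
rm -rf "$demo"
```

On a real server, `sudo sshd -T | grep -i passwordauthentication` prints the value the daemon itself resolves, which is the authoritative check after the restart.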