Here are a few notes I made when changing SSH access for an Ubuntu server over to using public/private key authentication. These instructions are for commands run on the server to generate keys, which are then used to access that same server from elsewhere.
On the whole the process was exactly as straightforward as you’d think, which was nice. The users followed these steps:
1. Generate keys
The user accesses the server using SSH (still set up with passwords at this point) and runs the following command to generate a key pair:
ssh-keygen
We accepted the defaults for both the filename (id_rsa) and left the passphrase empty. Empty passphrases aren't recommended, but there will be automated processes using these keys.
2. Set up to accept
For an SSH server to authorise a user, it must have the contents of that user's public key in the file ~/.ssh/authorized_keys in that user's home directory (the file should be mode 600 and ~/.ssh mode 700, or sshd will ignore it under the default StrictModes). The user then comes along with their private key and can gain access. We appended the contents of the public key to the authorized_keys file (which doesn't currently exist for these users; appending with >> rather than > keeps any keys that are already there when this is done again later):
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
3. Log in with public key
The users copied their private keys to their local machines and set up their various SSH clients to use them to gain access. Copying the private key off the server over the still-password-protected SSH session is the weak point of generating keys server-side; the safer order is to run ssh-keygen on the client and copy only id_rsa.pub to the server. For SSH-ing in from another server (and when setting up some of the clients), it's the ssh command as usual but with the -i switch to specify an identity file, e.g.:
ssh -i id_rsa user@host
4. Force this to be the only means of access
I had some trouble figuring out which line I needed to change in the OpenSSH config file (at /etc/ssh/sshd_config for me, running Ubuntu Edgy), but in the event, this did the trick:
PasswordAuthentication no
Check that ChallengeResponseAuthentication is also set to no (if it is yes, PAM can still offer a password prompt over keyboard-interactive authentication), then restart the ssh service and confirm that key login works from a second connection before closing the session you edited the file from.
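To tie steps 2 and 4 together, here is an added shell example (not code from the original post) that installs a public key with the permissions sshd requires and checks an sshd_config for the settings that actually disable password logins. The key line and the config contents it uses are constructed for illustration; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the install step (2) and the
# lock-down check (4) as functions. Key strings and config contents used
# below are constructed for illustration.
set -eu

# Append one public-key line to $2/.ssh/authorized_keys. With the default
# StrictModes, sshd ignores the file if ~/.ssh or authorized_keys is
# group/world accessible, so set 700 / 600 explicitly. Appends (>>) rather
# than overwrites (>) and skips a key that is already present, so re-running
# is harmless.
install_authorized_key() {
    key="$1"
    sshdir="$2/.ssh"
    auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"
    if ! grep -qxF "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# Print the value of the first uncommented occurrence of keyword $2 in
# sshd_config $1 (sshd uses the first value it reads; later duplicates and
# commented-out "#PasswordAuthentication yes" lines are ignored).
# Match blocks are not handled here.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Succeed only if password logins are really off: PasswordAuthentication
# disables plain password prompts, but PAM can still ask for one through
# keyboard-interactive unless ChallengeResponseAuthentication is off too.
# PubkeyAuthentication defaults to yes, so only an explicit "no" fails.
check_sshd_config() {
    cfg="$1"
    [ "$(sshd_option "$cfg" PasswordAuthentication)" = "no" ] || return 1
    [ "$(sshd_option "$cfg" ChallengeResponseAuthentication)" = "no" ] || return 1
    [ "$(sshd_option "$cfg" PubkeyAuthentication)" != "no" ] || return 1
}

# Demo against a throwaway home directory and config (constructed inputs).
demo() {
    tmp=$(mktemp -d)
    # Not a real key: a made-up line in authorized_keys format.
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleconstructedkey user@example'
    install_authorized_key "$key" "$tmp"
    install_authorized_key "$key" "$tmp"   # second call must not duplicate
    printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$tmp/sshd_config"
    if check_sshd_config "$tmp/sshd_config"; then
        echo "password logins disabled in $tmp/sshd_config"
    fi
    rm -rf "$tmp"
}
demo
```

Run it as an unprivileged user; to check the real server, call check_sshd_config /etc/ssh/sshd_config after editing and before restarting sshd, and keep your existing session open until a fresh key-based login succeeds.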
That’s it for today, hope this helps someone … including me next time I want to do something similar :)