Passwordless ssh (public key authentication) is one of the easiest ways to secure an ssh server, and it does far more for you than moving the daemon to a non-standard port. This blog post will show you how to set it up and how to access the server from anywhere.
Why you should use passwordless ssh
Security is a huge concern today. For attackers, Internet-facing servers are the easiest and most rewarding targets, and ssh is the preferred way in because a successful login gives a shell and everything that comes with it. The default configuration is password authentication: you set a password and type it on every login. Human-chosen passwords are not random and are often reused, so if you expose a password-based ssh server to the web, expect it to be hit with guessing attempts constantly.
In figure 1 you can see that even on a small honeypot server the total number of login attempts runs into the thousands, when realistically a web server should see fewer than 10.
Having a strong password is good, but what are the chances of remembering a sufficiently complex one?
That is why we use key pairs for ssh instead. The private key stays on your client and is never sent to the server; the server only holds the public key, which is useless to anyone who steals it. Once it is set up you can ssh in from trusted machines without typing a password, and if a private key is lost or a laptop is stolen you simply delete the matching public key from the server's authorized_keys file (and protect the private key with a passphrase in the meantime, as shown in step 3).
The How To:
1. Generate a public/private key pair. The command (1) below is for Linux or Mac machines. Generate the pair on the client you will connect from, so the private key never has to leave that machine; only the public half (the .pub file) is copied anywhere. ssh-keygen defaults to a 3072-bit RSA key; if both ends are reasonably modern, -t ed25519 gives a smaller, faster key.
ssh-keygen -t rsa
2. At the first prompt for a location just press enter to use the default, which is /home/user/.ssh/id_rsa for the private key and /home/user/.ssh/id_rsa.pub for the public key.
3. At the second prompt enter a passphrase. The private key is encrypted with it, so anyone who copies the file still cannot use the key without the passphrase.
4. Then copy the public key to the server you want to connect to: append the contents of id_rsa.pub to the file .ssh/authorized_keys in the home directory of the user you will log in as (ssh-copy-id user@server does this for you). sshd ignores the file unless the permissions are strict, so make sure .ssh is mode 700 and authorized_keys is mode 600 and both are owned by that user.
5. That should be it for passwordless ssh access; test it from a new terminal before going any further. Now, to disable password-based authentication, run the following command on the server (sudo will ask for your user password to run as a privileged user).
sudo vi /etc/ssh/sshd_config
Once in, press i to go into insert mode and find the line (on many distributions it is commented out as #PasswordAuthentication yes; remove the # as well):
PasswordAuthentication yes
change this to:
PasswordAuthentication no
then press the Esc key and type the command below, including the leading colon, to save and exit:
:wq!
Then restart the ssh service. Keep your current session open and confirm from a second terminal that key login still works (and that ssh -o PubkeyAuthentication=no user@server is refused) before closing it, so a mistake cannot lock you out. Once done your server should only accept key-based authentication on ssh.
sudo service sshd restart
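The whole server-side procedure from steps 1 to 5 can be scripted. The following is an added example, not code from the original post; it assumes OpenSSH's ssh-keygen, ssh-copy-id and sshd are installed, and the function names (generate_key, install_key, harden_sshd_config, directive_value) are this example's own. It goes slightly beyond the post by also turning off keyboard-interactive authentication, which on PAM-based systems would otherwise still accept the account password after PasswordAuthentication is set to no, and by validating the config with sshd -t before the restart.

```bash
#!/bin/sh
# Added example (not from the original post): key-only ssh login, end to end.
# Assumes OpenSSH client and server tools are installed.

# Step 1-3: generate an Ed25519 key pair on the CLIENT; ssh-keygen prompts for
# a passphrase that encrypts the private key on disk.
generate_key() {
  ssh-keygen -t ed25519 -f "$HOME/.ssh/id_ed25519" -C "$(whoami)@$(hostname)"
}

# Step 4: append the public key to ~/.ssh/authorized_keys on the server.
# ssh-copy-id also creates ~/.ssh with mode 700 and the file with mode 600.
install_key() {
  ssh-copy-id -i "$HOME/.ssh/id_ed25519.pub" "$1"   # $1 = user@server
}

# Set one sshd_config directive: rewrite every existing line for it, commented
# or not (sshd honours the FIRST match, so a stray "#Foo yes" left above an
# appended "Foo no" would be harmless, but a real "Foo yes" would win).
# Appends the directive if the file does not mention it at all.
set_directive() {
  cfg=$1; key=$2; val=$3
  if grep -Eq "^[# ]*$key[[:space:]]" "$cfg"; then
    sed -i.bak -E "s|^[# ]*$key[[:space:]].*|$key $val|" "$cfg"
  else
    printf '%s %s\n' "$key" "$val" >> "$cfg"
  fi
}

# Step 5: the post's PasswordAuthentication change plus the related switches.
# ChallengeResponseAuthentication is the old name of KbdInteractiveAuthentication;
# set both so the result is the same on old and new OpenSSH releases.
harden_sshd_config() {
  set_directive "$1" PubkeyAuthentication yes
  set_directive "$1" PasswordAuthentication no
  set_directive "$1" ChallengeResponseAuthentication no
  set_directive "$1" KbdInteractiveAuthentication no
  set_directive "$1" PermitRootLogin no
}

# Return the value sshd will actually use: the first uncommented occurrence.
directive_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Validate the file before touching the running daemon; a syntax error would
# otherwise leave sshd down and you locked out.
apply_and_restart() {
  cfg=${1:-/etc/ssh/sshd_config}
  harden_sshd_config "$cfg"
  sshd -t -f "$cfg" || { echo "sshd_config invalid, restoring backup"; cp "$cfg.bak" "$cfg"; return 1; }
  service sshd restart
}

# Dry run on a constructed sample config (not a real server's file) so the
# script can be exercised without root: ./script.sh --demo
demo() {
  sample=$(mktemp)
  printf '#PasswordAuthentication yes\nChallengeResponseAuthentication yes\nPermitRootLogin yes\n' > "$sample"
  harden_sshd_config "$sample"
  cat "$sample"
  rm -f "$sample" "$sample.bak"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On Ubuntu 22.04 and later, /etc/ssh/sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and a drop-in there (cloud images ship one that sets PasswordAuthentication yes) is read first and wins; run harden_sshd_config on that file too, or check the effective value with sudo sshd -T | grep -i passwordauthentication after restarting.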
MobaXterm is not open source like PuTTY, but it is free to use and has a nicer interface. I have been using MobaXterm recently, which is why it is the focus of this post; there are plenty of articles on the web covering the same setup in PuTTY.
6. Setting this up in MobaXterm is easy: right-click on the saved session and choose "Edit session".
7. Click on the "Advanced SSH settings" tab, tick "Use private key", and enter the location of your private key file. You will be asked for the key's passphrase when you first sign in.