I'd like to make it necessary to have a public key in order to SSH into a machine. Meaning that if you try to brute-force the password, even if you guess the password correctly you won't be able to use it because you don't have the public key of the SSH server. My first question is whether this is the recommended best practice, or whether I should continue to allow the choice of a public key or the password? (The only problem I see with key-only authentication is that if I somehow lose my client's private key I can no longer log into my server...)
Currently my setup allows for passwordless SSH authentication if you have a public key, but it also allows for a username and password without the public key and that works too (which isn't what I want). Which of the following do I need to set in order to enable the public key-only functionality? Different tutorials list different combinations of the settings below - if someone could tell me the bare minimum I need to change in order for it to work, that would be great.
Quote:
RSAAuthentication
PubkeyAuthentication
ChallengeResponseAuthentication
PasswordAuthentication
UsePAM
Now let's say I've set up a public key-only login. If I want to create a new set of keys on my SSH server (let's say after reformatting my client - a laptop), I'm guessing I can't use ssh-copy-id to copy the newly created public key to the server? I'd be locked out of my server, so what would be the best way to set things up again and allow my laptop to SSH into my server again?
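The following is an added example, not code from the original post, showing the minimum sshd_config change the question asks about and a small audit that tells the two configurations apart. One correction of terms first: the server keeps your *public* key in ~/.ssh/authorized_keys; the client holds the *private* key. The three keywords that matter are PasswordAuthentication, the keyboard-interactive setting (ChallengeResponseAuthentication, renamed KbdInteractiveAuthentication in OpenSSH 8.7, the two being aliases) and PubkeyAuthentication. RSAAuthentication was an SSH protocol 1 option and no longer exists in current OpenSSH. UsePAM can stay yes for account and session handling as long as both password and keyboard-interactive logins are off; leaving keyboard-interactive on with PAM is the usual reason a "key-only" server still accepts a password. The script applies sshd's own rule that the first value of a keyword wins and ignores anything after the first Match line, which is conditional. The file names and the two sample configurations are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for
# key-only logins. Real check on the host: sshd -T | grep -iE 'auth|usepam'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_value FILE REGEX: first uncommented global value of any keyword
# matching REGEX (lowercase, anchored), or nothing when the default applies.
effective_value() {
    awk -v pat="^($2)\$" '
        NF == 0 || $1 ~ /^#/  { next }          # blank line or comment
        tolower($1) == "match" { exit }         # conditional section: stop
        tolower($1) ~ pat      { print $2; exit } # first occurrence wins
    ' "$1"
}

# is_key_only FILE: exit 0 when only public-key authentication is offered.
# Defaults follow sshd_config(5): PasswordAuthentication yes, keyboard-
# interactive yes, PubkeyAuthentication yes. RSAAuthentication (protocol 1)
# is deliberately ignored: modern sshd does not know the keyword.
is_key_only() {
    pw=$(lower "$(effective_value "$1" passwordauthentication)")
    pk=$(lower "$(effective_value "$1" pubkeyauthentication)")
    # KbdInteractiveAuthentication and ChallengeResponseAuthentication are
    # aliases, so whichever appears first in the file is the effective one.
    kb=$(lower "$(effective_value "$1" \
        'kbdinteractiveauthentication|challengeresponseauthentication')")
    if [ "${pw:-yes}" = no ] && [ "${kb:-yes}" = no ] && [ "${pk:-yes}" = yes ]; then
        return 0
    fi
    return 1
}

# write_samples DIR: constructed before/after configurations.
write_samples() {
    # Before: a typical distribution default. PasswordAuthentication is only
    # commented out, so it stays at its default of yes, and keyboard-
    # interactive plus UsePAM still lets PAM ask for the account password.
    cat > "$1/sshd_config.before" <<'EOF'
# PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
    # After: the minimum that closes both password paths. UsePAM stays on
    # but no longer authenticates anyone.
    cat > "$1/sshd_config.after" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF
}

# Demonstration entry point: sh audit.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d"/sshd_config.before "$d"/sshd_config.after; do
        if is_key_only "$f"; then
            echo "$f: key-only"
        else
            echo "$f: passwords still accepted"
        fi
    done
fi
```

Two practical notes. First, before reloading sshd with the "after" settings, run `sshd -t` to syntax-check the file, keep your current session open, and confirm a fresh `ssh` login still works from a second terminal; the audit above does not look inside Match blocks, so if you use them check the effective values with `sshd -T -C user=<name>`. Second, on the recovery question: ssh-copy-id simply logs in and appends to ~/.ssh/authorized_keys, so once passwords are off it cannot get in without an existing key. The standard answers are to keep a second key pair somewhere safe (another machine, or a backup of the private key), to add the new public key through whatever console, KVM or hosting-provider access you already have, or to temporarily set PasswordAuthentication back to yes from that console, copy the key, and turn it off again.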