LinuxQuestions.org
Old 11-01-2011, 04:15 PM   #1
veeruk101
Member
 
Registered: Mar 2005
Distribution: Ubuntu 12.04 LTS
Posts: 249

Requiring public key in order to SSH into a machine


I'd like to make it necessary to have a public key in order to SSH into a machine. Meaning if you try to brute force the password, even if you guess the password correctly you won't be able to use it because you don't have the public key of the SSH server. My first question is whether this is the recommended best practice, or should I continue to allow the choice of a public key or the password? (The only problem I see with key-only authentication is that if I somehow lose my client's private key I can no longer log into my server...)

Currently my setup allows for passwordless SSH authentication if you have a public key, but it also allows for a username and password without the public key and that works too (which isn't what I want). Which of the following do I need to set in order to enable the public key-only functionality? Different tutorials list different combinations of the settings below - if someone could tell me the bare minimum I need to change in order for it to work, that would be great.

Quote:
RSAAuthentication
PubkeyAuthentication
ChallengeResponseAuthentication
PasswordAuthentication
UsePAM

Now let's say I've set up a public key-only login. If I want to create a new set of keys on my SSH server (let's say after reformatting my client - a laptop), I'm guessing I can't use ssh-copy-id to copy the newly created public key to the server? I'd be locked out of my server, so what would be the best way to set things up again and allow my laptop to SSH into my server again?

Last edited by veeruk101; 11-01-2011 at 04:23 PM.
 
Old 11-02-2011, 07:38 AM   #2
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Bookworm (Fluxbox WM)
Posts: 1,391
It is a good thing to restrict the number of ways to access a machine. Whether a password or a keyfile is better depends on how you manage them. If you use a PKI key, then it is good practice to password protect the PKI file.

To disable the password access, it is sufficient to set PasswordAuthentication to 'no' in the server configuration (the other parameters have reasonable defaults). You will need to restart the server.

If you have to set up a new PKI key, you need to add the public part to the server before you remove the old local key (use the '-i' flag to use the new key file). Once it has been added, you can change the local key to the new one, and restart the ssh session (and remove the old key from the server's authorized keys if it is no longer required).

If you lose the PKI key, then yes, you will be unable to access the server.

Last edited by neonsignal; 11-02-2011 at 07:52 AM.
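
An added example, not part of either post and not OpenSSH's own tooling: a small shell audit of the settings listed in the question, reporting whether a given sshd_config still leaves a password-style login path open. The function names and the sample config are constructed for illustration; unset keywords are assumed to take the upstream OpenSSH defaults, and only the global section (before any Match block) is read.

```shell
#!/bin/sh
# Added example. Assumptions: upstream OpenSSH defaults for unset keywords,
# whitespace-separated "Keyword value" lines, global section only (stops at the
# first Match block), Include files not followed.

# effective_value FILE KEYWORD DEFAULT: sshd keeps the first value it reads.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0   { next }    # comments and blank lines
        tolower($1) == "match"  { exit }    # end of the global section
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: prints one verdict line.
audit_sshd_config() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    pam=$(effective_value "$1" UsePAM no)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    reasons=""
    if [ "$pw" = yes ]; then reasons="$reasons PasswordAuthentication=yes"; fi
    # With PAM enabled, keyboard-interactive normally asks for the account
    # password, so it is treated here as a second password path.
    if [ "$cr" = yes ] && [ "$pam" = yes ]; then
        reasons="$reasons ChallengeResponse+PAM"
    fi
    if [ "$pk" != yes ]; then
        echo "lockout-risk: PubkeyAuthentication=$pk"
    elif [ -n "$reasons" ]; then
        echo "password-capable:$reasons"
    else
        echo "key-only"
    fi
}

# Constructed sample (not from the thread): passwords off, PAM prompt still on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a live server, `sshd -T` prints the effective configuration and `sshd -t` checks the file before a restart. Keep an existing session open while confirming that a key-only login works from a second terminal.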
 
  

