Author: Unreal good

Source: Hang Seng LIGHT Cloud Community

An overview of the

As cloud technology matures, more and more people use cloud servers to host their own applications, but many pay no attention to network security, their servers get compromised by attackers, and they regret it afterwards. This article introduces how to create and use SSH keys for secure login to help you improve your security posture.

SSH (Secure Shell Protocol) is an encrypted network protocol that allows users to securely access remote computers over an insecure network.

SSH keys are a more secure way to log in to an SSH server because they are far less vulnerable to the brute-force password attacks that are common. Although SSH supports password-based authentication, SSH keys are generally recommended. Generating an SSH key pair creates two long strings: the public key and the private key. You place the public key on any server you want to reach and then connect to that server with an SSH client that has access to the private key. When the public and private keys match, the SSH server grants access without a password. You can further strengthen the key pair by protecting the private key with an optional (but highly recommended) passphrase.

Specific operation

Creating a Key Pair

The first step is to create a key on the client machine. This could be a local computer. On the local command line, type the command: ssh-keygen -t ed25519

[root@localhost ~]# ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): 

After you enter the command, it prints a confirmation message and asks where the key should be saved.

If you are using an older system that cannot create ed25519 keys, or the server you connect to does not support them, create a strong RSA key pair instead:

ssh-keygen -t rsa -b 4096

This changes the -t (type) flag to rsa and adds the -b 4096 (bits) flag to create a 4096-bit key.

Specify the location where the key is saved

The first prompt for the ssh-keygen command is to ask where to save the key:

Enter file in which to save the key (/root/.ssh/id_ed25519): 

You can press ENTER to save the file to the default location in the .ssh directory of your home directory, or specify another path on your system.

Here we just press ENTER and accept the default path.

Create a passphrase

After confirming the save location, you will be prompted to set a passphrase:

Enter passphrase (empty for no passphrase):

You can leave the passphrase empty, but it is strongly recommended that you set one, because the security of the key then also depends on the strength of that passphrase. If an unprotected private key falls into the hands of someone who is not authorized to use it, they will be able to log in to any server you configured with the corresponding public key.

To review, the entire key generation process looks like this:

[root@localhost ~]# ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:hRTOxc4IFviuv0vr4q61fGTee2Xo5Ol/gmUtZh/Y55s [email protected]
The key's randomart image is:
+--[ED25519 256]--+
| ... oo. |
| . o+ o. |
| o .++. |
| . .. o |
| . S . + |
| + o X + .|
| .=.. + X o + |
| oooo.. * . o o|
| .+==*o.+... o E.|
+----[SHA256]-----+

The public key is now at /root/.ssh/id_ed25519.pub.

The private key is now located at /root/.ssh/id_ed25519.

Copy the public key to the remote server

Once the key pair is generated, you can place the public key on the server you want to connect to.

The ssh-copy-id command copies the public key into the authorized_keys file on the server. Replace the sample username and address with your own:

ssh-copy-id user@server_address

After the command has run, you can log in to the server over SSH without being prompted for a password. If you set a passphrase when creating the SSH key, however, you will be asked for it. That prompt comes from the local SSH client, which needs the passphrase to decrypt the private key; the passphrase is never sent to the remote server.

Disable password-based SSH authentication

After the SSH key has been copied to the server, you can go a step further and configure the SSH server to disable password-based authentication entirely.

Before disabling password-based authentication, make sure you can log in to the server successfully with the SSH key and that no other users on the server still depend on password login.

To disable password-based SSH authentication, open the SSH server configuration file. It is usually located at /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

This command opens the file in the nano text editor. Find the line containing PasswordAuthentication (or add it if it does not exist), make sure it is not commented out with a # at the beginning of the line, and set its value to no:

PasswordAuthentication no

When finished, save and close the file. In nano, press CTRL+O to save, press ENTER to confirm the file name, then CTRL+X to exit.

Reload the sshd service for the change to take effect:

sudo systemctl reload sshd

Before closing your current SSH session, open a second terminal and test a new connection to verify that key-based login still works; if it does not, you can still fix the configuration from the session that is already open.
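As an added example (not part of the original article), the following POSIX sh script checks which PasswordAuthentication value sshd will actually use and switches it to no. It assumes OpenSSH's parsing rules: the first global directive wins, keywords are case-insensitive, `Key=value` is allowed, `#` starts a comment, and directives under a Match block are conditional, so they are skipped; the sample config at the bottom is constructed for the demo.

```sh
#!/bin/sh
# Added example: inspect and set PasswordAuthentication in an sshd_config.

# Print the effective global value ("yes" if unset, OpenSSH's default).
effective_password_auth() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " "); $0 = $0 }   # strip comments, allow Key=value
        NF == 0 { next }                               # skip blank lines
        tolower($1) == "match" { in_match = 1 }        # everything after Match is conditional
        in_match { next }
        tolower($1) == "passwordauthentication" && !found { print tolower($2); found = 1 }
        END { if (!found) print "yes" }
    ' "$1"
}

# Rewrite FILE so PasswordAuthentication is VALUE: comment out any existing
# global occurrence and insert the new directive at the top, before any Match
# block, so it is the first (and therefore effective) one.
set_password_auth() {
    file=$1; value=$2
    tmp=$(mktemp) || return 1
    awk -v val="$value" '
        BEGIN { print "PasswordAuthentication " val }
        {
            line = $0; sub(/#.*/, "", line); gsub(/=/, " ", line); split(line, f)
            if (tolower(f[1]) == "match") in_match = 1
            if (!in_match && tolower(f[1]) == "passwordauthentication")
                $0 = "#" $0 "   # superseded by the directive at the top of the file"
            print
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original file's permissions
    rc=$?; rm -f "$tmp"; return $rc
}

# Demo on a constructed sample config (not a real server's file).
demo_cfg=$(mktemp)
printf '%s\n' '# constructed sample' 'PasswordAuthentication=yes' \
    'Match User deploy' '  PasswordAuthentication no' > "$demo_cfg"
echo "before: $(effective_password_auth "$demo_cfg")"   # yes (Match block does not count)
set_password_auth "$demo_cfg" no
echo "after:  $(effective_password_auth "$demo_cfg")"   # no
rm -f "$demo_cfg"
```

Run it against a copy of /etc/ssh/sshd_config first, and validate the result with `sshd -t` before reloading the service.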

Conclusion

In this article, we improved server security by creating an SSH key pair, copying the public key to the server, and (optionally) disabling password-based authentication entirely.


Want to learn more from the tech gurus? Where are problems encountered during development discussed? How to access the massive resources of fintech?

Hang Seng LIGHT Cloud Community, a professional fintech community platform built by Hang Seng Electronics, shares practical technical content, resources, and fintech industry trends, and welcomes all financial developers.