Secure Shell, or SSH [1], is a cryptographic (encrypted) network protocol operating at layer 7 of the OSI Model [1] to allow remote login and other network services to operate securely over an unsecured network. SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. [1]

Authenticating with SSH normally goes like this:

$ ssh username@192.168.2.100
username@192.168.2.100's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

Last login: Fri Mar  4 14:05:21 2016 from 175.48.239.72
username@192.168.2.100:~$

The password is just plain text, and for the sake of security and to make our lives easier we want to get rid of it. This guide hardens the authentication process by disabling the plain-text password.

This guide assumes that your home folder is not encrypted. If it is encrypted, this guide doesn't work for you: the keys would be stored in the encrypted folder, which can't be read by the SSH daemon.

1. Create a local authentication key pair (RSA) with ssh-keygen on OS X.

To share a key between your trusted systems, you first need to create a local public/private key pair.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa): [press enter]
Created directory '/Users/username/.ssh'.
Enter passphrase (empty for no passphrase): [press enter]
Enter same passphrase again: [press enter]
Your identification has been saved in /Users/username/.ssh/id_rsa.
Your public key has been saved in /Users/username/.ssh/id_rsa.pub.
The key fingerprint is:
ef:3e:a6:5e:62:f0:b4:c0:2f:67:ce:45:2a:74:18:7e username@username's-macbook
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
| o               |
|E .              |
| . o .           |
|  oo  ==S        |
|   . = o .       |
|      C = o      |
|     o B =o      |
|      o.B=o.     |
+-----------------+

2. Upload Generated Public Keys to the remote server

This is needed so that the server can verify that you are authorized to log in to the server in the future. Create the .ssh folder on the remote server and then copy the public key.

$ ssh username@192.168.0.100 mkdir -p .ssh
$ cat .ssh/id_rsa.pub | ssh username@192.168.0.100 'cat >> .ssh/authorized_keys'

3. Set Permissions on the remote server

Because SSH versions can differ between the server and the local system, we need to set the permissions on the .ssh directory and the authorized_keys file explicitly. This prevents issues later.

$ ssh username@192.168.0.100 "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

Now you're able to authenticate without a password using your public key.

4. Testing new way to authenticate.

$ ssh username@192.168.0.100

Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-83-generic x86_64)

Last login: Fri Mar 25 11:34:11 2016 from 192.168.0.102

username@192.168.0.100:~$

5. Disable root & SSH plain text login

The main source of configuration for the SSH daemon itself is the sshd_config file. This configuration has little to do with ssh_config; the latter specifies client-side defaults.

$ sudo nano /etc/ssh/sshd_config

Change PermitRootLogin without-password to PermitRootLogin no, then uncomment the PasswordAuthentication line shown below and change "yes" to "no":

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
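
A check for the two settings from step 5, as an added example that is not part of the original guide. It reports the value sshd would actually use when a line was left commented out or an earlier line shadows the edit; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the two settings from step 5.
# Function names and the sample config are constructed for illustration.

# Print the effective global value of keyword $2 in file $1 ("unset" if none).
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines starting with '#' are comments. Parsing stops
# at the first Match block; Include files are not followed (simplification).
sshd_effective() {
    awk -v want="$2" '
        { sub(/^[ \t]+/, ""); sub(/\r$/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == tolower(want) { print f[2]; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only if root login and password login are both explicitly "no".
check_hardening() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_effective "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK   $kw no"
        else
            echo "FAIL $kw is '$val', expected 'no'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: root login is fixed, but the password line was left
# commented out and a later "no" is shadowed by an earlier "yes".
write_sample() {
    printf '%s\n' \
        'PermitRootLogin no' \
        '#PasswordAuthentication no' \
        'passwordauthentication yes' \
        'PasswordAuthentication no' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
check_hardening "$sample" || echo "=> still accepts passwords"
rm -f "$sample"
```

On the server itself, `sudo sshd -t` validates the edited file and `sudo sshd -T` prints the effective configuration. The daemon has to be restarted or reloaded before the new settings apply.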

  1. Intro text source: https://en.wikipedia.org/wiki/Secure_Shell