SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Generating a key pair provides you with two long string of characters: a public and a private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.
The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):
ssh-keygen -t rsa
The public key is now located in
~/.ssh/id_rsa.pub The private key (identification) is now located in
Once the key pair is generated, it’s time to place the public key on the virtual server that we want to use.
You can copy the public key into the new machine’s authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.
Now you can go ahead and log into email@example.com and you will not be prompted for a password. However, if you set a passphrase, you will be asked to enter the passphrase at that time (and whenever else you log in in the future).
Add the key to the ssh-agent (a bit like a key ring that holds all your keys on your client) It’s probably worth making a copy of the key and storing it elsewhere, somewhere very safe like an off line USB stick. To add the key to the agent simpy type:
Once you have copied your SSH keys on to your server and ensured that you can log in with the SSH keys alone, you can go ahead and restrict the root login to only be permitted via SSH keys.
In order to do this, open up the SSH config file:
sudo vim /etc/ssh/sshd_config
Within that file, find the line that includes PermitRootLogin and modify it to ensure that users can only connect with their SSH key:
Put the changes into effect:
However lose the private keys and you’ll probably never get root access again!