Akkana Peck writes:
Many tutorials will include a section on how to set up keys so you can ssh without a password. While that's certainly useful, I'd recommend skipping that part for now, until you're more comfortable with the basics of ssh with a password.
Using ssh keys and disabling passwords is the number one most important configuration to enable on any ssh server. This is the number of attempts by bots yesterday to break into my home PC via ssh. Not a server with a public domain name, but my desktop computer sitting in my apartment: # grep 'Jun 15' /var/log/authlog | grep sshd | wc -l 76010 That is approaching a hundred thousand attempts PER DAY. On a server not linked on any website or indexed by any search engine. I wouldn't trust a password to that, even my own reasonably well chosen ones. Back when I was an undergrad, I took a cybersecurity class in UNM's CS department. One kid ran a public ssh server for an assignment. A bot guessed his password. When the professor found out, he imaged the disk, and the next class assignment was to study the hard drive to figure out what the bots do once they succeed in breaking in. So what is it they do? First they silently replace passworded tools (sudo, ssh, and the like) with trojaned versions that log all passwords of all sites you log into. Then they set up bruteforcers and start using YOUR machine to attack more servers. And then they cover their tracks. I don't mean to scare people, but running an ssh server without disabling passwords is incredibly unsafe, both for oneself and for everyone else on the internet. Doesn't matter how good your passwords are--the risk of a compromised machine is too great. Disabling passwords is easy: in /etc/ssh/sshd_config, add the following line: PasswordAuthentication no Then restart the server (or restart the machine). Using keys is easy too. It is only two steps. Step one: on the client machine (the one you "ssh" *from*), run: $ ssh-keygen It will ask where to save it (default of ~/.ssh/id_rsa is fine), and ask for a passphrase to use (blank/no passphrase is perfectly fine). (Personally I run "ssh-keygen -t ed25519 -c 'my comment goes here'" but running just "ssh-keygen" is fine too.) Step two: copy the public key (it ends in ".pub", like ~/.ssh/id_rsa.pub) to the destination machine (the one you ssh *to*), at: ~/.ssh/authorized_keys Now you can ssh from the one machine to the other, with passwords disabled. You won't even have to enter a password (very convenient), yet it is vastly more secure than a password-enabled configuration. -- Anthony J. Bentley