by: Linux/Unix Raspberry Pi5 Comments on Setting Up and Copying SSH Keys

Creating a key to have access to your server through ssh is the safest way to get access to your server.

In your client machine just type:

ssh-keygen -t rsa-sha2-512 -b 4096 -C "[email protected]"

Or, for an elliptic curve signing algorithm alternative:

ssh-keygen -t ed25519 -C "[email protected]"

It is going to ask you the location, just hit “Enter”, and if you want a password just type, confirm, and the key is created.

When needed to change the password of the private key issue:

ssh-keygen -p -f ~/.ssh/id_dsa

Or simply:

ssh-keygen -p

For manually extract the public key from the private:

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

The whole directory must be protected from being read by other users:

chmod 700 -R ~/.ssh

To transfer your key to the server issue the command:

ssh-copy-id [email protected]

Confirm the password that you used to type to log in to your server.

The public key can be manually installed by appending the id_rsa.pub into the authorized_keys.

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

To check the algorithm type of an existent key:

ssh-keygen -l -f ~/.ssh/id_rsa

Done! Now just try to connect again.

ssh domain.com

If you did everything correctly you are already logged in.

It is always a good idea to have another account set just in case you type something wrong and lock yourself out. If this is the case, log in with the second account, switch to your user, or root, and delete the files inside the folder ~/.ssh/.

As a good practice, always protect your SSH as much as you can. See the recommendations below:

sudo nano /etc/ssh/sshd_config

Configuration parameters you should pay attention to:

AllowUsers user
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

Replace “user” with your own user id. Restart your server:

sudo systemctl restart sshd.service

BONUS

If you need to hop on a server that is the entry point of a network to reach one internal server use the ProxyJump functionality:

ssh -J [email protected] [email protected]

Or create a configuration to automate this process:

nano ~/.ssh/config

With the following configuration customized accordingly:

Host external
    HostName 200.200.200.200
    User user1
Host internal
    HostName 10.0.0.1
    User user2
    IdentityFile ~/.ssh/id_rsa
    ProxyJump external

Many other parameters can be configured in this file:

Host serverA
    HostName 192.168.0.1
    User user3
    Port 2222
    Protocol 2
    IdentityFile ~/.ssh/serverA.key
    LogLevel INFO
    Compression yes
    ServerAliveInterval 60
    ServerAliveCountMax 30
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted yes
    ProxyJump [email protected]:22,[email protected]:2222

Host * !192.168.0.1
    User ubuntu

Or to bypass any pre-configuration and only give the arguments of the command:

ssh -F /dev/null user@host

Discover new functionalities over SSH on the post Reverse Shell with AutoSSH [Link]