SSH keys
Logging into SSH using a key involves first generating a private key and a public key. It’s your responsibility to keep the private key as secret as can be. It’s convenient to have a copy on every machine you log into the server from, but also insecure: if one of those machines is stolen, the copy on it becomes a way into your server. Ideally you should keep the private key on a USB stick and not lose it.
The public key can be just that, and a copy of it is stored on the server to verify the private key via mathematical voodoo. To generate a keypair (ideally on a machine that you’ll access the server from, rather than the server itself) run the command ssh-keygen. Accept the default location and choose a passphrase for your key.
This adds an extra layer of security in the event the key is purloined. Copy the key to the server with ssh-copy-id lxfuser@192.168.1.100; it will be appended to the file /home/lxfuser/.ssh/authorized_keys on the server. We can test it works with:
$ ssh lxfuser@192.168.1.100
All going well we shouldn’t be asked for a password this time. If you want to disable password logins altogether, then you will need to add the directive:
PasswordAuthentication no
to /etc/ssh/sshd_config.
The keypair itself lives in the ~/.ssh/ folder, in the files id_rsa.pub and id_rsa. The latter file is the private key, and should be treated with care. If you copy it elsewhere, you can tell SSH to log in with ssh -i /path/to/key, but it will be rightly fussy about permissions.
Since filesystems commonly used on USB sticks (such as FAT32 and NTFS) don’t support Linux permissions, you will need to copy your key off such media and then run:
chmod 600 id_rsa
before attempting to log in.
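As an added example (not from the original article), the two checks described above as small POSIX shell functions: whether a private key has the 600 mode that ssh insists on, and whether an sshd_config actually disables password logins. File paths are passed as arguments; the files in the demonstration are constructed and contain no real key.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for the two checks
# the text describes, the 0600 mode ssh demands on a private key and the
# PasswordAuthentication directive in sshd_config. File paths are arguments.

# Return 0 if the file's mode is exactly 600 (owner read/write only).
# Tries GNU stat first, then BSD/macOS stat.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "600" ]
}

# A key copied off FAT32/NTFS media usually arrives world-readable and ssh
# refuses it ("UNPROTECTED PRIVATE KEY FILE"); tighten it and re-check.
fix_key_perms() {
    chmod 600 "$1" && key_perms_ok "$1"
}

# Return 0 only if password logins are disabled in the given sshd_config.
# sshd honours the FIRST uncommented occurrence of a keyword, and the
# default is "yes", so a missing directive counts as enabled. Match blocks
# and Include files are not followed here; "sshd -T" shows the full picture.
password_auth_disabled() {
    value=$(grep -iE '^[[:space:]]*PasswordAuthentication([[:space:]]|=)' "$1" 2>/dev/null |
            head -n 1 | tr '=' ' ' | awk '{ print tolower($2) }')
    [ "$value" = "no" ]
}

# Demonstration on constructed files in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed placeholder, not a real key\n' > "$tmp/id_rsa"
    chmod 644 "$tmp/id_rsa"     # what a copy from a FAT32 stick looks like
    printf '# PasswordAuthentication yes\nPasswordAuthentication no\n' > "$tmp/sshd_config"

    if key_perms_ok "$tmp/id_rsa"; then echo "key mode ok"; else echo "key mode too open"; fi
    fix_key_perms "$tmp/id_rsa" && echo "key mode fixed to 600"
    if password_auth_disabled "$tmp/sshd_config"; then
        echo "password logins disabled"
    else
        echo "password logins still enabled"
    fi
    rm -rf "$tmp"
}

demo
```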