Demanding ssh key login to a server is safer than allowing passwords

(written by lawrence krubner, however indented passages are often quotes). You can contact lawrence at:, or follow me on Twitter.

This is good and true:

Require ssh key authentication

We tend to avoid passwords for logging into servers. There was a lot of discussion around this after Bryan’s original guide came out, but I tend to fall into this camp as well. Here are a few notes on this:

ssh keys are better than passwords only because they contain and require more information.

Passwords can be brute forced. Guessing a public key is so essentially impossible that they can be considered perfectly secure

What about a stolen machine? Yes, they have your private key, but expiring an ssh-key is easy, just remove the public key from authorized_keys. You should also have your private key protected by a secure and long passphrase. See next point.

All of this works, AS LONG AS YOU HAVE A LONG AND SECURE PASSPHRASE PROTECTING YOUR KEY. Repeated because it’s bloody important.

So let’s make password authentication a thing of the past on our server. Copy the contents of your id_rsa.pub1 on your local machine to your servers authorized keys file.

Enforce ssh key logins

ssh configuration for the machine is stored here:

vim /etc/ssh/sshd_config

You’ll want to add these lines to the file. I think they’re pretty self-explanatory. You’ll want to add the IP that you use to connnect. We have a company VPN setup with OpenVPN with cryptographic authentication so in order to connect to a server, you must also be authenticated and connected to the VPN.

PermitRootLogin no

PasswordAuthentication no

AllowUsers deploy@(your-VPN-or-static-IP)

Enable all these rules by restarting the ssh service. You’ll probably need to reconnect (do so by using your deploy user!)

service ssh restart

Post external references

  1. 1