To improve the system security even further, most of the organizations turned to use keybased authentications instead of Password based authentication. We can enforce the key-based authentication by disabling the standard password authentication, which involves a public key private key pair. The public key is added in the server configuration file while private key is kept kept confidential on the client side.
Below listed is the procedure, to set up keybased authentication.
1) Generating Key Pairs
a) Generate an RSA key pair by typing the following at a shell prompt:
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/steve/.ssh/id_rsa):
b) Press Enter to confirm the default location (that is, ~/.ssh/id_rsa) for the newly created key.
c) Enter a passphrase, and confirm it by entering it again when prompted to do so.
d) Copy the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect,
appending it to its end if the file already exists.
e) Change the permissions of the ~/.ssh/authorized_keys file using the following command:
$ chmod 600 ~/.ssh/authorized_keys
2) Now on your client side, open the remote connection agent like putty and browse your public key and try SSH to the server, you should be able to login without a password now.
# ssh server1.myserver.com
The authenticity of host ‘server1.myserver.com (192.168.44.2)’ can’t be established.
RSA key fingerprint is e3:c3:89:37:4b:94:37:d7:0c:d5:6f:9a:38:62:ce:1b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘server1.myserver.com’ (RSA) to the list of known hosts.
Last login: Tue July 13 12:40:34 2014 from server2.myserver.com
3) Public key authentication can prevent brute force SSH attacks, but only if all password-based authentication methods are disabled. Once public key authentication has been confirmed to be working, disable regular password authentication by editing /etc/ssh/sshd_config and set the following option to “no”.