Login with SSH Keys - tulliolo/mobybolt GitHub Wiki
One of the best options to secure the sensitive SSH login is to disable passwords altogether and require an SSH key certificate. Only someone with physical possession of the private certificate key can log in.
Generate SSH Keys on Windows
Follow this guide: Configure "No Password SSH Keys Authentication with PuTTY" on Linux Servers
You have now generated three new files. Keep them safe!
- MobyBolt-Private-Key.ppk
- MobyBolt-Public-Key
- authorized-Keys.txt
You also copied the content of authorized-Keys.txt into the file ~/.ssh/authorized_keys on your MobyBolt PC and changed the directory’s permissions to 700.
After specifying your private key file in the PuTTY configuration, you’re all set.
Generate SSH Keys on MacOS or Linux
- In the terminal on your regular computer, check if keys already exist:

    $ ls -la ~/.ssh/*.pub

- If files are listed, your public key should be named something like id_dsa.pub, id_ecdsa.pub, id_ed25519.pub or id_rsa.pub. If one of these files already exists, skip the next step.

- If none of those files exist, or you get a "No such file or directory" error, create a new public / private key pair:

    $ ssh-keygen -t rsa -b 4096

  When you're prompted to "Enter a file in which to save the key", press Enter to use the default file location. Optionally, for maximum security, use password [A] to protect your key.

- The public key now needs to be copied to the MobyBolt PC. Use the command ssh-copy-id, which stores your public key on the remote machine (and creates files and directories, if needed). You will be prompted for your SSH login password once.

    $ ssh-copy-id [email protected]

  💡 If you are on MacOS and encounter an error, you might need to install ssh-copy-id first by running the following command on your Mac's command line:

    $ brew install ssh-copy-id
Disable password login
- Log in to the MobyBolt PC as admin using SSH with your SSH key. You shouldn't be prompted for the admin's password anymore.

- Edit the SSH configuration file /etc/ssh/sshd_config to harden our security:

    $ sudo nano /etc/ssh/sshd_config

- Uncomment the following option to disable password authentication:

    PasswordAuthentication no

- Below the commented-out ChallengeResponseAuthentication option, add the following line to disable s/key, a one-time password authentication. Save and exit.

    #ChallengeResponseAuthentication no
    KbdInteractiveAuthentication no

- Restart the SSH daemon, then exit your session:

    $ sudo systemctl restart sshd
    $ exit

- Log in again with user admin
You can no longer log in with a password. User admin is the only user that has the necessary SSH keys; no other user can log in remotely.
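To confirm the change took effect, check the settings sshd actually applies rather than the text of the file: sshd uses the first value it reads for each keyword, so an earlier line or an included file can override the one you added. The script below is an added example, not part of the original guide; it assumes its input is the output of `sshd -T` (for a real check, run `sudo sshd -T | audit_sshd_effective`), and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit the EFFECTIVE sshd settings.
# Input format assumed: `sshd -T` output, one "keyword value" per line,
# keywords in lower case.

# Reads `sshd -T` output on stdin, prints one finding per line, and returns
# 0 only if password-style logins are off and public-key login is on.
audit_sshd_effective() {
    awk '
        { seen[$1] = $2 }
        END {
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["pubkeyauthentication"] = "yes"
            # Legacy keyword: only checked when this sshd version prints it.
            if ("challengeresponseauthentication" in seen)
                want["challengeresponseauthentication"] = "no"
            bad = 0
            for (k in want) {
                if (!(k in seen)) { print "MISSING " k; bad = 1 }
                else if (seen[k] != want[k]) { print "FAIL " k " " seen[k]; bad = 1 }
                else print "OK " k " " seen[k]
            }
            exit bad
        }'
}

# Constructed sample: the result this guide aims for.
sample_hardened() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}

# Constructed sample: an earlier or included setting won, so the edit to
# sshd_config had no effect on password login.
sample_overridden() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

sample_hardened | audit_sshd_effective
sample_overridden | audit_sshd_effective || echo "not hardened: fix before logging out"
```

Run the check from a second session while the first is still open, so a failed result can be corrected before you lose access.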
❗ Back up your SSH keys! You will need to attach a screen and keyboard to your MobyBolt PC if you lose them.