By default, password authentication is used to connect to your system via SSH. A cryptographic key-pair is more secure because a private key takes the place of a password, and a key is far harder to brute-force than a typical password. In this section we’ll create a key-pair and configure your system to not accept passwords for SSH logins.
As of Autumn 2018, OpenSSH has been added to Windows 10, simplifying the process for securing SSH. The Windows 10 instructions in this guide assume OpenSSH was installed as part of this update; the Earlier Windows Versions instructions apply to older releases of Windows.
This is done on your local computer, not your system, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you save it to your local desktop’s keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you don’t want to use one.
If you’ve already created an RSA key-pair, this command will overwrite it, potentially locking you out of other systems. If you’ve already created a key-pair, skip this step. To check for existing keys, run
ssh-keygen -b 4096
Press Enter to use the default names id_rsa and id_rsa.pub before entering your passphrase. On Linux and OS X, these files will be saved in the /home/your_username/.ssh directory. O
From your local computer:
SSH Daemon Options
Open the SSH configuration file on your Compute Instance using a Linux text editor, such as nano or vim:
sudo nano /etc/ssh/sshd_config
Disallow root logins over SSH.
This requires that all SSH connections be made by non-root users. Once a limited user account is connected, administrative privileges are accessible either by using sudo or by changing to a root shell using su -.
Disable SSH password authentication. This requires all users connecting via SSH to use key authentication. Depending on the Linux distribution, the line PasswordAuthentication may need to be added, or uncommented by removing the leading #.
# Change to no to disable tunnelled clear text passwords
You may want to leave password authentication enabled if you connect to your Linode from many different computers. This will allow you to authenticate with a password instead of generating and uploading a key-pair for every device.
Listen on only one internet protocol. The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your Linode using both protocols, disable whichever you do not need. This does not disable the protocol system-wide; it applies only to the SSH daemon. Depending on the Linux distribution, the line AddressFamily may need to be added, or uncommented by removing the leading #.
Use the option:
AddressFamily inet to listen only on IPv4.
AddressFamily inet6 to listen only on IPv6.
# Port 22
Restart the SSH service to load the new configuration.
If you’re using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+):
sudo systemctl restart sshd
If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04):
sudo service sshd restart
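After restarting, it is worth confirming that the daemon will actually use the values you set. The script below is an added example, not part of the original guide: it reads an sshd_config file and reports the effective PermitRootLogin, PasswordAuthentication and AddressFamily values, applying sshd's rule that the first uncommented occurrence of a keyword wins (a hardened line appended below an existing "yes" is silently ignored). The sshd_effective and sshd_audit function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Audits an sshd_config file for the three settings this section changes.
# sshd uses the FIRST uncommented value it finds for a keyword (lines under a
# Match block aside), so a hardened line appended below an existing
# "PasswordAuthentication yes" has no effect. This reports what sshd will use.

# Print the effective value of keyword $2 in config file $1; empty if unset.
# Only the "Keyword value" form is parsed, which is the form the guide edits.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        tolower($1) == "match" { in_match = 1; next }  # conditional settings start here
        in_match { next }                              # Match blocks run to end of file
        tolower($1) == key { print $2; exit }          # first value wins
    ' "$1"
}

# Report each setting; return 0 only if all three match the guide's recommendations.
# Unset keywords take OpenSSH defaults (PermitRootLogin prohibit-password,
# PasswordAuthentication yes, AddressFamily any), so they are flagged as well.
sshd_audit() {
    cfg=$1; rc=0
    for key in PermitRootLogin PasswordAuthentication AddressFamily; do
        got=$(sshd_effective "$cfg" "$key" | tr '[:upper:]' '[:lower:]')
        case "$key:$got" in
            PermitRootLogin:no|PasswordAuthentication:no|AddressFamily:inet|AddressFamily:inet6)
                printf 'OK    %-22s %s\n' "$key" "$got" ;;
            *:) printf 'WEAK  %-22s unset, sshd default applies\n' "$key"; rc=1 ;;
            *)  printf 'WEAK  %-22s %s\n' "$key" "$got"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample file (not a real server's config) showing the pitfall:
# the "no" appended at the bottom loses to the earlier "yes".
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
AddressFamily inet
PasswordAuthentication no
EOF
if sshd_audit "$demo"; then echo "hardened"; else echo "NOT hardened: fix the lines marked WEAK"; fi
rm -f "$demo"
```

To audit a real server, run sshd_audit against /etc/ssh/sshd_config (or compare with the output of sudo sshd -T, which prints the daemon's own view of its effective settings).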