Configuring Passwordless Server Login Using SSH

  • Published 28 Aug 2024
  • Passwordless login with SSH is not only a best practice but also a very convenient way of logging into your servers. In this video we'll look at public and private keys, sshd configuration, and authorizing your key on a server.
    Hope you enjoyed the video!
    Check out this code here:
    github.com/eng...
    Join my Discord server to chat with me:
    / discord
    Check out some code on my GitHub:
    github.com/rea...
    github.com/eng...
    Come visit us on Reddit:
    / engineerman
    Other Social:
    / _engineerman
    / engineermanyt

COMMENTS • 66

  • @lautaropastorino4417 4 years ago +18

    Dude you make everything so clear, keep up the good work!

  • @rodrigocorrea6348 4 years ago +6

    This is called: Public Service
    Thanks EngineerMan!

  • @funkykong9001 4 years ago +16

    I recommend using ed25519 instead of RSA when generating keys. ed25519 keys are smaller and faster and provide just as much security as large RSA keys.
    +1 to using ssh-copy-id to automate getting your pubkey on the remote host.

    • @rtynski 4 years ago +1

      ssh-copy-id

    • @IgnoreMyChan 4 years ago +1

      ed25519 is really convenient, although not yet globally supported. But I prefer them above RSA.

    • @hardcoreteunes 4 years ago

      thanks for the tip!

  • @chairlovawitabat 4 years ago +1

    Thank you so much for this video. I really needed this. I’ve been looking for a video that explained how to configure the server ssh and where the public key went. You explained it perfectly.

  • @marv.hamburg 3 years ago +1

    You still can do automated things while your private key is secured by a password. Take a look at ssh-agent and ssh-add. Just start ssh-agent and add your key with ssh-add, you will need to enter your password one time and after that there's no need to re-enter.

  • @ZacKoch 4 years ago

    Nice and clear 👍 funny I was just talking about having to log in via the cloud console and manually add new keys because the old ones were lost to a bunch of servers by someone... 🤦‍♂️🤣

  • @pr0d1g1 3 years ago

    This is the best explanation I ever got on SSH. I learned many things from you.
    Thanks man

  • @jeffherdzina6716 4 years ago +9

    Interesting that you should have this video today. As I've been updating ssh keys on multiple servers, this morning.
    Why may you ask was I changing ssh keys?
    Good question. I was checking my secure logs and found a TON of IP addresses trying to hack my server. Now my router port for SSH is NOWHERE near port 22. With 65,000+ ports to choose from, they spent the time hunting for the SSH port on my Router.
    Root login is turned off, which is the only account they tried to log into....thank goodness. Checking the IP address out, they all came back from China.

    • @macethorns1168 3 years ago

      Security by obscurity is *not* security. Changing the port just makes it annoying for legitimate users.

    • @jeffherdzina6716 3 years ago

      @macethorns1168 I have no one from China that should be on these servers. Or for that matter, outside of the U.S.

  • @eputen 4 years ago

    Damn. Gotta go and change my server password 🤣. Great video man

  • @AlfieVLOG0 3 years ago +1

    Is it bad practice to use the same key pair for multiple machines?? Also thanks for the video!!

  • @tech-daddy 3 years ago +1

    Great guide, simple and well explained.

  • @mansourq6512 4 years ago

    You are doing a great job, sir, thank you so much and please keep it up ...THUMBS up as usual

  • @williamb.2031 4 years ago

    Awesome stuff as always! Thanks :)

  • @stalebread7972 4 years ago

    Great video, lots to learn

  • @jonasbergkvist6381 4 years ago

    Great vid, follow it up with key management please!

  • @Codester145 4 years ago +1

    Great video as always! Glad to see more Linux content.

  • @macethorns1168 3 years ago

    Haven't finished the video yet, but your authorized_keys file can't be allowed to be read by other users or it won't work.

  • @trashchris 4 years ago

    I would use an ed25519 key with a password, these days there is no excuse to not have a good secure password and keep it safe. If you need to use multiple logins with that key in one day you can load it into a key agent on Windows or Linux

  • @LordHog 3 years ago

    If you have multiple computers at home, would you generally create ssh key pairs for each computer that is accessing some remote machine or share a common ssh key pair between all the machines that will access the remote machine?

    • @EngineerMan 3 years ago +1

      You could do either, my preference is to make each computer have its own pair.

  • @oijgg3p 2 years ago

    Can someone explain to me, when he created a vm, how did he get that password? Let's say, I installed any linux distro as a vm, and I know it has openssh client.. where can I find a password for that system?

  • @Ebbzzor 4 years ago +1

    If your developer machine gets stolen/broken after disabling pw. Are you forever locked out assuming you just set up that 1 ssh?

    • @SuperMuchonacho 4 years ago +1

      Ebbzzor no - disabling passwords in sshd only disables passwords for ssh connections, it doesn’t change local sign in - so If you have the machine locally you can still sign in normally as you would with any pc, if it is a cloud machine most services allow a virtual console from the web interface

    • @Ebbzzor 4 years ago

      @SuperMuchonacho Right. But often times that's a rented virtual machine.

    • @nivlemspeaks 4 years ago

      You could have a backup copy of your ssh key somewhere else that you could import onto another machine and use to login.

    • @maklor 4 years ago

      @Ebbzzor a lot of providers have a login console/shell on the management website

  • @bordertone_5138 3 years ago

    Thank you so much

  • @ro55mo22 4 years ago +1

    I always adjust the port SSH uses on my servers to something between 64000 and 65000 as well as using SSH keys. Just one more little thing to keep things a bit safer.

    • @macethorns1168 3 years ago

      It really doesn't. Just makes the port scanner take slightly longer and inconveniences actual users.

  • @lakshyajain3715 4 years ago +1

    CAN YOU PLEASE MAKE A VIDEO ON ATOM PACKAGES YOU HAVE INSTALLED FOR HTML(LIKE THAT ATTRIBUTE COMPLETION MENU)? I NEED THEM FOR AN UPCOMING EXAM

    • @EngineerMan 4 years ago +1

      As far as I know that's built into Atom. I don't recall installing anything to get that.

    • @lakshyajain3715 4 years ago

      @EngineerMan thanks for your reply. :)

  • @CamStansell 3 years ago

    brilliant. thanks

  • @Hartley94 4 years ago

    ❤❤❤

  • @someoneonyoutube181 4 years ago

    why is the brim of your hat so bent? it almost does a full 180

  • @biniesh7097 4 years ago

    thanks for simplifying

  • @leocarvalho8051 4 years ago

    my authorized_keys already has content. Should I append the public key to it??
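Added example, not part of the comment thread or the video: one way to authorize a key on a server when `authorized_keys` already has entries, which also sets the conventional owner-only modes (700 on `.ssh`, 600 on the file) relevant to the permissions comment above. The function names `install_pubkey` and `perms_ok` are hypothetical, and only plain key lines without an options prefix are accepted.

```sh
# Added example, not from the video. Assumes a POSIX shell.
# install_pubkey HOME_DIR 'PUBKEY LINE'
install_pubkey() {
    ssh_dir=$1/.ssh
    auth=$ssh_dir/authorized_keys
    pubkey=$2
    nl='
'
    # Accept exactly one line that starts with a public-key type, so a
    # private key or a multi-line paste is never written to the file.
    case $pubkey in
        *"$nl"*) echo "refusing multi-line input" >&2; return 2 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line" >&2; return 2 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Existing entries stay; append only when this exact line is absent.
    if ! grep -qxF -- "$pubkey" "$auth"; then
        # Terminate an unterminated last line first, or the new key
        # would be glued onto the previous entry.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth"
        fi
        printf '%s\n' "$pubkey" >> "$auth"
    fi
}

# perms_ok HOME_DIR: succeeds when .ssh is drwx------ and the file -rw-------
perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}
```

Run on the server as the account that will log in, for example `install_pubkey "$HOME" "$(cat id_ed25519.pub)"`; running it twice leaves a single copy of the key.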

  • @lordraj365 3 years ago

    Difference between .ppk, .pem, .pub ?

  • @speedibusrex 4 years ago +1

    Install fail2ban to block SSH spammers.

    • @macethorns1168 3 years ago

      You can also use iptables to throttle connection attempts from source IPs. You really can't go wrong with that.
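Added example, not part of the comment thread or the video: a small log review in the spirit of the fail2ban suggestion and the earlier comment about checking the secure logs, counting failed SSH password attempts per source address. The function names and the log lines are constructed for illustration; the line layout follows OpenSSH's usual `Failed password for ... from ADDR port N ssh2` message.

```sh
# Added example, not from the video. Assumes a POSIX shell with awk.
# failed_by_ip MIN < logfile
#   prints "COUNT ADDRESS" for every source with at least MIN failures,
#   busiest source first.
failed_by_ip() {
    awk -v min="$1" '
        /sshd/ && /Failed password for/ {
            # The user name is supplied by the remote side and appears
            # earlier in the line, so anchor on the fixed tail instead:
            #   ... from ADDRESS port NUMBER ssh2
            if ($(NF-4) == "from" && $(NF-2) == "port")
                n[$(NF-3)]++
        }
        END {
            for (ip in n)
                if (n[ip] >= min) print n[ip], ip
        }
    ' | sort -rn
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_log() {
    cat <<'EOF'
Aug 28 06:01:11 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 28 06:01:13 host sshd[1001]: Failed password for root from 203.0.113.5 port 51236 ssh2
Aug 28 06:01:15 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Aug 28 06:02:00 host sshd[1010]: Failed password for root from 198.51.100.7 port 40022 ssh2
Aug 28 06:05:42 host sshd[1020]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:CONSTRUCTED
EOF
}
```

`sample_log | failed_by_ip 3` reports only the address with three failures; on a real host the input would be the distribution's auth log instead of `sample_log`.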

  • @kr4k3nn 4 years ago

    sir,
    suppose,
    I have a private key of my friend, I can log into that machine using ssh from my machine and by using that private key?

    • @macethorns1168 3 years ago +1

      If that server has the public key for that private key in the authorized_keys file, yes.

  • @sunwire 4 years ago

    You can use ssh-audit github.com/jtesta/ssh-audit for auditing/hardening an ssh server

  • @Jeroen_a 4 years ago

    Thanks EM. I had already enabled public/private keys on my home servers but was a bit concerned about disabling the password logins (for reasons you have explained)..... I guess there is no reason to keep it on :)

    • @EngineerMan 4 years ago

      The backup plan is always serial console access. Most cloud servers support this and if you have physical access it's supported as well.

  • @0xssff 3 years ago

  • @ParabulaMan 2 years ago

    can i buy you a cup of coffee?

  • @speedibusrex 4 years ago

    Use 2FA as an alternative.

  • @creativeclub2023 4 years ago +1

    Binod here ?

  • @creativeclub2023 4 years ago +1

    First View 🤣

  • @olafcreed4726 4 years ago

    You shouldn't be telling people this is more secure as it is not. Using this with a password would be much more secure and is advisable always. Use passwords people. Engineer Man is only doing this for a specific purpose of automation, which is not best practice.

    • @EngineerMan 4 years ago

      I didn't say it was more secure, I simply said I need to automate things and thus I can't use a password. People are free to choose.

    • @norter_ 3 years ago

      How is private key less secure than a password?

    • @EngineerMan 3 years ago

      After I wrote my comment I realized I wasn't sure if he meant the passwords on the keys themselves or passwords to the server.

  • @sagunasakariya5228 4 years ago +1

    huge fan. please give shoutout

  • @sagunasakariya5228 4 years ago +1

    i am first to comment
    :)