Generating public keys

In addition to traditional passwords, SSH supports public key authentication, which is more secure. While the encryption that SSH employs using protocol 2 is strong, the greatest encryption in the world won't save you if your password is leaked or brute-forced. This is especially catastrophic on a mission-critical server.

Utilizing public key authentication allows you to connect to a host using a private/public key pair instead of a password. By default, SSH allows a user to log in with either a username and password or a username and key pair. The first method is only as secure as the password. By utilizing public key authentication, you can bypass the need for a password completely and connect to a server without being prompted. But as long as the server still accepts your password as a means of authentication, public key authentication is not at its strongest point.

On the server end of the SSH connection, it is possible to configure it to accept authentication only from a public key, rather than password. If password authentication is disabled, then no one would be able to brute force the password and get into the server, since the password would be ignored. If the attacker doesn't have access to the private key, then he or she would not be able to connect.

Generating a key pair is simple using the ssh-keygen command, which will guide you through the process of setting up your keys. During this process, you will be asked to create a passphrase. You could, if you wanted to, disregard this prompt and simply press Enter to create a key without a passphrase. Doing so, however, drastically lowers the security of that key. While it is certainly much more convenient to not have to type anything at all when connecting to a host via SSH, it's definitely recommended to use a passphrase and benefit from the added security.

With public key authentication, two files are created in the user's home directory: id_rsa and id_rsa.pub. These files are created when you run through the process while executing ssh-keygen, mentioned earlier. After the command completes, these two files should be located in the .ssh directory of your home directory. The id_rsa file is your private key. You should keep it local and not transmit it or share it in a public place. The id_rsa.pub file is your public key, which you can safely copy to other hosts that you connect to. From that point forward, you will be able to use public key authentication to connect to another host.

Let's summarize the entire process. First, while logged in to your local or main machine, execute ssh-keygen and walk through the steps. Make sure to create a passphrase for added security.

Creating a key pair for SSH using ssh-keygen

Next, utilize the ssh-copy-id command in order to copy your key to the remote server you wish to connect to. The command syntax is as follows.

ssh-copy-id -i ~/.ssh/id_rsa.pub <remote host IP or name>

This command will copy your public key into the authorized_keys file under your ~/.ssh folder on the target machine. This file stores all the keys that the machine knows about. If you were to check before and after running through the ssh-copy-id process, you'd notice that the authorized_keys file on the target either didn't exist, or didn't include your key until after you executed the command.

Copying a public key to a remote host using ssh-copy-id
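The following is an added example, not part of the book's text, that reproduces in a small POSIX shell script what ssh-copy-id does on the remote host once it has logged in: it creates ~/.ssh and authorized_keys with the permissions sshd requires, and appends the public key only if it is not already there. The key line is a constructed sample in the id_rsa.pub format, not a real key, and the function names (install_pubkey, key_count, mode_string) are this example's own. It lets you see the before/after state of authorized_keys described above without a second machine.

```shell
#!/bin/sh
# Added example: emulate the server-side effect of ssh-copy-id locally.
# Real flow on your workstation (from the text):
#   ssh-keygen                                     # creates ~/.ssh/id_rsa and id_rsa.pub
#   ssh-copy-id -i ~/.ssh/id_rsa.pub <remote host> # appends id_rsa.pub to remote authorized_keys

# Constructed sample public key (NOT a real key). Format matches id_rsa.pub:
# key type, base64 blob, comment.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructed0sample0blob0not0a0real0key= user@workstation'

# install_pubkey PUBKEY_LINE HOMEDIR
# Creates HOMEDIR/.ssh (0700) and authorized_keys (0600) if missing, then
# appends PUBKEY_LINE unless it is already present. sshd (with StrictModes,
# the default) refuses keys from directories or files that others can write.
install_pubkey() {
    pubkey="$1"
    home="$2"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # -F: fixed string, -x: whole line must match, -q: quiet
    if grep -qxF "$pubkey" "$authfile"; then
        echo "key already present in $authfile"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$authfile"
    echo "key added to $authfile"
}

# key_count PUBKEY_LINE HOMEDIR
# Prints how many times the key appears in authorized_keys (0 = "before" state).
key_count() {
    authfile="$2/.ssh/authorized_keys"
    if [ ! -f "$authfile" ]; then
        echo 0
        return 0
    fi
    # grep -c exits 1 when the count is 0; the count is still printed.
    grep -cxF "$1" "$authfile" || true
}

# mode_string PATH
# Prints the ls-style permission string (e.g. drwx------) for PATH.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Demo: the before/after check the text describes, in a throwaway home dir.
demo_home=$(mktemp -d)
echo "before: $(key_count "$SAMPLE_PUBKEY" "$demo_home") copies of the key"
install_pubkey "$SAMPLE_PUBKEY" "$demo_home"
install_pubkey "$SAMPLE_PUBKEY" "$demo_home"   # second run is a no-op, as with ssh-copy-id
echo "after:  $(key_count "$SAMPLE_PUBKEY" "$demo_home") copies of the key"
echo ".ssh mode: $(mode_string "$demo_home/.ssh")"
rm -rf "$demo_home"
```

If a key you copied is not being accepted, the two things this script sets are the first to check on the server: the key must appear as one whole line in ~/.ssh/authorized_keys, and the directory and file must not be writable by anyone other than the owner.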

As mentioned earlier, it is possible to configure your computer or server to disallow authentication via password, only allowing public key authentication instead. This portion will be discussed further in Chapter 9, Securing Your Network. For now, it's important to get in the habit of generating, copying, and using keys. Feel free to create a key pair on your local machine and copy the public key to a server that you frequently connect to.
