How to Use ssh-agent to Manage Private Keys

SSH, an application layer protocol, is commonly used for remote access. In this article, we will explore using the SSH protocol to connect to remote Linux servers and configure specific settings to enhance security. SSH can be used with any Linux distribution since it is enabled by default on most modern Unix and Linux distributions. In this guide, we tested everything on Ubuntu 22.04; however, you can also apply it to other distributions like Debian, CentOS, etc. Methods for Connecting via SSH You can use various client programs to connect to Linux servers via SSH. Some popular ones include: Windows: PuTTY, Bitvise SSH Client, SuperPuTTY, mRemoteNG, MobaXterm. macOS: Termius or the built-in SSH utility in Terminal. Windows (Windows 10, Windows 11, Windows Server 2019): The built-in OpenSSH client, accessible through the command line (cmd) or PowerShell. SSH Command Syntax The standard SSH command syntax is as follows: ssh <username@IP_or_domain> For example: ssh [email protected] By default, SSH connects via port 22. If the server uses a different port, specify it using the -p option: ssh [email protected] -p 2222 SSH Server Configuration File The SSH server configuration file is called sshd_config and is located in the /etc/ssh directory. Don't confuse it with the SSH client file ssh_config. In this article, we will focus only on the server file. SSH Password Authentication By default, SSH connections are password-based unless an SSH key was added during server creation (we'll discuss SSH keys in the next section). In most Linux/Unix distributions, the server's configuration includes PAM authentication, allowing users with system accounts to log in using their username and password. To log in using a password, you need the remote server's address and the user's credentials. For example: ssh [email protected] After entering the command, you'll be prompted for the password. If it's correct, you'll access the server. When connecting for the first time, you'll see a message about the server's "fingerprint." Enter yes to proceed. Although password authentication works, it is not the safest method, as passwords can be guessed. A more secure alternative is using SSH keys, discussed in the next section. SSH Keys Authentication SSH keys are a more secure and common method of authentication than passwords. SSH uses two types of keys: Public key: Used for encryption and can be shared publicly. Private key: Used for decryption and should be kept private. To generate SSH keys, use the command: ssh-keygen This command will prompt you to choose a directory to save the keys. By default, they are stored in the .ssh directory in your home folder. For example, in /home/alex/.ssh. You can also set a different location if needed. Press Enter to use the default path. Next, you'll be asked to create a passphrase for added security. If you prefer not to use a passphrase, press Enter when prompted. Once the keys are generated, the private key (id_rsa) and the public key (id_rsa.pub) will be stored in the .ssh directory. Before connecting to a remote host, copy the public key to that host using the ssh-copy-id command: ssh-copy-id -i /home/alex/.ssh/id_rsa.pub [email protected] You'll be prompted to enter the remote user's password once. After that, the public key will be added to the remote host, allowing you to log in without a password: ssh [email protected] If no password is requested, key-based authentication is working correctly. Disabling Password Authentication Since passwords are not secure, disabling password authentication and using only key-based access is recommended. To do this, edit the SSH server configuration file: sudo nano /etc/ssh/sshd_config Find the line PasswordAuthentication and change its value to no: PasswordAuthentication no Save the changes, then restart the SSH server: sudo systemctl restart ssh Before disabling password authentication, ensure that key-based authentication is working. If not, you may lock yourself out of the server. If this happens, you can restore password authentication via the server's web console. Changing the Default SSH Port By default, the SSH server uses port 22. You can change this by editing the sshd_config file. Find the Port line, uncomment it (remove the # symbol), and specify a new port (between 1024 and 65535): Port 2224 After saving the changes, restart the SSH server: sudo systemctl restart ssh To connect to the server on the new port, use the -p option: ssh [email protected] -p 2224 Disabling Root Login In some distributions, root login is allowed by default. Since the root user has full system privileges, it's safer to disable root login. To do this, find the line PermitRootLogin in the sshd_config file and set it to no: PermitRootLogin no Save the file and restart the SSH server: sudo systemctl restart ssh Allowing or Denying Specific Users You can restrict SSH access to specific users by editing the sshd_config file with the following parameters: AllowUsers: Specify which users are allowed to connect via SSH. For example: AllowUsers test admin DenyUsers: Specify users who are denied SSH access. For example: DenyUsers nginx websrv To apply changes, restart the SSH server: sudo systemctl restart ssh Conclusion SSH is an indispensable tool for connecting to remote servers. In addition to built-in encryption, you can further secure your SSH server by configuring it properly, such as disabling password authentication and limiting access to specific users.