It is always good practice to lock down password based logins and SSH using keys. We can use pem files to login to remote server from local machines. Infact if you use AWS, the only way to SSH into the server is using pem files.
This procedure can be done on any server cloud based or sitting on your LAN
1. On your local Machine from where you require access, I prefer to keep it in the home directory of the user
# cd $HOME
# ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/shadab/.ssh/id_rsa): wha
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in wha.
Your public key has been saved in wha.pub.
The key fingerprint is:
The key’s randomart image is:
| . |
|= o |
|oB . . |
| o+ .o S |
|.+.o= .. |
|+ o*.Xo.+ |
|o =o&.BO o |
| + E+X++=.. |
The file which i chose to create is “wha”, this will create 3 files “wha”, “wha.pem”, “wha.pub”
wha.pem is empty for now
wha : is your private key
wha.pub : is your public key
2. Keep the private key (wha) as it is and create a pem file from it
# rsa -in wha -outform pem > wha.pem
writing RSA key
Now the pem file is created. Next step to copy public key to remote server
Note: If you dont have rsa utility on your local machine, with a simple copy command also you can create the pem file.
# cp -p wha wha.pem
3. Copy the public key to your remote server, which needs to be accessed
# ssh-copy-id -i wha.pub firstname.lastname@example.org
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: “wha.pub”
The authenticity of host ‘18.104.22.168 (22.214.171.124)’ can’t be established.
ECDSA key fingerprint is SHA256:*************************.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed — if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: “ssh ‘email@example.com′”
and check to make sure that only the key(s) you wanted were added.
4. Change the permissions of your local machine pem file
# chmod 400 wha.pem
5. Login to remote server with pem file to check
# ssh -i /Users/shadab/wha.pem firstname.lastname@example.org
6. Disable SSH Access to server
On the remote server with root user
# vim /etc/ssh/sshd_config
Change parameter PasswordAuthentication yes to PasswordAuthentication no
Restart SSH Daemon
# systemctl restart sshd
# service sshd restart
P.S: If you need to do the same for any other user on the remote server. you just have to
copy the public key file with that user on the remote server
ssh-copy-id -i wha.pub email@example.com
ssh -i /Users/shadab/wha.pem firstname.lastname@example.org