Okay, enough joking. It’s true, though. Standard password-based authentication on SSH is a bad idea. Passwords can be broken fairly easily, and when they’re the only thing standing between an attacker and unfettered access to your server, you should definitely be nervous.

That’s why RSA key-based authentication is much better. You can configure your Linux server to only allow access from computers that hold the RSA keys that it has already accepted. Anyone else will be rejected immediately. As an added benefit, you can create those keys with or without a password, which is entirely up to you. A strong key without a password is fine in most cases, though.

If you use Linux devices at home too, you have the added benefit of convenience. Say you want to SSH into your Linux workstation from your laptop. Do you really want to enter your password every time? Set up SSH keys, and you won’t need to.

Install the Packages

There are a couple of packages that you need. You probably already have some of them, but it’s a good idea to check. The packages are different on the server and the client, but there’s also a good chance that both machines act as server and client to each other (as on a home network), so you may want to install both sets of packages.

On the Server

The server just needs the OpenSSH service installed and running. It isn’t by default on Debian and Ubuntu systems. If you don’t already have it installed, do so.

On the Client

The client needs the OpenSSH client package. OpenSSH has a built-in utility for generating keys.

Generate Your Key

It’s really easy to generate your key. Just tell OpenSSH that you need to generate the key. It’s also a good idea to specify the number of bits with the -b flag and the type with -t. A 4096-bit key is best. It provides stronger encryption.

First, the utility will ask where you want to store the key. Just hit Enter for the default directory. Then it’ll ask for a password. Leave it blank for a passwordless key and passwordless authentication. If you do want to use a password for your key, enter it.

Your computer will take a couple of seconds to generate your key. When it’s done, it’ll tell you that it finished and print out an ASCII art image.

Send Your Key

To use your key, you’ll need to send it to your server. OpenSSH has another built-in utility for that, too. Tell it where your key is and which user on the server to associate it with. Enter the IP address of the server. It’s just like accessing the server over SSH (you are), except that it only sends over the key. After that, try accessing the server over SSH again. This time it should let you in without a password.

Configure SSH to Block Passwords

For the best security, you need to disable SSH password logins on the server. The SSH server configuration can be found at /etc/ssh/sshd_config. Open that file on the server with sudo and your favorite text editor.

Find the lines below and edit them to look like the example. Uncomment both entries and change the values to no.

That won’t do anything if you leave PAM authentication enabled. Find the line below and set it to no. Once the entries are modified, save and exit the file, and then restart the SSH server for them to take effect.

If you are still determined to retain the password authentication method, don’t forget to set up two-factor authentication as an additional layer of protection.

That’s it! Your server is much more secure now without passwords. You also have the added benefit of not needing to type them in. You can also exchange your single key with as many servers as you’d like.
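To confirm that the edits above actually took effect, the following check reads an sshd_config file and reports whether password logins are switched off. It is an added example, not part of the original article. It assumes the two entries meant above are PasswordAuthentication and PermitEmptyPasswords, with UsePAM as the PAM setting; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config file.
# sshd uses the FIRST value it reads for a keyword, so a later
# "UsePAM no" does not override an earlier "UsePAM yes".

# effective_value KEYWORD FILE -> prints the first active value, or nothing
effective_value() {
    awk -v want="$1" '
        { sub(/#.*/, "") }                 # drop comments (commented-out entries too)
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "match" { exit }    # global section ends at the first Match block
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$2"
}

# audit_sshd_config FILE -> returns 0 only if all three keywords are set to "no"
audit_sshd_config() {
    file=$1
    rc=0
    # Assumed keyword list; the article does not show the exact lines.
    for kw in PasswordAuthentication PermitEmptyPasswords UsePAM; do
        val=$(effective_value "$kw" "$file")
        if [ "$val" = "no" ]; then
            echo "ok    $kw no"
        else
            echo "FAIL  $kw ${val:-unset (commented out or missing)}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config showing the first-value-wins pitfall.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
UsePAM no
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd_config "$sample" || echo "=> password logins are still possible"
rm -f "$sample"
```

The check covers only the global section of a single file and ignores Match blocks and included files. On a live server, `sudo sshd -T` prints the configuration that sshd will actually use.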