Common client files in the ~/.ssh/ directory
known_hosts => IP/hostname and fingerprints of servers that have been seen before
authorized_keys => concatenated list of public keys that can log in as this user without a password
To generate a public/private RSA key pair (id_rsa and id_rsa.pub)
ssh-keygen -t rsa -b 4096
Private keys must be readable only by the user, or SSH will ignore them for safety. Also, the .ssh directory must be readable only by the user.
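The permission rule above can be checked with a short script. This is an added example, not part of the original notes: the function names mode_of and audit_ssh_dir are hypothetical, and it assumes private keys can be recognised by their PEM header line.

```bash
#!/usr/bin/env bash
# Added example: audit an SSH client directory against the rule stated above
# (no group/other permission bits on the directory or on private key files).

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_ssh_dir DIR
# Prints one line per finding. Returns 0 if clean, 1 if anything is too open.
audit_ssh_dir() {
    local dir="$1" bad=0 f mode
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    mode=$(mode_of "$dir")
    # 077 masks the group and other bits; any of them set means "not private".
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "DIR $dir mode $mode (expected 700)"
        bad=1
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Assumption: a private key starts with a PEM header such as
        # "-----BEGIN OPENSSH PRIVATE KEY-----"; public keys and
        # known_hosts/authorized_keys do not, so they are skipped.
        if head -n 1 "$f" | grep -q -- 'PRIVATE KEY-----'; then
            mode=$(mode_of "$f")
            if [ $(( 0$mode & 077 )) -ne 0 ]; then
                echo "KEY $f mode $mode (expected 600)"
                bad=1
            fi
        fi
    done
    return $bad
}
```

After sourcing the file, run audit_ssh_dir "$HOME/.ssh"; each finding can be fixed with chmod 700 on the directory or chmod 600 on the key.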
To copy the public key to a server
ssh-copy-id -i id_rsa.pub user@server
After completion, make sure the key was appended to the .ssh/authorized_keys file on the server.
SSHd server
The config file is
Best practice security settings
- On public-facing servers, always disable root logins with
- For extra security, specifically limit the users that can log in with
AllowUsers neo trinity
- Allow login via keys with
- You can change the port that SSH listens on, but a good port scanner will find it wherever it is