This will generate two keys:
-
<key_name>_ed25519- this is the private key and should be kept safe. Never put this key on the server itself. -
<key_name>_ed25519.pub- this is the public key, it will need to be added to the~/.ssh/authorized_keyson the server.
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/<key_name>_ed25519 -C "Enrico Fermi <fermi@paradox.quantum>"Setting a password on the key is more secure, but less convenient. If an attacker stole the private key - having a password would make it harder to use the key. Password will need to be entered every time you use the key to SSH.
Run these commands on our local machine first.
chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
chmod 600 ~/.ssh/<key_name>_ed25519
chmod 644 ~/.ssh/<key_name>_ed25519.pubscp ~/.ssh/<key_name>_ed25519.pub <username>@<server_IP>:/home/<user>/.ssh/<key_name>_ed25519.pubSSH into your server using the password. Then add the public key to ~/.ssh/authorized_keys and set permissions.
cat ~/.ssh/<key_name>_ed25519.pub >> ~/.ssh/authorized_keysSet permissions on the server
chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
chmod 644 ~/.ssh/<key_name>_ed25519.pubYou should be able to SSH using the key now. To try, on your local machine:
ssh -i ~/.ssh/<key_name>_ed25519 <username>@<server_IP>If this works, proceed to the next step to disable password auth on the server.
On the server, run the following commands to disable password authentication.
sudo sed -i -E 's/.PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
sudo sed -i -E 's/.PasswordAuthentication.*/PasswordAuthentication no/g' /etc/ssh/sshd_config
sudo sed -i -E 's/.KbdInteractiveAuthentication.*/KbdInteractiveAuthentication no/g' /etc/ssh/sshd_configVerify changes:
sudo grep -E 'PermitRootLogin|PasswordAuthentication|KbdInteractiveAuthentication' /etc/ssh/sshd_configIf all are set to no, reboot the server with sudo reboot for changes to take effect.