Setup an SSH Key on Ubuntu with Ed25519 Encryption

Leave a Comment

This guide walks you through securely setting up SSH keys on your Ubuntu server using the Ed25519 algorithm, known for robust security and efficiency.

Step 1: Generate an Ed25519 SSH Key on the Ubuntu Server

On your Ubuntu server, generate an Ed25519 SSH key pair:

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "yourusername"
  • -t ed25519 selects the secure Ed25519 algorithm.
  • -a 100 increases the key derivation function rounds, adding additional protection.
  • Replace yourusername with your actual username or a descriptive identifier.

Press Enter to confirm the default location (~/.ssh/id_ed25519). Ensure you use a strong, unique passphrase when prompted to protect your private key.

Step 2: Configure Authorized Keys

Add your generated public key to the authorized keys file:

chown youruser:youruser ~/.ssh
chown youruser:youruser ~/.ssh/authorized_keys
chmod 700 ~/.ssh
cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
sudo systemctl reload sshd

Retrieve your private key, which you’ll use to connect from your local machine:

cat ~/.ssh/id_ed25519

Copy this private key and save it securely on your local machine in the .ssh directory (usually ~/.ssh/id_ed25519 if youre using linux).

Step 3: Modify SSH Server Configuration to Accept Keys

Edit the SSH server configuration file:

sudo nano /etc/ssh/sshd_config

Ensure the following line is set to accept key-based authentication:

PubkeyAuthentication yes

Save the file (Ctrl+O) and exit (Ctrl+X).

Restart the SSH service to apply changes:

sudo systemctl restart sshd

Step 4: Test Your SSH Connection

From your local machine, verify you can connect using your private key:

ssh -i ~/.ssh/id_ed25519 yourusername@server_ip_address

Enter your passphrase when prompted. Confirm you can successfully log in before proceeding to disable password authentication.

Step 5: Secure the SSH Configuration

Only after confirming your SSH key authentication works correctly, edit the SSH configuration on your server:

sudo nano /etc/ssh/sshd_config

Add or modify these recommended security settings:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers yourusername  # Restricting SSH access to specific users significantly reduces the attack surface by preventing unauthorized login attempts to other user accounts.
  • Replace yourusername with your actual username to restrict SSH access.

Restart the SSH service:

sudo systemctl restart sshd

Additional Security Recommendations

  • Firewall Restrictions: Limit SSH access to specific IP addresses:
sudo ufw allow from your_ip_address to any port 22
sudo ufw enable
  • Fail2ban: Protect against brute-force attacks:
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
  • Regular Key Rotation: Periodically update your SSH keys to minimize risks.
  • Audit SSH Logs: Regularly review /var/log/auth.log for unauthorized attempts or suspicious activity.

Following these steps significantly improves the security of your SSH access.

Leave a Reply

Your email address will not be published. Required fields are marked *