When we spin up a server, we'll usually have two ways to log into it, both over SSH (vs being hard-wired, e.g. plugging a keyboard into a physical machine, or emulating that):
- Password based authentication
- Key based authentication
Most providers let you choose either (Linode, Digital Ocean). Some enforce the use of keys (AWS).
Password Based Authentication
It's easy to log in, usually!
ssh user@hostname
If you want to change your password:
# Change your password
# asks for current password unless you are user root
passwd
In any case, logging in with the simple ssh command above doesn't always work. Sometimes you get a "too many authentication attempts" (or similar) error.
In this case, the client is attempting to authenticate using your existing SSH keys before falling back to password based auth. However, before it can try all of the SSH keys and fall back to asking for a password, it hits the server's maximum allowed attempts and returns that error.
So, we need to tell it not to attempt key-based authentication first:
ssh -o "PubkeyAuthentication=no" user@hostname
And then you'll be prompted for a password!
Key based authentication
Key based auth is preferred as it doesn't send a password (plain-text) to the server. Additionally, it's another layer of security. You need a public key added to the server's authorized_keys file, and the user attempting to log in needs the matching private key. If you combine an SSH key with a password, you can get even more secure.
Let's pretend we have no keys setup. We'll create one and set our server user to be logged in with that key.
# As per https://blog.g3rt.nl/upgrade-your-ssh-keys.html
cd ~/.ssh
ssh-keygen -o -a 100 -t ed25519 -f id_ed -C "fideloper"
This will prompt you to create a password - do so! You'll then combine SSH and password based authentication. This can even be a long password if you make use of your ssh agent to store the longer password (although a stolen laptop may then not prompt for that password, thus making that a trade off between ease of use and security).
We'll end up with two files:
- ~/.ssh/id_ed - the private key, which must remain secret
- ~/.ssh/id_ed.pub - the public key, which in theory could be broadcast to the world safely
We need to add the public key to the authorized_keys file of the user we want to log in as on the remote server.
# Copy the public key to the clipboard (pbcopy is macOS; use xclip on Linux)
cat ~/.ssh/id_ed.pub | pbcopy
# Log in with a password, then paste the key on the remote server (the "> " lines)
ssh -o "PubkeyAuthentication=no" user@hostname
> vim ~/.ssh/authorized_keys
> <paste in public key>
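The manual "vim ~/.ssh/authorized_keys" step above, written as a small POSIX shell function (an added example, not from the original post): it refuses anything that is not an OpenSSH public key line, creates ~/.ssh and authorized_keys with the permissions sshd's StrictModes expects, and skips a key that is already present so re-running it never duplicates a line. The function names install_authorized_key and count_keys, and the optional second path argument, are assumptions of this example.

```shell
#!/bin/sh
# install_authorized_key <pubkey-file> [authorized_keys-path]
# Appends the first line of <pubkey-file> to authorized_keys (default
# ~/.ssh/authorized_keys), idempotently and with safe permissions.
# Returns 0 on success, 1 if the file is unreadable or not a public key.
install_authorized_key() {
    pubkey_file=$1
    auth_keys=${2:-"$HOME/.ssh/authorized_keys"}

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    pubkey=$(head -n 1 "$pubkey_file")

    # A public key line starts with the key type and a base64 blob; refuse
    # anything else so a private key is never pasted in by mistake.
    case "$pubkey" in
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-*|sk-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd (StrictModes yes, the default) ignores authorized_keys if the
    # directory or file is group/world-writable, so set 700/600 explicitly.
    ssh_dir=$(dirname "$auth_keys")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # -x: the whole line must match, -F: treat the key as a literal string.
    if grep -qxF "$pubkey" "$auth_keys"; then
        echo "key already present in $auth_keys"
    else
        printf '%s\n' "$pubkey" >> "$auth_keys"
        echo "key added to $auth_keys"
    fi
    return 0
}

# count_keys <authorized_keys-path>: number of key lines, for a quick check.
count_keys() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1"
}
```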
Then we can open a new terminal and try to login with an SSH key:
ssh user@hostname
# If that does not work (e.g. the key is not in a default location), point at the
# key explicitly and offer only that key, so the attempt limit is not hit:
ssh -i ~/.ssh/id_ed -o "IdentitiesOnly=yes" user@hostname
And we're able to login with SSH keys!
Resources
Here are some related Servers for Hackers videos that go into more depth: