When we spin up a server, we'll usually have two ways to log into it, both over SSH (vs being hard-wired, e.g. plugging a keyboard into a physical machine, or emulating that):

1. Password based authentication
2. Key based authentication

Most providers let you choose either (Linode, Digital Ocean). Some enforce the use of keys (AWS).

Password Based Authentication

It's easy to login, usually!

ssh user@hostname

If you want to change your password:

# Change your password
# asks for current password unless you are user root
passwd

In any case, logging in with the simple ssh command above doesn't always work. Sometimes you get a "too many authentication attempts" (or similar) error.

In this case, it's attempting to authenticate using your existing SSH keys before falling back to password based auth. However, before it can attempt all the SSH keys and fallback to asking for a password, it hit's the server's maximum allowed attempts and returns that error.

So, we need to tell it not to attempt key-based authentication first:

ssh -o "PubkeyAuthentication=no" user@hostname

And then you'll be prompted for a password!

Key based authentication

Key based auth is prefered as it doesn't send a password (plain-text) to the server. Additionally, it's another layer of security. You need a public key added to server's authorized_keys file, and the user attempting to login needs a private key. If you combine an SSH key with a password, you can get even more secure.

Let's pretend we have no keys setup. We'll create one and set our server user to be logged in with that key.

# As per https://blog.g3rt.nl/upgrade-your-ssh-keys.html
cd ~/.ssh
ssh-keygen -o -a 100 -t ed25519 -f id_ed -C "fideloper"

This will prompt you to create a password - do so! You'll then combine SSH and password based authentication. This can even be a long password if you make use of your ssh agent to store the longer password (altho a stolen laptop may then not prompt for that password, thus making that a trade off between ease of use and security).

This will prompt you to create a password - do so! You'll then combine SSH and password based authentication. This can even be a long password if you make use of your ssh agent to store the longer password (altho a stolen laptop may then not prompt for that password, thus making that a trade off between ease of use and security).

We'll end up with two files:

1. ~/.ssh/id_ed - the private key, which much remain secret
2. ~/.ssh/id_ed.pub - the public key, which in theory could be broadcasted to the world safely

We need to add the public key to the authorized_keys file of the server we want to log in as within the remote server.

cat ~/.ssh/id_ed.pub | pbcopy

ssh -o "PubkeyAuthentication=no" user@hostname

> vim ~/.ssh/authorized_keys
> <paste in public key>

Then we can open a new terminal and try to login with an SSH key:

ssh user@hostname

# If that does not work:

ssh -i ~/.ssh/id_ed -o "IdentitiesOnly=yes" user@hostname

And we're able to login with SSH keys!

Resources

Here are some related Servers for Hackers videos that go into more depth:

• Users and SSH Security
• Creating and Using SSH Keys
• Using the SSH Config File
• Configuring SSHD on the server