Dude you make everything so clear, keep up the good work!
This is called: Public Service
Thanks EngineerMan!
Thank you so much for this video. I really needed this. I’ve been looking for a video that explained how to configure the server ssh and where the public key went. You explained it perfectly.
I recommend using ed25519 instead of RSA when generating keys. ed25519 keys are smaller and faster and provide just as much security as large RSA keys.
+1 to using ssh-copy-id to automate getting your pubkey on the remote host.
ssh-copy-id
ed25519 is really convenient, although not yet globally supported. But I prefer them above RSA.
thanks for the tip!
This is the best explanation I ever got on SSH. I learned many things from you.
Thanks man
You still can do automated things while your private key is secured by a password. Take a look at ssh-agent and ssh-add. Just start ssh-agent and add your key with ssh-add, you will need to enter your password one time and after that there's no need to re-enter.
Interesting that you should have this video today. As I've been updating ssh keys on multiple servers, this morning.
Why may you ask was I changing ssh keys?
Good question. I was checking my secure logs and found a TON of IP addresses trying to hack my server. Now my router port for SSH is NO where near port 22. With 65,000+ ports to choose from, they spent the time hunting for the SSH port on my router.
Root login is turned off, which is the only account they tried to log into....thank goodness. Checking the IP address out, they all came back from China.
Security by obscurity is *not* security. Changing the port just makes it annoying for legitimate users.
@macethorns1168 I have no one from China that should be on these servers. Or for that matter, outside of the U.S.
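An added example, not part of the comments above or the video: one way to summarise the kind of failed-login noise described in this thread, counting failed SSH password attempts per source IP and how many of them targeted root. The function names `sample_log` and `failed_by_ip` and the sample log lines are constructed for illustration; the message format assumed is the "Failed password for ... from IP port N ssh2" line that OpenSSH logs.

```shell
#!/bin/sh
# Added example: count failed SSH password logins per source IP.
# Assumes OpenSSH's "Failed password for ... from IP port N ssh2" message.

# Constructed sample log lines; addresses are RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
Aug 10 06:25:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 10 06:25:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 10 06:25:09 host sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 40188 ssh2
Aug 10 06:26:40 host sshd[1215]: Failed password for root from 198.51.100.23 port 51514 ssh2
Aug 10 06:27:02 host sshd[1220]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
Aug 10 06:27:30 host sshd[1231]: Failed password for invalid user from from 198.51.100.23 port 51600 ssh2
EOF
}

# Prints "<attempts> <attempts_on_root> <ip>", busiest source first.
# The user name is chosen by the remote client (see the last sample line), so
# the IP is read by position from the END of the line, not after the first "from".
failed_by_ip() {
    awk '
    NF >= 8 && $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" {
        start = 0
        for (i = 1; i <= NF - 7; i++)
            if ($i == "Failed" && $(i+1) == "password" && $(i+2) == "for") { start = i + 3; break }
        if (!start) next
        invalid = ($start == "invalid" && $(start+1) == "user")
        if (invalid) start += 2
        user = ""; sep = ""
        for (i = start; i <= NF - 5; i++) { user = user sep $i; sep = " " }
        ip = $(NF-3)
        total[ip]++
        if (!invalid && user == "root") root[ip]++
    }
    END { for (ip in total) print total[ip], root[ip] + 0, ip }
    ' "$@" | sort -k1,1nr -k3,3
}

sample_log | failed_by_ip
```

To run it against a real log, pass the file as an argument, for example `failed_by_ip /var/log/secure` on RHEL-family systems or `failed_by_ip /var/log/auth.log` on Debian-family systems.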
Nice and clear 👍 funny I was just talking about having to log in via the cloud console and manually add new keys because the old ones were lost to a bunch of servers by someone... 🤦♂️🤣
Great guide, simple and well explained.
Great video as always! Glad to see more Linux content.
Damn. Gotta go and change my server password 🤣. Great video man
Is it bad practice to use the same key pair for multiple machines?? Also thanks for the video!!
Awesome stuff as always! Thanks :)
You are doing great job sir, thank you so much and please keep up ...THUMBS up as usual
If you have multiple computers at home, would you generally create ssh key pairs for each computer that is accessing some remote machine or share a common ssh key pair between all the machines that will access the remote machine?
You could do either, my preference is to make each computer have its own pair.
CAN YOU PLEASE MAKE A VIDEO ON ATOM PACKAGES YOU HAVE INSTALLED FOR HTML(LIKE THAT ATTRIBUTE COMPLETION MENU)? I NEED THEM FOR AN UPCOMING EXAM
As far as I know that's built into Atom. I don't recall installing anything to get that.
@EngineerMan thanks for your reply. :)
Great video, lots to learn
If your developer machine gets stolen/broken after disabling pw. Are you forever locked out assuming you just set up that 1 ssh?
Ebbzzor no - disabling passwords in sshd only disables passwords for ssh connections, it doesn’t change local sign in - so If you have the machine locally you can still sign in normally as you would with any pc, if it is a cloud machine most services allow a virtual console from the web interface
@SuperMuchonacho Right. But often times that's a rented virtual machine.
You could have a backup copy of your ssh key somewhere else that you could import onto another machine and use to login.
@Ebbzzor a lot of providers have a login console/shell on the management website
Can someone explain to me, when he created a VM, how did he get that password? Let's say I installed any Linux distro as a VM, and I know it has an openssh client... where can I find a password for that system?
Haven't finished the video yet, but your authorized_keys file can't be allowed to be read by other users or it won't work.
why is the brim of your hat so bent? it almost does a full 180
I would use an ed25519 key with a password, these days there is no excuse to not have a good secure password and keep it safe. If you need to use multiple logins with that key in one day you can load it into a key agent on Windows or Linux.
My authorized_keys already has content. Should I append the public key to it?
Yes
brilliant. thanks
Thank you so much
Difference between .ppk, .pem, .pub ?
Google is your friend.
Sir, suppose I have a private key of my friend, can I log into that machine using ssh from my machine by using that private key?
If that server has the public key for that private key in the authorized_keys file, yes.
I always adjust the port SSH uses on my servers to something between 64000 and 65000 as well as using SSH keys. Just one more little thing to keep things a bit safer.
It really doesn't. Just makes the port scanner take slightly longer and inconveniences actual users.
thanks for simplifying
Great vid, follow it up with key management please!
❤❤❤
You can use ssh-audit (github.com/jtesta/ssh-audit) to audit and harden your SSH server.
Thanks EM. I had already enabled public/private keys on my home servers but was a bit concerned about disabling the password logins (for reasons you have explained)... I guess there is no reason to keep it on :)
The backup plan is always serial console access. Most cloud servers support this and if you have physical access it's supported as well.
Install fail2ban to block SSH spammers.
You can also use iptables to throttle connection attempts from source IPs. You really can't go wrong with that.
can i buy you a cup of coffee?
Use 2FA as an alternative.
Binod here ?
huge fan. please give shoutout
First View 🤣
You shouldn't be telling people this is more secure as it is not. Using this with a password would be much more secure and is advisable always. Use passwords people. Engineer Man is only doing this for a specific purpose of automation, which is not best practice.
I didn't say it was more secure, I simply said I need to automate things and thus I can't use a password. People are free to choose.
How is private key less secure than a password?
After I wrote my comment I realized I wasn't sure if he meant the passwords on the keys themselves or passwords to the server.
i am first to comment
:)