{"id":18883790,"url":"https://github.com/101t/ssh-like-a-boss","last_synced_at":"2026-01-27T14:31:44.061Z","repository":{"id":84533890,"uuid":"268871942","full_name":"101t/ssh-like-a-boss","owner":"101t","description":"Set SSH Key Like A Boss!!","archived":false,"fork":false,"pushed_at":"2020-06-04T06:24:18.000Z","size":243,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-24T00:09:35.830Z","etag":null,"topics":["security","ssh","ssh-agent","ssh-key"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/101t.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-06-02T17:57:23.000Z","updated_at":"2021-08-08T21:02:29.000Z","dependencies_parsed_at":null,"dependency_job_id":"2a9b47ee-f96e-4ccc-b6ba-3ea69095770c","html_url":"https://github.com/101t/ssh-like-a-boss","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/101t/ssh-like-a-boss","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/101t%2Fssh-like-a-boss","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/101t%2Fssh-like-a-boss/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/101t%2Fssh-like-a-boss/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/101t%2Fssh-like-a-boss/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/101t","download_url"
:"https://codeload.github.com/101t/ssh-like-a-boss/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/101t%2Fssh-like-a-boss/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28815047,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T12:25:15.069Z","status":"ssl_error","status_checked_at":"2026-01-27T12:25:05.297Z","response_time":168,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security","ssh","ssh-agent","ssh-key"],"created_at":"2024-11-08T07:09:04.965Z","updated_at":"2026-01-27T14:31:44.056Z","avatar_url":"https://github.com/101t.png","language":null,"readme":"\u003cp align=\"center\"\u003e \n\u003cimg src=\"static/ssh-key.png\" alt=\"SSH-Key\" \u003e\n\u003c/p\u003e\n\nHow to Lock Down Your SSH Server\n--------------------------------\nSSH, which stands for Secure Shell, isn't very secure by default, opting for basic password authentication with no other limits. 
If you really want to lock down your server, you'll need to do more configuration.\n\n## Table of Contents\n* [Don't Allow Password Logins - Use SSH Keys](#dont-allow-password-logins---use-ssh-keys).\n* [Generate SSH Keys](#generate-ssh-keys).\n* [Disable SSH Password Login](#disable-ssh-password-login).\n* [Don't Allow Root Login](#dont-allow-root-login).\n* [Set Up two-factor authentication](#set-up-two-factor-authentication).\n* [General Issues](#general-issues).\n\n\n## Don't Allow Password Logins - Use SSH Keys\n\nThe first thing to do is get rid of password authentication completely and switch to using SSH keys. SSH keys are a form of public key encryption: you have a public key that acts like a username, and a private key that acts like a password (except this password is 2048 characters long). Your private key is stored on your disk, but is encrypted with a passphrase and ssh-agent. When you go to SSH into a server, instead of asking for a password, the ssh-agent connects to the server using SSH keys.\n\n\u003e Even if you're already using SSH keys, you'll still want to ensure that password logins are turned off, as the two aren't mutually exclusive.\n\n## Generate SSH Keys\n\nYou can generate a new SSH key using the `ssh-keygen` utility, installed by default on UNIX systems. You may also pass a file name with `-f`, here `~/.ssh/ubuntu_srvr`.\n\n```sh\nssh-keygen -f ~/.ssh/ubuntu_srvr\n...\n[ENTER]\n[ENTER]\n[ENTER]\n```\nThis will ask you for a passphrase to encrypt the local key file with. It is not used for authentication with the server, but should still be kept secret.\n\n`ssh-keygen` will save your private key in `~/.ssh/ubuntu_srvr`, and will also save your public key in `~/.ssh/ubuntu_srvr.pub`. 
The private key stays on your hard drive, but the public key must be uploaded to the server so that the server can verify your identity, and verify that you have permission to access that server.\n\nThe server keeps a list of authorized users, usually stored in `~/.ssh/authorized_keys`. You can add your public key manually to this file, or you can use the `ssh-copy-id` utility:\n\n```sh\nssh-copy-id -i ~/.ssh/ubuntu_srvr.pub user@ip_address\n```\nReplace `user@ip_address` with your own username and server hostname. You'll be asked to sign in with your old password once more, after which you shouldn't be prompted for it again. Then you can disable password sign-in.\n\n## Disable SSH Password Login\n\nNow that you can access the server with your keys, you can turn off password authentication altogether. Make sure that key-based authentication is working first, or you'll be locked out of the server.\n\nOn the server, open up `/etc/ssh/sshd_config` in your terminal editor, and search for the line that starts with `PasswordAuthentication`. Uncomment it and change \"yes\" to \"no\":\n\n```sh\nPasswordAuthentication no\n```\n\nThen restart `sshd` with:\n\n```sh\nsystemctl restart sshd\n```\nNow you should be forced to reconnect, and if your key file is wrong, you won't be prompted for a password.\n\nYou can also force **public key-based** authentication, which will block all other authentication methods, by adding the following lines to `/etc/ssh/sshd_config`:\n```\nAuthenticationMethods publickey\nPubkeyAuthentication yes\n```\nThen restart `sshd`.\n\n## Don't Allow Root Login\n\nInstead, make a new user and give that user sudo privilege. 
This is effectively the same thing but has one major difference: potential attackers will need to know your user account name to even begin attacking your server, because it won't be as simple as root@host.\n\nAside from security, it's generally good Unix policy to not be logged in as `root` all the time, because `root` doesn't create logs and doesn't prompt when accessing protected resources.\n\nCreate a new user on your SSH server:\n\n```sh\nadduser myusername\n```\nSet a password for that user:\n```sh\npasswd myusername\n```\nYou won't be logging in with this password because you'll still be using SSH keys, but it is required. Ideally make this different from your root password. Then add this user to `/etc/sudoers` to give admin permissions:\n\n```sh\necho \"myusername ALL=(ALL) NOPASSWD:ALL\" \u003e\u003e /etc/sudoers\n```\nSwitch to that user with `su myusername`, and verify that you can switch back to the root user with `sudo su` (which doesn't require root's password). If you can, you have sudo access.\n\nNow you'll want to block root login. In `/etc/ssh/sshd_config`, set:\n```\nPermitRootLogin no\n```\nThen restart `sshd`, and the server should block all requests to log on as `root`.\n\n## Set Up two-factor authentication\nThis is certainly overkill, but if you're paranoid about someone nabbing your private SSH keys, you can configure the SSH server to use 2FA.\n\nThe easiest way to do this is to use [Google Authenticator](https://hackertarget.com/ssh-two-factor-google-authenticator/) with an Android / iOS device, though SSH supports many two-factor methods. With the Authenticator app, you'll be given a QR code which you can scan from the Authenticator mobile app to link your phone to the server, and you'll also be given a few backup codes for recovery in the event your phone is lost. Do not store these codes on your main machine, otherwise it's not really two-factor.\n\n## General Issues\n\n* `ssh-copy-id` not working: `Permission denied (publickey)`.\nEdit ssh 
config:\n```\nsudo nano /etc/ssh/sshd_config\n```\nChange this line:\n```ini\nPasswordAuthentication no\n```\nto\n```ini\nPasswordAuthentication yes\n```\nRestart ssh daemon:\n```sh\nsudo systemctl restart sshd\n```\nDo ssh-copy-id:\n```sh\nssh-copy-id someuser@\u003cstatic-ip\u003e\n```\n\u003e Note: do not forget to change back to `PasswordAuthentication no` and restart ssh again to prevent user/pass login.\n\nSee also [SSH Agent Forwarding](SSH-AGENT-FORWARDING.md)","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F101t%2Fssh-like-a-boss","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F101t%2Fssh-like-a-boss","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F101t%2Fssh-like-a-boss/lists"}