

Secure Device Authentication

TL;DR

Using the same password on multiple devices is risky: whoever obtains it once can log in to all of them. This guide shows how to replace password logins with SSH key authentication and then switch password logins off on the server, which removes SSH password guessing as an attack path altogether.

Step-by-step Guide: Secure Device Authentication with SSH Keys

  1. Understand the Problem
    • Reusing one password across several devices means that whoever obtains it once (from a compromised device, a phishing page or a leaked password database) can log in to all of them.
    • With SSH public-key authentication the private key never leaves Device 1: the server sends a challenge and the client proves possession of the key by signing it. There is no reusable secret for the server to store or for an attacker to guess. A password typed over SSH is encrypted in transit, but the server still receives it in the clear and an attacker can keep guessing it from the network.
  2. Generate an SSH Key Pair (on Device 1)
    This creates two files: a private key (keep this secret!) and a public key (you’ll share this).

    ssh-keygen -t rsa -b 4096
    • If both devices run a reasonably recent OpenSSH, ssh-keygen -t ed25519 gives a shorter, faster key with an equivalent security margin; the files are then ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub instead of id_rsa and id_rsa.pub.
    • You’ll be prompted for a file to save the key. The default (~/.ssh/id_rsa) is usually fine. Keep the private key readable only by you (mode 600); ssh refuses to use a private key that other users can read.
    • It will also ask for a passphrase. Use one: it encrypts the private key on disk, so a stolen copy of the file is useless on its own. A long passphrase is worth more than a short complex one.
  3. Copy the Public Key to Device 2
    There are several ways to do this. The easiest (while you still have password access) is ssh-copy-id:

    ssh-copy-id user@device2_ip_address
    • Replace user with your username on Device 2 and device2_ip_address with its IP address or hostname. Add -i ~/.ssh/id_rsa.pub if you have more than one key and want to be explicit about which one is installed.
    • You’ll be prompted for the password of Device 2 once. ssh-copy-id appends the public key to ~/.ssh/authorized_keys on Device 2 and creates the directory and file with restrictive permissions if they do not exist yet.
  4. Alternative: Manual Public Key Copy (if ssh-copy-id isn’t available)
    • On Device 1, display the public key:
      cat ~/.ssh/id_rsa.pub
    • Copy the entire single-line output (it starts with the key type, here ssh-rsa, and ends with a comment such as user@device1).
    • On Device 2, open the file ~/.ssh/authorized_keys (create it if it doesn’t exist) with a text editor:
      nano ~/.ssh/authorized_keys
    • Paste the public key on a line of its own, without any line breaks inside it. Save and close the file.
    • Make sure ~/.ssh is mode 700 and authorized_keys is mode 600, both owned by the login user. With the default StrictModes yes, sshd silently ignores an authorized_keys file that other users can write to, and the only symptom is that you keep getting a password prompt.
  5. Test the SSH Connection (from Device 1)
    Try connecting to Device 2:

    ssh user@device2_ip_address
    • If you set a passphrase, you’ll be prompted for it (by ssh on Device 1, not by Device 2). If everything is configured correctly, you should log in without being asked for the password of Device 2.
    • If you are still asked for Device 2’s password, the key was not accepted. Run ssh -v user@device2_ip_address and read the lines about the key being offered and the authentication methods that can continue; on Device 2 the authentication log (/var/log/auth.log or journalctl -u ssh, -u sshd on some distributions) names the reason, most often wrong file permissions.
    • Leave this working session open until the next step is finished and verified, so that a mistake cannot lock you out.
  6. Disable Password Authentication on Device 2 (Important!)
    Until you do this, an attacker can still guess passwords over the network; the key has only added a second way in.

    • Edit the SSH daemon configuration file on Device 2:
      sudo nano /etc/ssh/sshd_config
    • Find the line PasswordAuthentication yes (it may be commented out with a leading #) and change it to PasswordAuthentication no.
    • Also set ChallengeResponseAuthentication no (called KbdInteractiveAuthentication in OpenSSH 8.7 and later; the old name is still accepted). With UsePAM yes, that method otherwise lets PAM prompt for the very password you have just disabled.
    • Ensure that PubkeyAuthentication yes is set (it is the default).
    • sshd uses the first matching directive it reads, and Debian and Ubuntu configurations start with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file in that directory (cloud images often ship one) can override what you just edited. Check those files as well.
    • Save and close the file, then check it before restarting: sudo sshd -t reports syntax errors, and sudo sshd -T | grep -i -e passwordauthentication -e challengeresponse prints the values sshd will actually use.
    • Restart the SSH service:
      sudo systemctl restart sshd
      On Debian-based systems the unit is called ssh, so use systemctl restart ssh if the first form is not found.
    • From a new terminal on Device 1, confirm that key login still works and that password login is now refused: ssh -o PubkeyAuthentication=no user@device2_ip_address should fail with "Permission denied (publickey)" instead of prompting for a password.
  7. Security Considerations
    • Protect your private key. Never share it, never copy it into shared folders, chat or cloud drives, and generate a separate key pair on each client device, so that a lost laptop means deleting one line from authorized_keys rather than rotating everything.
    • Use a strong passphrase for your SSH key.
    • Regularly review ~/.ssh/authorized_keys on every device that accepts logins and remove entries you do not recognise; the comment at the end of each line tells you which client the key came from.
    • Consider using an SSH agent (ssh-agent with ssh-add) to avoid repeatedly entering your passphrase. Only forward the agent (ssh -A) to hosts you fully trust, since root on such a host can use your loaded keys for as long as you stay connected.
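The procedure above as one script, added here as an example and not taken from the original post or from OpenSSH itself: it installs a public key with the permissions step 4 requires, applies the sshd_config settings from step 6 idempotently (commented-out directives are uncommented, later duplicates dropped, Match blocks left alone) and audits the effective values the way step 6 describes. It assumes a Linux host with bash, awk and GNU coreutils; the sample configuration, the key line and the demo paths are constructed placeholders, and the script works on a copy of the file so it can be dry-run before /etc/ssh/sshd_config is touched.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): install a public key with the
# modes sshd's StrictModes requires, then enforce key-only login in a copy of
# sshd_config (idempotently, leaving Match blocks alone) and audit the result.
# Assumes Linux with bash, awk and GNU coreutils; paths and the key are constructed.
set -eu

# install_authorized_key SSH_DIR PUBKEY_LINE
# Create SSH_DIR (0700) and authorized_keys (0600) if missing and append the key
# exactly once. With wrong modes sshd ignores the file and just asks for a password.
install_authorized_key() {
    local dir="$1" key="$2" file="$1/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    grep -qxF "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# effective_value FILE KEY
# Print the value sshd uses for KEY in the global section: the first uncommented
# occurrence before any Match block (sshd is first-match-wins).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        tolower($1) == "match" { exit }        # global section ends here
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# set_option FILE KEY VALUE
# Rewrite the first global occurrence of KEY (even a commented-out one) to
# "KEY VALUE", drop later global duplicates, and if KEY was absent insert it
# before the first Match block (or append it). Match blocks are left untouched
# so per-user exceptions stay visible for review instead of being silently edited.
set_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" \
        -v lkey="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        BEGIN { done = 0; in_match = 0 }
        tolower($1) == "match" && !in_match {
            in_match = 1
            if (!done) { print key " " value; done = 1 }
        }
        {
            line = $0
            sub(/^[[:space:]]*#+[[:space:]]*/, "", line)   # uncomment for matching
            split(line, f)
            if (!in_match && tolower(f[1]) == lkey) {
                if (!done) { print key " " value; done = 1 }
                next                                        # drop duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd FILE: the directives that close every password path.
harden_sshd() {
    set_option "$1" PubkeyAuthentication yes
    set_option "$1" PasswordAuthentication no
    # keyboard-interactive via PAM would still prompt for a password; this old
    # directive name is accepted by every OpenSSH version as an alias.
    set_option "$1" ChallengeResponseAuthentication no
    set_option "$1" AuthenticationMethods publickey
    set_option "$1" PermitRootLogin prohibit-password
}

# key_only FILE: succeed only if the global section allows nothing but keys.
key_only() {
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(effective_value "$1" ChallengeResponseAuthentication)" = "no" ] &&
    [ "$(effective_value "$1" PubkeyAuthentication)" = "yes" ]
}

# Demo on a constructed config resembling a stock Debian/Ubuntu file; no real
# host file is touched. On a live host verify with `sudo sshd -T`, because a
# drop-in pulled in by the Include line can re-enable passwords ahead of this file.
DEMO_DIR="$(mktemp -d)"
SAMPLE_CONFIG="$DEMO_DIR/sshd_config"
cat > "$SAMPLE_CONFIG" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
install_authorized_key "$DEMO_DIR/.ssh" "ssh-ed25519 AAAA_CONSTRUCTED_EXAMPLE_KEY user@device1"
harden_sshd "$SAMPLE_CONFIG"
cat "$SAMPLE_CONFIG"
if key_only "$SAMPLE_CONFIG"; then echo "global section: key-only"; else echo "passwords still allowed"; fi
```

Run it as-is to see the rewritten sample; to use it for real, copy /etc/ssh/sshd_config somewhere, point harden_sshd at the copy, diff the two, then move the result into place and follow step 6 (sshd -t, restart, verify from a second session). The Match User backup block is deliberately left in the sample: with AuthenticationMethods publickey in the global section sshd would still demand a key from that user unless the block also overrides AuthenticationMethods, and leftover exceptions like that are exactly what the manual review after hardening should catch.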