
KeyBasedSshAuthentication

Securing remote SSH logins to a server basically consists of the following steps:

  1. Generate a public/private key pair file.
  2. Place the public key on the server that you want access to.
  3. Use your ssh client to test key based authentication.
  4. Once this is successfully working, disable password based authentication on the server.

Now these steps seem pretty straightforward but, as usual, the devil, and a lot of your time, is in the details. Let's detail this out here so as to avoid wasting time.

1. How you generate your public/private key pair depends upon what tools you are using. I run Windows clients so I'm going to point you to PuTTY, a freely available, GUI-based SSH client for Windows. The help file details how to generate the keys that you need, so I'll not repeat that here.

2. I will point out that the most common source of failure in this process is failing to create a properly formatted authorized_keys file in your ~/.ssh directory on the server.

3. The best way to test and debug is to stop sshd on the server and then restart it with debugging turned on. Find the process id for sshd and kill it (kill -i PID). Now run sshd in debug mode. On FreeBSD this can be done with the command "/usr/sbin/sshd -ddd -f /etc/ssh/sshd_config". This will dump lots of debug output to the terminal so that you can troubleshoot any issues that you might run into.

4. The three key points to this step are the following lines in your /etc/ssh/sshd_config file:

The last point is specific to FreeBSD. You can find more details here:

http://blog.unixlore.net/2006/04/five-minutes-to-more-secure-ssh.html
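
Point 2 above names a badly formatted authorized_keys file as the usual cause of failure. The Python check below is an added example, not part of the original page: it flags lines that sshd would not accept as a one-line OpenSSH public key (a multi-line key file such as PuTTYgen's saved public key pasted in as-is, a key wrapped across lines, truncated key data, or a key type that does not match the data). The function names and the sample key line are constructed for illustration.

```python
import base64

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def first_field(blob):
    """Walk the length-prefixed fields of a key blob; None if malformed."""
    pos, first = 0, None
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 + n > len(blob):
            return None  # field runs past the end: truncated key
        first = blob[pos + 4:pos + 4 + n] if first is None else first
        pos += 4 + n
    return first

def check_line(line):
    """Return None if the line is acceptable, else a description of the problem."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None  # blank lines and comments are allowed
    if s.startswith(("---- BEGIN SSH2", "PuTTY-User-Key-File")):
        return "multi-line key file pasted; sshd expects one OpenSSH-format line per key"
    fields = s.split()
    # Options (from=..., no-pty, ...) may precede the key type, so find it first.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return "no key type followed by key data (possibly a wrapped key fragment)"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "key data is not valid base64"
    inner = first_field(blob)
    if inner is None:
        return "key data is truncated or malformed"
    if inner != fields[idx].encode():
        return "key type inside the data does not match the declared type"
    return None

def check_authorized_keys(text):
    """Return (line_number, problem) for every bad line of the file's text."""
    return [(i, p) for i, line in enumerate(text.splitlines(), 1)
            if (p := check_line(line)) is not None]

def sample_key_line(key_type="ssh-ed25519"):
    """Constructed, non-functional sample line (32 zero bytes as the key)."""
    t = key_type.encode()
    blob = len(t).to_bytes(4, "big") + t + (32).to_bytes(4, "big") + bytes(32)
    return f"{key_type} {base64.b64encode(blob).decode()} user@example"
```

Pass the contents of ~/.ssh/authorized_keys from the server to check_authorized_keys(); an empty list means every line parsed as a one-line OpenSSH public key.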


CategoryFreeBsd