Below you’ll find the individual steps to secure your SSH connection to a server using an SSH key pair (public-key authentication) instead of a password.
1. Create an SSH Key
Open the terminal on your Mac (or Linux system) and run the following command to generate an SSH key pair:
ssh-keygen -t ed25519 -C "your_email@example.com"
- The -t ed25519 parameter selects Ed25519 as the key type.
- The -C "your_email@example.com" parameter adds a comment, such as your email address, to the key.
You’ll be prompted to choose a file in which to save the key. The default path is ~/.ssh/id_ed25519. It’s recommended to name the key after the server, e.g., ~/.ssh/servername.
You can leave the passphrase empty if you don’t want to add extra protection – otherwise, choose one.
2. Copy the Public Key to the Linux Server
After generating the key, upload the public key (~/.ssh/id_ed25519.pub) to your SSH host. Use the -i option to specify the key file:
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@hostname
This copies the public key into the ~/.ssh/authorized_keys file on the Linux server.
Replace username and hostname with your server’s username and hostname or IP address.
3. Manually Copy the SSH Key
If ssh-copy-id is not available, you can copy the key manually:
First, display your public key on the Mac:
cat ~/.ssh/id_ed25519.pub
Copy the output and paste it into the file ~/.ssh/authorized_keys on the Linux server:
nano ~/.ssh/authorized_keys
Paste the key on a new line and save the file.
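The manual path above is where most "it still asks for a password" problems come from: sshd silently ignores authorized_keys when ~/.ssh or the file itself is writable by others, and pasting the same key twice leaves duplicates behind. The helper below is an added example, not part of the original post. It does what ssh-copy-id does (append the key once, set 0700/0600 permissions) in portable shell. The sample key, the function names and the use of a temporary home directory are assumptions for the demo.

```shell
# Added example (not from the original post): install a public key into
# ~/.ssh/authorized_keys the way ssh-copy-id does, i.e. only once and with the
# permissions sshd's StrictModes requires. Keys with a leading options field
# (command="...", from="...") are deliberately rejected to keep the parser small.

# Constructed sample public key for the demo (the base64 body is made up).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleExam your_email@example.com'

# install_pubkey <public-key-line> [home-dir]
# Appends the key if it is not present yet, creating ~/.ssh (0700) and
# authorized_keys (0600). Returns 0 on success, 1 for a malformed key line.
install_pubkey() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Sanity check: line must start with a known key type.
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "install_pubkey: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Compare on type + key blob only, so the same key with a different
    # comment is still recognised as already installed.
    keyid=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if ! awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$authfile"; then
        printf '%s\n' "$key" >> "$authfile"
    fi
    return 0
}

# count_keys [home-dir]: number of key lines in authorized_keys (for verification).
count_keys() {
    authfile="${1:-$HOME}/.ssh/authorized_keys"
    [ -f "$authfile" ] || { echo 0; return; }
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$authfile" || true
}
```

Run it on the server as the user you log in as, e.g. `install_pubkey "$(cat /tmp/id_ed25519.pub)"`, then `count_keys` shows how many keys are installed. Running it a second time with the same key is a no-op, which is the behaviour you want when several admins paste keys into the same account.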
4. Test the Connection
To test the SSH connection, use the -i option to specify the key file when connecting:
ssh -i ~/.ssh/id_ed25519 username@hostname
If everything is set up correctly, you should connect without being asked for a password.
5. Disable Password Login on the Linux Host
Important: Before disabling password login, make sure that SSH login using the key works — otherwise, you might lock yourself out of the server.
Edit the server configuration:
sudo nano /etc/ssh/sshd_config
Add or modify the following lines:
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
Explanation:
- PubkeyAuthentication yes: Enables login using SSH keys.
- PasswordAuthentication no: Disables password login.
- KbdInteractiveAuthentication no: Disables keyboard-interactive login (similar to password prompts).
- PermitRootLogin prohibit-password: Allows root login only via SSH key.
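One caveat a practitioner will want before restarting: sshd applies the first occurrence of a directive it reads, and Debian/Ubuntu ship sshd_config with `Include /etc/ssh/sshd_config.d/*.conf` at the top, so a drop-in such as cloud-init's `PasswordAuthentication yes` wins over the line you add at the bottom. The checker below is an added example, not part of the original post; it resolves the effective global value of each of the four directives the way sshd does (first match, global section only, case-insensitive). The config text is constructed for the demo and the function names are assumptions.

```shell
# Added example (not from the original post): determine which value sshd will
# actually apply for the hardening directives above. Mirrors sshd's rule that
# the first occurrence of a keyword wins and that anything after a "Match"
# line is conditional rather than global.

# Constructed sample: a distro-style file where a drop-in (inlined here for the
# demo) re-enables password auth before the hardening lines from this post.
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
PasswordAuthentication yes
#PubkeyAuthentication yes
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication yes
'

# effective_option <keyword> <config-text>
# Prints the value of the first non-comment occurrence of <keyword> in the
# global section (before any Match block). Exit 1 if the keyword is not set.
effective_option() {
    printf '%s\n' "$2" | awk -v kw="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }             # comments, blank lines
        tolower($1) == "match"      { exit }             # global section ends
        tolower($1) == tolower(kw)  { print $2; found = 1; exit }
        END { exit !found }'
}

# audit_hardening <config-text>
# Prints one line per directive; returns 0 only when all four values from the
# post are in effect globally.
audit_hardening() {
    cfg=$1
    rc=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                KbdInteractiveAuthentication=no PermitRootLogin=prohibit-password; do
        kw=${pair%%=*}
        want=${pair#*=}
        got=$(effective_option "$kw" "$cfg") || got='(not set, sshd default)'
        if [ "$got" = "$want" ]; then
            echo "ok    $kw $got"
        else
            echo "FAIL  $kw is '$got', expected '$want' (first occurrence wins)"
            rc=1
        fi
    done
    return $rc
}
```

On a real host, `audit_hardening "$(sudo cat /etc/ssh/sshd_config)"` only sees the main file, so pair it with sshd's own view: `sudo sshd -t` validates the syntax, and `sudo sshd -T | grep -iE 'passwordauthentication|pubkeyauthentication|kbdinteractiveauthentication|permitrootlogin'` prints the values sshd will use after resolving every Include (add `-C user=...,host=...,addr=...` to evaluate Match blocks). If the drop-in is the culprit, fix it there rather than relying on line order in the main file.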
Then restart the SSH service:
sudo systemctl restart ssh
Open a new terminal window and test the connection again before closing your current session.
6. Configure an SSH Profile on macOS
To simplify connection setup, you can define SSH profiles in a config file.
Edit the file ~/.ssh/config:
nano ~/.ssh/config
Example configuration:
Host hostname
    Hostname host.domain.com
    User username
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 15
    ServerAliveCountMax 12
Explanation:
- Host: Defines the alias for the SSH connection. If you use an alias, add Hostname host.domain.com as the actual target.
- User: The username used to log in to the server — avoids typing it each time.
- IdentityFile: Path to your private SSH key, which must match the public key uploaded to the server.
- ServerAliveInterval: Interval (in seconds) for sending keep-alive signals to the server to prevent disconnection.
- ServerAliveCountMax: Number of failed keep-alive responses allowed before the client disconnects. Multiply by ServerAliveInterval to determine the total timeout.