I am new to this so please dumb this down a little for me.
I use OSX locally, and an Ubuntu server as my remote host on Linode. To my understanding, I can use ssh-keygen -b 4096 locally to generate two files:
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
Then on my server I run mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/
to create the .ssh folder and give it recursive read/write/execute privileges for the "file owner" (whatever that is, according to the chmod wiki).
Then I call
scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys
which I guess uses the ssh protocol to upload the public key to the server into a newly created authorized_keys file in the server's .ssh folder I just created.
So I assume this means the public file goes on the server, whereas both the public and private file reside on my local machine.
Now let's say I edit my /etc/ssh/sshd_config file, where I can mess with PermitRootLogin, PasswordAuthentication, and ChallengeResponseAuthentication.
My questions:
Should I be disabling root login? Should I set PermitRootLogin to no or to without-password? Should I be disabling all passwords and using keys only, period? What about PasswordAuthentication and ChallengeResponseAuthentication?
Is it safe to have the private and public key files on my local machine? Should I be deleting the public one and only holding onto the private one?
If I am only relying on the key, doesn't this mean I am now exposed to a new weakness: someone getting into my machine and therefore getting access to my key file?
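The following is an added example, not part of the question above and not code the poster ran. It covers the two halves of the setup the question describes: installing a public key into ~/.ssh/authorized_keys on a server with strict file modes (what the scp line achieves, but appending instead of overwriting), and reading the effective values of PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication from an sshd_config. It relies on two facts about sshd_config(5): keywords are case-insensitive and the first occurrence of a keyword wins, so a later duplicate line is silently ignored. The defaults assumed when a keyword is absent (prohibit-password, yes, yes) are the OpenSSH 7.x/8.x documented defaults; the sample config text and key line are constructed for the example, and Match blocks are deliberately not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed sample sshd_config
# text: note the commented-out line and the duplicate PasswordAuthentication
# at the end, which sshd ignores because the first occurrence wins.
SAMPLE_CONFIG='# hardened example, constructed for this demo
PermitRootLogin no
# PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
'

# effective_value CONFIG_TEXT KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD: comments and blank lines are
# skipped, keyword matching is case-insensitive, the first match wins, and
# scanning stops at the first Match block (assumption: we only audit the
# global section). Falls back to DEFAULT when the keyword is absent.
effective_value() {
    _val=$(printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }')
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# key_only_login CONFIG_TEXT
# Returns 0 when the config only allows public-key logins: password and
# challenge-response authentication off, and root either blocked entirely or
# limited to keys (prohibit-password, or its older spelling without-password).
key_only_login() {
    pa=$(effective_value "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    cra=$(effective_value "$1" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')
    prl=$(effective_value "$1" PermitRootLogin prohibit-password | tr 'A-Z' 'a-z')
    [ "$pa" = "no" ] || return 1
    [ "$cra" = "no" ] || return 1
    case "$prl" in
        no|prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# install_pubkey PUBKEY_FILE SSH_DIR
# Server-side half of the procedure: directory mode 700, authorized_keys mode
# 600, key appended (not copied over the file) and only if not already present.
install_pubkey() {
    mkdir -p "$2" && chmod 700 "$2" || return 1
    touch "$2/authorized_keys" && chmod 600 "$2/authorized_keys" || return 1
    # -x matches whole lines, -F treats the key as a fixed string, -f reads it from the file
    if grep -qxF -f "$1" "$2/authorized_keys"; then return 0; fi
    cat "$1" >> "$2/authorized_keys"
}

# Demo run against the constructed config (stand-alone use).
printf 'PasswordAuthentication effective value: %s\n' \
    "$(effective_value "$SAMPLE_CONFIG" PasswordAuthentication yes)"
if key_only_login "$SAMPLE_CONFIG"; then
    echo "sample config: key-only login"
else
    echo "sample config: passwords still accepted somewhere"
fi
```

To audit a live server, pass the file contents in with `key_only_login "$(cat /etc/ssh/sshd_config)"`, and remember that `sshd -T` prints the fully resolved configuration if you want to cross-check the parser against what the daemon itself sees.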