Wednesday, May 15, 2024
Asked: Saturday, April 22, 2023, 5:39:58

I am new to this so please dumb this down a little for me.



I use OSX locally, Ubuntu server for my remote host on Linode. And to my understanding, I can use ssh-keygen -b 4096 locally, to generate two files:



~/.ssh/id_rsa and ~/.ssh/id_rsa.pub



And then on my server I run mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/ to create the .ssh folder and give it recursive read/write/execute privileges for the "file owner" (whatever that is, according to the chmod wiki).



Then I call



scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys



Which I guess uses ssh protocol to upload the public key to the server in a newly-created authorized_keys file in the server's .ssh folder I just created.



So I assume this means the public file goes on the server, whereas both the public and private file reside on my local machine.



Now let's say I edit my /etc/ssh/sshd_config file where I can mess with PermitRootLogin, PasswordAuthentication, and ChallengeResponseAuthentication.



My questions:




  1. Should I be disabling root login? Should I set PermitRootLogin to no or to without-password? Should I be disabling all passwords and using keys only, period? What about PasswordAuthentication and ChallengeResponseAuthentication?


  2. Is it safe to have the private and public key files on my local machine? Should I be deleting the public one and only holding onto the private one?


  3. If I am only relying on the key, doesn't this mean I am now exposed to a new weakness: Someone getting into my machine and therefore getting access to my key file?



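The sshd_config hardening the question asks about, as an added example that is not part of the original post or answer: it rewrites the three directives on a copy of the config (never on the live file), keeps any Match-block overrides an admin may have added, and reads back the effective global values. It assumes the standard OpenSSH directive names; prohibit-password is the current spelling of the older without-password value, and on OpenSSH 8.7+ ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication.

```shell
#!/bin/sh
# set_directive FILE KEY VALUE: rewrite the global KEY line (commented out or
# not) to "KEY VALUE", or insert one before the first Match block / at the end.
set_directive() {
  awk -v k="$2" -v v="$3" '
    { commented = ($0 ~ /^[ \t]*#/); line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t=]+/)
      word = tolower(f[1]) }
    # Lines after an uncommented "Match" are conditional, so the global
    # value must appear before it; leave the block-scoped overrides alone.
    word == "match" && !commented && !done { print k, v; done = 1 }
    word == "match" && !commented { inmatch = 1 }
    word == tolower(k) && !inmatch { if (!done) { print k, v; done = 1 }; next }
    { print }
    END { if (!done) print k, v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_directive FILE KEY: first uncommented global value, which is what sshd
# applies (later duplicates and Match-block values do not override it).
get_directive() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

# harden_sshd FILE: key-only logins; root may still log in with a key.
harden_sshd() {
  set_directive "$1" PermitRootLogin prohibit-password
  set_directive "$1" PasswordAuthentication no
  set_directive "$1" ChallengeResponseAuthentication no
}

# Constructed sample config in a temp file (NOT the real /etc/ssh/sshd_config).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
EOF
harden_sshd "$SAMPLE"
cat "$SAMPLE"
# Before installing a hardened copy, syntax-check it with: sshd -t -f "$SAMPLE"
```

Keep the existing session open while testing a new login after reloading sshd, so a mistake in the file cannot lock you out.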
 Answers

The "best practice" with ssh, or any server for that matter, is to:




  1. Assess the value of your asset and the data on your server where you install and configure ssh. Is this a home computer behind a LAN? Or a public IP address on a server with sensitive data, private information, financial information? etc.


  2. Read ALL the security options.


  3. Then decide how you want to balance security with ease of access, ease of configuration, and value of your assets.




For my considerations on ssh see - http://bodhizazen.com/Tutorials/SSH_security


Answer #10767 by disdry, Sunday, April 23, 2023