Master SSH: Key Generation, Secure Connections, and Hardening Tips

This guide explains SSH fundamentals, including key pair generation with ed25519, adding public keys to servers, establishing secure connections, the full SSH handshake process, common permission pitfalls, disabling password logins, and practical monitoring and alerting techniques for Linux systems.

Open Source Linux

Secure Shell (SSH) is an encrypted network protocol at the application layer. OpenSSH is the most popular implementation and is the default component in many operating systems.

Remote operations: ssh, scp, sftp
Key management: ssh-add, ssh-keysign, ssh-keyscan, ssh-keygen
Server side: sshd, sftp-server, ssh-agent

Using SSH to connect to a server

1. Generate a key pair on the client

The recommended key type is ed25519: its keys are much shorter than RSA keys of comparable strength, with better security and performance than RSA.

# -a  number of KDF (key derivation function) rounds used when encrypting the private key
#     with its passphrase; default 16, higher values slow down brute-force attempts
# -t  key type; ssh-keygen defaults: Ubuntu 22.04 RSA 3072, macOS ED25519 256
# -C  comment; including the creation date helps with periodic key rotation
ssh-keygen -a 256 -t ed25519 -C 'Brandon+2025-01@MacBook'
# You can accept the default path; a non-empty passphrase protects the private key if the file is stolen

The key pair is created under ~/.ssh.

.
├── [ 411]  id_ed25519
├── [  98]  id_ed25519.pub

# Private key must be kept secret
cat id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

# Public key ends with .pub
cat id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJG0L1wkkEXC9Wyni9XTnxyLIt/... Brandon+2025-01@MacBook

2. Add the public key to the server

Append the client’s public key to ~/.ssh/authorized_keys on the server, one key per line. You can also use ssh-copy-id:

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

3. Connect from the client

# Login as user@host
ssh [email protected]

# First‑time connection prompt
The authenticity of host '192.168.16.13 (192.168.16.13)' can't be established.
ED25519 key fingerprint is SHA256:QawKK4qYtzv/WyymFO64Yby5oxo9bVYZu0TQRvLZsL8.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Compare the displayed fingerprint with one obtained out of band from the server, then type yes. SSH stores the host key in ~/.ssh/known_hosts. Subsequent connections will warn if the fingerprint changes, indicating a possible man-in-the-middle attack.

Obtain the server’s host key fingerprint

On the server, public keys are located in /etc/ssh/. Example for ed25519:

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
256 SHA256:WykOLKFPEwaC42OM8B5EgFBS5RlgV4qvXxkCIxPE6h4 root@VM-12-5-ubuntu (ED25519)

If you cannot log in, you can retrieve the fingerprint over the network with ssh-keyscan. This only reports which key the host at that address currently presents, so check the result against a value obtained through a trusted channel:

ssh-keyscan -t ed25519 -p 22 192.168.16.13 2>/dev/null | ssh-keygen -E sha256 -lf -
256 SHA256:WykOLKFPEwaC42OM8B5EgFBS5RlgV4qvXxkCIxPE6h4 root@VM-12-5-ubuntu (ED25519)

SSH connection process

The most critical part of a secure connection is key exchange. SSH uses asymmetric encryption to exchange a shared secret, then encrypts the session with symmetric algorithms.

1. Establish a TCP connection.
2. Negotiate the SSH protocol version (1 or 2; modern OpenSSH supports only version 2).
3. Negotiate algorithms for encryption, key exchange, and MAC.
4. Perform key exchange (e.g., Elliptic Curve Diffie-Hellman) to generate a shared secret.
5. The client verifies the server's identity by checking the host key fingerprint.
6. The server verifies the client's identity (public key or password).
7. The encrypted session is established.

During key exchange, both sides generate temporary key pairs, exchange public keys, and derive the shared secret, which is then fed to a KDF to produce encryption and integrity keys.

SSH also computes an exchange hash that the server signs with its private host key, ensuring the integrity of the negotiation.
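The exchange described above, as an added Go example that is not part of the original article: both sides generate ephemeral X25519 keys, the server signs the exchange hash H with an Ed25519 host key, the client verifies that signature, and both derive the same session key with the RFC 4253 KDF. The version strings, KEXINIT payloads and all keys are constructed inside the program; only the Go standard library is used (Go 1.20 or later for crypto/ecdh).

```go
package main
import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// RFC 4251 wire encodings: "string" is a 4-byte big-endian length plus the bytes; "mpint" is an
// unsigned integer with leading zeros stripped and a 0x00 byte prepended when the top bit is set.
func sshString(b []byte) []byte { return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...) }
func sshMpint(b []byte) []byte {
	if b = bytes.TrimLeft(b, "\x00"); len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return sshString(b)
}

// exchangeHash: H = SHA256(V_C||V_S||I_C||I_S||K_S||Q_C||Q_S||K) per RFC 8731; K is an mpint.
func exchangeHash(fields [][]byte, k []byte) []byte {
	h := sha256.New()
	for _, f := range fields {
		h.Write(sshString(f))
	}
	h.Write(sshMpint(k))
	return h.Sum(nil)
}

// deriveKey: RFC 4253 s7.2, K1 = HASH(K||H||X||session_id), X in 'A'..'F'; longer keys extend with HASH(K||H||K1||...)
func deriveKey(k, h []byte, x byte, sessionID []byte) []byte {
	sum := sha256.Sum256(append(append(append(sshMpint(k), h...), x), sessionID...))
	return sum[:]
}

func Kex() bool { // one simulated curve25519-sha256 exchange; true if signature and keys agree
	hostPub, hostPriv, _ := ed25519.GenerateKey(rand.Reader) // server's long-term host key
	cPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)       // ephemeral pairs: used once, then discarded
	sPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	kS, _ := sPriv.ECDH(cPriv.PublicKey()) // server: K from its private key and Q_C
	kC, _ := cPriv.ECDH(sPriv.PublicKey()) // client: K from its private key and Q_S
	fields := [][]byte{[]byte("SSH-2.0-c"), []byte("SSH-2.0-s"), []byte("KEXINIT-c"), []byte("KEXINIT-s"), // constructed V_C, V_S, I_C, I_S
		append(sshString([]byte("ssh-ed25519")), sshString(hostPub)...), // K_S exactly as sent on the wire
		cPriv.PublicKey().Bytes(), sPriv.PublicKey().Bytes()} // Q_C, Q_S
	hS := exchangeHash(fields, kS) // session_id is H of the first exchange
	sig := ed25519.Sign(hostPriv, hS) // KEX_ECDH_REPLY carries K_S, Q_S and this signature
	hC := exchangeHash(fields, kC)    // client recomputes H; trust in hostPub comes from known_hosts
	return ed25519.Verify(hostPub, hC, sig) && bytes.Equal(deriveKey(kC, hC, 'C', hC), deriveKey(kS, hS, 'C', hS))
}
```

Letter 'C' selects the client-to-server encryption key; a real client repeats deriveKey with 'A'..'F' for both IVs, both cipher keys and both MAC keys.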

SSH connection diagram

Common issues

Session persistence

Removing a key from authorized_keys does not terminate existing sessions. You can kill a user’s SSH sessions with:

pkill -u "$username" sshd

Permission problems

Incorrect permissions on ~/.ssh or authorized_keys cause authentication failures. Recommended permissions are 700 for ~/.ssh and 600 for authorized_keys.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Disabling password authentication

Set PasswordAuthentication no in /etc/ssh/sshd_config (or in a file under /etc/ssh/sshd_config.d), confirm that key-based login already works, check that the configuration parses with sudo sshd -t, and then restart the daemon while keeping an existing session open:

sudo systemctl restart sshd

Monitoring logins

Commands such as who, w, last, and lastlog show current and historical login activity.

Alerting on logins

A Bash script placed in /etc/profile.d/ can send a DingTalk notification whenever a user logs in.

#!/bin/bash
# DingTalk webhook URL; $token must hold the robot's access token (double quotes so it expands)
dingtalk_webhook="https://oapi.dingtalk.com/robot/send?access_token=$token"

# Collect hostname, timestamp, current logins (who) and the user/command columns of w
message=$( { hostname; date '+%Y-%m-%d %H:%M:%S'; who; w | awk 'BEGIN{OFS="\t"}{print $1,$8}'; } )

# Escape backslashes, double quotes, tabs and newlines so the text is a valid JSON string
escaped=$(printf '%s' "$message" | sed 's/\\/\\\\/g;s/"/\\"/g;s/\t/\\t/g' | sed ':a;N;$!ba;s/\n/\\n/g')

curl -s -X POST -H 'Content-Type: application/json' \
     -d '{"msgtype":"text","text":{"content":"ssh: '"$escaped"'"}}' \
     "$dingtalk_webhook" >/dev/null
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.