How to Secure SSH with Key-Based Authentication on Arch Linux

Securing remote access to your Arch Linux system is critical for maintaining its integrity and privacy. The default SSH configuration allows password authentication, which can be vulnerable to brute-force attacks or credential theft. A more secure alternative is key-based authentication, which uses cryptographic key pairs to verify a user’s identity. This method not only improves security but also enhances usability in automated environments.

In this guide, we’ll walk you through the process of securing SSH using key-based authentication on Arch Linux. We’ll cover everything from generating key pairs to disabling password authentication for SSH.

Table of Contents

• Table of Contents
• 1. Prerequisites
• 2. Understanding SSH Key-Based Authentication
• 3. Step 1: Install and Enable SSH
  • Install OpenSSH
  • Enable and Start SSH Service
• 4. Step 2: Generate SSH Key Pair
  • When prompted
• 5. Step 3: Copy the Public Key to the Arch Linux Server
  • Option A: Using ssh-copy-id (Recommended)
  • Option B: Manual Method
• 6. Step 4: Configure the SSH Daemon
• 7. Step 5: Disable Password Authentication
• 8. Step 6: Reload SSH Service
• 9. Step 7: Test SSH Access
• 10. Best Practices and Security Tips
  • Use a Strong Passphrase
  • Use a Key Agent
  • Backup Your Keys Securely
  • Set Idle Timeouts
  • Limit User Access
  • Restrict by IP (Optional)
• 11. Conclusion

1. Prerequisites

Before we begin, ensure you have the following:

• An Arch Linux server with openssh installed.
• A local Linux, macOS, or Windows (with WSL or PuTTY) machine to generate the key pair.
• A user with sudo privileges on the Arch Linux system.
• Root or administrative access to modify SSH settings.

2. Understanding SSH Key-Based Authentication

SSH key-based authentication relies on asymmetric cryptography, involving two keys:

• Private Key – Stored securely on the client machine. This should never be shared.
• Public Key – Uploaded to the server’s ~/.ssh/authorized_keys file.

When the client attempts to connect, the server checks if the client’s private key matches a stored public key. If they match, access is granted. This method eliminates the need for passwords and provides a strong defense against unauthorized logins.

3. Step 1: Install and Enable SSH

Most Arch Linux systems don’t have the SSH server (sshd) enabled by default. To install and start it:

Install OpenSSH

sudo pacman -S openssh

Enable and Start SSH Service

sudo systemctl enable sshd
sudo systemctl start sshd

You can verify it’s running with:

systemctl status sshd

4. Step 2: Generate SSH Key Pair

On your local machine (not the server), open a terminal and run:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Or, for a more secure modern alternative:

ssh-keygen -t ed25519 -C "your_email@example.com"

When prompted

• File to save the key: Press Enter to accept the default (~/.ssh/id_ed25519 or id_rsa).
• Passphrase: Optional but recommended. It encrypts the private key with an additional password.

This will generate two files:

• ~/.ssh/id_ed25519 – your private key.
• ~/.ssh/id_ed25519.pub – your public key.

5. Step 3: Copy the Public Key to the Arch Linux Server

There are several ways to do this:

Option A: Using ssh-copy-id (Recommended)

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server_ip

You’ll be prompted for your SSH password one last time.

Option B: Manual Method

If ssh-copy-id is not available:

1. Connect to the server:

ssh username@server_ip

2. Create .ssh directory (if it doesn’t exist):

mkdir -p ~/.ssh
chmod 700 ~/.ssh

3. Paste your public key into authorized_keys:

On your local machine, copy the key:

cat ~/.ssh/id_ed25519.pub

Paste it on the server into this file:

nano ~/.ssh/authorized_keys

4. Set proper permissions:

chmod 600 ~/.ssh/authorized_keys

6. Step 4: Configure the SSH Daemon

Open the SSH server configuration file:

sudo nano /etc/ssh/sshd_config

Ensure the following directives are set:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes   # We'll disable this later
ChallengeResponseAuthentication no
UsePAM yes

Save and exit.

7. Step 5: Disable Password Authentication

Once key-based login is confirmed to work, you can disable password authentication to prevent brute-force attacks.

Open the config file again:

sudo nano /etc/ssh/sshd_config

Change or add the following:

PasswordAuthentication no
ChallengeResponseAuthentication no

You may also consider:

PermitRootLogin no

Note: Don’t lock yourself out! Ensure key authentication works before doing this.

8. Step 6: Reload SSH Service

Apply the changes by restarting the SSH daemon:

sudo systemctl reload sshd

You can also use:

sudo systemctl restart sshd

To verify that password authentication is disabled:

sudo sshd -T | grep passwordauthentication

The output should show:

passwordauthentication no

9. Step 7: Test SSH Access

Open a new terminal session and connect to your server:

ssh username@server_ip

If you’re not prompted for a password (or only prompted for a passphrase if you set one), then key-based login is working correctly.

If you encounter any issues, check:

sudo journalctl -u sshd

And verify file permissions on:

• ~/.ssh should be 700
• ~/.ssh/authorized_keys should be 600
• Your user’s home directory should not be writable by others

10. Best Practices and Security Tips

Here are some additional recommendations for keeping your SSH access secure:

Use a Strong Passphrase

Encrypt your private key with a strong passphrase to protect it even if your machine is compromised.

Use a Key Agent

Use ssh-agent or gpg-agent to manage your passphrases and avoid entering them repeatedly.

Backup Your Keys Securely

Keep a backup of your private key in a secure, offline location (e.g., encrypted USB drive).

Set Idle Timeouts

Add to /etc/ssh/sshd_config:

ClientAliveInterval 300
ClientAliveCountMax 2

This disconnects idle sessions after 10 minutes.

Limit User Access

Only allow specific users to connect via SSH:

AllowUsers username1 username2

Restrict by IP (Optional)

Use firewall rules or tcp_wrappers to limit access to your server based on IP addresses.

11. Conclusion

Securing SSH with key-based authentication on Arch Linux is a straightforward yet powerful step in hardening your system’s security. It offers a significant improvement over traditional password-based logins by preventing common attack vectors like brute-force attempts and credential stuffing.

By following the steps outlined in this guide, you’ve not only implemented a best-practice method for secure SSH access but also prepared your system for more advanced configurations like automation, Ansible provisioning, or GitOps workflows.

Remember, security is not a one-time action but a continuous process. Regularly review your SSH configurations, monitor access logs, and keep your system updated.

If you’re looking to go even further, consider combining key-based authentication with tools like Fail2Ban, UFW, or 2FA for SSH using PAM modules for an even more robust security setup.