When using a VPS in Japan, security and access efficiency are key concerns. Compared to traditional username-and-password login, SSH key login offers greater security and convenience, and it is the standard method in production environments and DevOps work. SSH keys are an asymmetric encryption mechanism based on a public/private key pair. They mitigate the risk of password brute-force attacks and enable password-free automated login, making them suitable for frequent remote operations. To ensure a smooth process for enabling SSH key login on a VPS in Japan, the following sections cover environment preparation, key generation, server configuration, client login, and security hardening.
First, you need to generate a key pair on the client. Different operating systems require different tools, but in most Linux and macOS environments, you can directly use the ssh-keygen command. On Windows, you can use PuTTYgen or the built-in OpenSSH tool. For example, the command to generate a key in Linux or macOS is as follows:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
In the above command, -t rsa specifies an RSA key type, -b 4096 specifies a 4096-bit key length, and the -C option adds a comment to the key for easy identification. After executing the command, the system will prompt for a save path (the default is ~/.ssh/id_rsa). A corresponding public key file, id_rsa.pub, will also be generated. You can set a passphrase for the private key to further enhance security.
In Windows, if using PuTTYgen, click the "Generate" button to generate the key and save both the private and public key files. If using OpenSSH in Windows 10 or later, the command is almost identical to the Linux command and can be executed in PowerShell.
After generating the key pair, you need to upload the public key to the Japan VPS server. Assuming the server's IP address is 192.168.0.10 and the username is root, you can use the ssh-copy-id command to upload the public key:
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.0.10
After executing this command, you will be prompted for the server account's password. Once completed, the public key will be automatically written to the server's ~/.ssh/authorized_keys file. If your client doesn't support ssh-copy-id, you can manually copy the public key file contents and add it to the designated file on the VPS server.
To add the key manually, first log in to the VPS using the password:
ssh root@192.168.0.10
Then, create the .ssh directory on the server and set appropriate permissions:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
Next, edit the authorized_keys file and paste the public key:
nano ~/.ssh/authorized_keys
Save and set permissions:
chmod 600 ~/.ssh/authorized_keys
At this point, SSH key authentication is configured.
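The manual steps above, and the per-user revocation described later in the article, as added example functions (not from the original article): install a public key into authorized_keys idempotently with the 700/600 permissions, and remove it again by key material. The .ssh directory is a parameter so the same functions serve any user's home; the sample key in the comments is constructed, and plain key lines without option prefixes are assumed.

```shell
# Added example (not from the original article): idempotent authorized_keys handling.
# Assumes plain "type base64 [comment]" key lines, no option prefixes; sample key constructed.

install_pubkey() {   # $1: public key line "type base64 [comment]", $2: .ssh dir
    key=$1; dir=${2:-$HOME/.ssh}; auth=$dir/authorized_keys
    # Accept only OpenSSH public-key lines: a pasted private key or stray text
    # must never reach authorized_keys.
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|sk-*\ *) ;;
        *) echo "install_pubkey: not an OpenSSH public key line" >&2; return 2 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir"       # permissions from the steps above
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # Compare type + key material only, so the same key with a different comment
    # (e.g. "alice@laptop" vs "alice@desktop") is not appended twice.
    mat=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    awk -v k="$mat" '($1 " " $2) == k { f=1 } END { exit !f }' "$auth" && return 0
    printf '%s\n' "$key" >> "$auth"
}

revoke_pubkey() {    # $1: public key line to remove (comment ignored), $2: .ssh dir
    key=$1; dir=${2:-$HOME/.ssh}; auth=$dir/authorized_keys
    [ -f "$auth" ] || return 0
    mat=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    # Rewrite via a temp file and rename so an interrupted write cannot truncate the file.
    awk -v k="$mat" '($1 " " $2) != k' "$auth" > "$auth.tmp" && mv "$auth.tmp" "$auth"
    chmod 600 "$auth"
}

count_keys() {       # $1: .ssh dir; prints the number of key lines in authorized_keys
    auth=${1:-$HOME/.ssh}/authorized_keys
    [ -f "$auth" ] || { echo 0; return 0; }
    awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$auth"
}
```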
To test the client login, you can directly execute:
ssh root@192.168.0.10
If the private key is stored in the default path and there is no passphrase, the login will be direct, without the need to enter a password. If the private key is stored elsewhere, you can specify the private key file:
ssh -i ~/.ssh/custom_id_rsa root@192.168.0.10
If a passphrase is set for the private key, you will be prompted to enter it each time you connect. You can use ssh-agent to cache the decrypted key so the passphrase only has to be entered once. To enable ssh-agent, do the following:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
This will prevent you from having to repeatedly enter the passphrase during the current session.
To further improve security, disable password login in the server's SSH configuration file, allowing only key login. Edit the configuration file:
nano /etc/ssh/sshd_config
Find and modify the following configuration:
PasswordAuthentication no
PermitRootLogin prohibit-password
PasswordAuthentication no disables password authentication, while PermitRootLogin prohibit-password restricts the root account to key authentication only. After completing the modification, restart the SSH service:
systemctl restart sshd
Before performing this step, confirm that key authentication is working properly to avoid server connection failures due to configuration errors.
In addition to the basic configuration, you can also perform some security hardening measures. For example, change the default port 22 to a custom port:
Port 2222
and allow connections to the new port in the firewall. Alternatively, use Fail2ban to limit failed login attempts and block brute-force attacks. To install and start Fail2ban:
apt-get install fail2ban -y
systemctl enable fail2ban
systemctl start fail2ban
These measures can further reduce the risk of attacks.
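As an added example (not from the original article), the functions below report the value sshd will actually use for a directive and audit a config file against the hardening settings above (PasswordAuthentication, PermitRootLogin, Port). The point they demonstrate: sshd keeps the first occurrence of a keyword, and Include files are read where the Include line sits, so a PasswordAuthentication in an included file can silently override the edit made in /etc/ssh/sshd_config. Assumptions: relative Include paths are not resolved against /etc/ssh, and the sample config in the test is constructed.

```shell
# Added example (not from the original article): effective sshd_config values and audit.
# sshd rules modelled: first occurrence of a keyword wins, keywords are case-insensitive,
# "Key value" and "Key=value" are both accepted, Include is expanded in place, and only
# directives before the first Match block are global. Relative Include paths not resolved.

_scan() {   # $1: file, $2: lowercase keyword; prints the value and returns 0 if found
    scan_file=$1; scan_want=$2
    [ -f "$scan_file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        set -- $(printf '%s' "$line" | tr '=' ' ')    # split keyword and arguments
        [ $# -gt 0 ] || continue
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$kw" in
            match) return 1 ;;                        # global section ends here
            include) shift
                     for pat in "$@"; do for inc in $pat; do
                         _scan "$inc" "$scan_want" && return 0
                     done; done ;;
            "$scan_want") echo "$2"; return 0 ;;
        esac
    done < "$scan_file"
    return 1
}

sshd_effective() {   # $1: sshd_config path, $2: keyword; prints "" when not set
    _scan "$1" "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" || true
}

audit_sshd_config() {   # returns 0 when hardened; prints one line per finding
    rc=0
    pa=$(sshd_effective "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    prl=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    pka=$(sshd_effective "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')
    port=$(sshd_effective "$1" Port)
    # PasswordAuthentication defaults to yes when unset, so unset is a finding too
    [ "$pa" = no ] || { echo "PasswordAuthentication=${pa:-unset} (password login allowed)"; rc=1; }
    case "$prl" in prohibit-password|no) ;;
        *) echo "PermitRootLogin=${prl:-unset} (set prohibit-password explicitly)"; rc=1 ;; esac
    # an explicit "no" here would lock every key user out once passwords are off
    [ "$pka" != no ] || { echo "PubkeyAuthentication=no (key login disabled)"; rc=1; }
    [ -n "$port" ] && [ "$port" != 22 ] || echo "note: still listening on default port ${port:-22}"
    return $rc
}
```

On the server itself, sshd -T prints the effective values after the same Include and Match processing, which is the authoritative check to run before the restart.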
In a multi-user environment, generate a separate key pair for each user and manage the authorized_keys file on the server to ensure privilege separation. To revoke a user's access rights, simply delete the corresponding public key. For scenarios requiring bulk management, you can use configuration management tools such as Ansible or SaltStack to automatically distribute public keys to multiple Japanese VPS servers.
Finally, it's important to emphasize the security of your private key. Private key files must not be leaked or disclosed without authorization. It's recommended that you properly store them and avoid transmitting them through insecure channels. For critical business systems, it's recommended to enable a key passphrase and utilize multi-factor authentication to further enhance overall security.
In summary, the complete process for configuring SSH key login on a Japan VPS includes generating a key pair on the client, uploading and configuring the public key to the server, testing password-free login, modifying the SSH configuration to disable password authentication, and implementing security hardening measures. SSH key authentication not only improves remote access security but also increases login efficiency, making it a crucial foundational step for both businesses and individuals managing a Japan VPS.