How To Configure SSH Key-Based Authentication on a Linux Server
SSH key-based authentication allows users to SSH into the server without entering their passwords. SSH keys are also more secure than passwords because the private key used to secure the connection is never shared. Private keys can also be encrypted so their content can't be read as easily. While SSH passwords are not required once keys are set up, passphrases for decrypting the private keys locally are still required.
To improve system security even further, you can enforce key-based authentication by disabling standard password authentication in the SSH server configuration:
PasswordAuthentication no
Generate SSH Key Pair:
We can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
# ssh-keygen -t rsa
OR
# ssh-keygen -t dsa
After this, you will be presented with a message similar to this:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a6:1a:bf:51:f4:60:bc:53:96:ad:4a:08:41:a3:99:33 root@srv.techoism.com
The key's randomart image is:
+--[ RSA 2048]----+
| .+ |
| + o . o |
| E . = + . |
| o . + * . |
| . S o |
| = o |
| . o . |
| + . |
| . o. |
+-----------------+
I have created the key with a passphrase. You can also create the key without a passphrase.
Copying Public Key
Next, we need to copy the public key to our remote server. Here I am choosing the default non-root user as the remote user, but you can also use the root user. Use the command below to copy the public key.
# ssh-copy-id dennis@172.20.10.9
Sample Output:
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
dennis@172.20.10.9's password:
Number of key(s) added: 1
Now try logging into the machine, with "ssh 'dennis@172.20.10.9'"
and check to make sure that only the key(s) you wanted were added.
This creates the authorized_keys file in the user's .ssh directory.
Note: You can also add the public key manually using the following steps:
1. Copy the public key.
# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkUPtTzfssbKiH9G7UuzXuKUJrlon3iDNvDXFpGr+tT766sZaAkM/8TVKuKdT4srP/r0lJUoodevc2kIjUw9LqxM/oEqsH4qCFAu2YInf7cgOX9uVVfxDivhdQgt8gEOX4W198Epq7cwvKvGbxjONCSKVLyEcKMVajKmG20yfNvC9opTgdg47Xzo4WPxA/O89TDrxRfyBBawg4P7d4vYxgIEGJidBsKA1KxZpfhU/v2u2lFVd0YYiJaFZc63AQgLlsYe/8B6hHj2VgYHVH8DyxOv17k/bn9yNoJzu8dZnzUCtd3n2FmgfbJRC2W1wNxOLhlFTfiejloL2rDz2d20vB root@srv.techoism.com
2. Access the remote server and follow the steps below to copy the public key into the user's home directory.
# su - dennis
# mkdir .ssh
# chmod 700 .ssh
# cd .ssh
Now, you can create or modify the authorized_keys file within this directory.
# vim authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkUPtTzfssbKiH9G7UuzXuKUJrlon3iDNvDXFpGr+tT766sZaAkM/8TVKuKdT4srP/r0lJUoodevc2kIjUw9LqxM/oEqsH4qCFAu2YInf7cgOX9uVVfxDivhdQgt8gEOX4W198Epq7cwvKvGbxjONCSKVLyEcKMVajKmG20yfNvC9opTgdg47Xzo4WPxA/O89TDrxRfyBBawg4P7d4vYxgIEGJidBsKA1KxZpfhU/v2u2lFVd0YYiJaFZc63AQgLlsYe/8B6hHj2VgYHVH8DyxOv17k/bn9yNoJzu8dZnzUCtd3n2FmgfbJRC2W1wNxOLhlFTfiejloL2rDz2d20vB root@srv.techoism.com
Then change the permissions of the authorized_keys file.
# chmod 600 authorized_keys
Access Your Server Using SSH Keys
After completing the above procedure, you should be able to log in to the remote host without the remote user’s password.
# ssh dennis@172.20.10.9
It will now ask for the passphrase that we set when creating the key pair.
We hope this article is helpful to you.
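The modes set in the manual steps (700 on .ssh, 600 on authorized_keys) and the PasswordAuthentication no setting can be checked with a script like the one below, an added example that is not part of the original article. The function names audit_ssh_dir and password_auth_disabled and the paths in the usage comment are assumptions, and the configuration check reads only the file it is given.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Octal permission bits of a path (GNU stat, as shipped on Linux).
mode_of() { stat -c '%a' "$1"; }

# audit_ssh_dir HOME: succeeds only if HOME/.ssh is 700, authorized_keys is
# 600, and every entry is a complete public key on a single line.
audit_ssh_dir() {
    dir="$1/.ssh"; file="$dir/authorized_keys"; rc=0
    [ -d "$dir" ]  || { echo "FAIL: $dir is missing"; return 1; }
    [ -f "$file" ] || { echo "FAIL: $file is missing"; return 1; }
    [ "$(mode_of "$dir")" = 700 ] ||
        { echo "FAIL: $dir is mode $(mode_of "$dir"), expected 700"; rc=1; }
    [ "$(mode_of "$file")" = 600 ] ||
        { echo "FAIL: $file is mode $(mode_of "$file"), expected 600"; rc=1; }
    # Entries are the non-blank, non-comment lines. A key that an editor
    # wrapped while pasting leaves a line without "<type> <base64>" on it.
    entries=$(grep -cvE '^[[:space:]]*(#|$)' "$file" || true)
    valid=$(grep -vE '^[[:space:]]*(#|$)' "$file" | grep -cE \
        '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]{60,}=*([[:space:]]|$)' || true)
    [ "$entries" -eq "$valid" ] ||
        { echo "FAIL: $((entries - valid)) malformed line(s) in $file"; rc=1; }
    echo "$valid well-formed key(s) in $file"
    return "$rc"
}

# password_auth_disabled FILE: succeeds if the first PasswordAuthentication
# directive in an sshd_config-style FILE is "no" (sshd keeps the first value
# it reads; an absent directive means the default, "yes"). Simplification:
# Match blocks and Include files are not followed; "sshd -T" prints the
# effective settings on a live server.
password_auth_disabled() {
    value=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$value" = no ]
}

# Run the audit when arguments are given, e.g.:
#   sh audit.sh /home/dennis /etc/ssh/sshd_config   (paths are assumptions)
if [ "$#" -ge 1 ]; then
    audit_ssh_dir "$1"
    [ -z "${2:-}" ] || password_auth_disabled "$2" ||
        echo "FAIL: password logins are still allowed by $2"
fi
```

Run it while password login still works, so a malformed key line can be fixed before password authentication is turned off.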
Enjoy it!