How To Configure SSH Public Key Authentication on Linux Server

How To Configure SSH Public Key Authentication on Linux Server. SSH, short for Secure Shell, is the most widely used and trusted network protocol used for securely logging into remote device such as servers and routers. All in all, it ensures encrypted data communications across devices and facilitates transfer of files over a network via the SCP protocol. Basically,  SSH works in a client server architecture where the SSH client initiates a connection to the SSH server where tasks are carried out.  There are two modes of authentication:

Two of the most widely used SSH authentication methods are: 

The most robust of these authentication methods is the Public Key authentication. Consequently, it offers greater protection of data unlike password authentication which is prone to security risks, in particular, brute force attacks. In this guide, we focus on SSH Public Key authentication and how to configure it.

What is a Public Key Authentication?

Equally, the public key is a cryptographic key that is copied to the remote server you connect to. It encrypts the message being sent to the remote server which is then decrypted by a user who holds a corresponding private key. As the name infers, the public key is copied or shared across multiple servers that you wish to connect to.

A private key is a counterpart to the public key. Generated alongside the public key and never to be shared with anyone. No copies of this key are to be distributed. The private key is proof of the user’s identity and only the user in possession of the key which corresponds to the public key copied on the remote server successfully authenticates it.

How SSH Key authentication works

As earlier stated, SSH Key authentication employs two keys for authentication. A public key for encryption and a private key for decryption.

During authentication, the user on the client side sends a connection request to the remote server. This sets off a challenge response sequence. Especially, the remote SSH server receives the request and uses the public key to encrypt the message and then sends it back to the client. The SSH client, upon receiving the encrypted challenge request, decrypts it using the associated private key and sends it back to the server, granting authentication. The challenge response sequence happens so fast and automatically between the SSH client to the remote server and no manual intervention is required on the user’s part.

Benefits of Using SSH Key authentication

Increased security during authentication

Security with public key authentication offers several secure public key algorithms for authentication keys including RSA, DSA, and ECDSA. These improve security and free users from the agony of always having to remember the username and password each time when logging in.

Addresses password vulnerabilities

Here, the SSH Key authentication eliminates such challenges and ensures only the user with the private key accesses the system.

Enables secure automation

Additionally, SSH Key authentication provides password less login to remote systems. In turn, this facilitates automation processes such as Ansible automation, which allows processes to be executed seamlessly on remote systems without password prompts.

Configure SSH Key Authentication on a Linux Server

Up next we configure Public key authentication on a Linux server. To accomplish this, we demonstrate it using the following lab setup.

Host machine:      IP: 194.195.216.42

 

Remote machine:  IP: 194.195.216.91

Using our setup, we login to the host machine and generate a key pair. Next, we copy the public key to the remote system and verify public key authentication.

Step 1: Generate SSH Keys

Once you are logged in to your host machine, generate an SSH key pair as shown.

				
					$ ssh-keygen
				
			

By default, the command generates a 2048-bit RSA key pair. For better security, you generate a 4096-bit RSA key pair using the -b 4096 option as shown.

				
					$ ssh-keygen -b 4096
				
			

The command walks you through a couple of prompts. First, you are prompted to specify the path to save the key pair. The default path is the ~/.ssh directory in your home directory which is okay. So press ENTER.

Next, you are prompted for a passphrase. Here’s you provide a passphrase or not. Evidently, it is an added layer of protection which requires you to type a password when connection to the remote host.  After, please provide a passphrase and confirm it. However,  If your end goal is to connect without any password, leave it blank.

Finally, details about the location of the key pair and fingerprint is printed on the terminal.

Step 2: Copy the Public Key to the Remote Server

The next step  is to copy the public key to the remote server. In order to do this, use the ssh-copy-id command:

				
					ssh-copy-id user@host-ip
				
			

Be sure to replace user with the remote user and host-ip with the remote server’s IP address. The command is:

				
					ssh-copy-id alex@194.195.216.91
				
			

If you are connecting for the first time, the system informs you that the host’s authenticity cannot be established and the ECDSA key fingerprint will be printed. To continue connecting, type ‘yes‘ and hit ENTER.

Following, the system scans for the public key that you generated in Step 1 and you are prompted for the remote user’s password. Type in the password and hit ENTER. After successfully copying the key, you see the notification that a single key has been added: Number of key(s) added: 1

Finally, you get instructions for logging in to the remote system.

Once the public key has successfully been copied on the remote server, a file called known_hosts is created in the ~/.ssh directory. Furthermore, this is a file that contains the SSH fingerprints of the remote hosts that you have connected to. This is basically the identity of the remote system.

Step 3: Login using SSH Key authentication

At this point, SSH public key authentication is enabled. To verify this, login to the remote server using SSH as shown.

				
					ssh alex@194.195.216.91
				
			

Once hit ENTER, you are in the remote user’s shell in the home directory without being prompted for a password. This is sure proof that SSH Key authentication has been configured.

On the remote system, the public key is saved in a file called authorized_keys, which is located in the ~/.ssh directory.  The file contains a list of public keys that identifies client systems that are allowed to connect to the server. View the file using the cat command:

				
					cat ~/.ssh/authorized_keys
				
			

Step 4: Disable Password authentication

Although we have successfully configured SSH Key authentication, password authentication is still enabled and someone can still login to the remote system from a different system. Since we have seen that password authentication is prone to brute force attacks, it’s prudent that you disable password authentication.

To do this, open the SSH configuration file using your preferred text editor.

				
					$ sudo nano /etc/ssh/sshd_config
				
			

Locate and modify the following line to look as shown.

				
					PasswordAuthentication no
				
			

Save the changes, then exit the editor. To effect the changes, restart the SSH service as shown.

				
					$ sudo systemctl restart ssh

				
			

Finally, password authentication has been disabled, and you only login using SSH public key authentication.

Thank you for reading article How To Configure SSH Public Key Authentication on Linux Server. We shall conclude the article now. 

How To Configure SSH Public Key Authentication on Linux Server Conclusion

Indeed, SSH Key authentication remains one of the most secure and reliable authentication methods. However caution should be taken not to disclose or share the private key with any user as this potentially compromises the security of your system. In this guide, we have demonstrated how to configure SSH Key authentication on a Linux server.

Fell free to explore our Linux Ubuntu content of our blog, by navigating here

Avatar for James Kiarie
James Kiarie

Hello everyone! My name is James, a certified Linux Administrator, and a tech enthusiast with over 5 years of experience in penning down high-quality guides on Linux and Cloud technologies. Outside work hours I enjoy working out, swimming, listening to music, and reading fiction novels.

0 0 votes
Article Rating
Subscribe
Notify of
0 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x