SSH communicates with the server in Linux. SSH public key authentication is vital in connecting to a Linux system without compromising the private key. Not only it saves from the hassle of creating passwords, but it also safeguards servers from brute-force attacks.
This guide will explain how to set up SSH Authentication keys using OpenSSH. You will need the OpenSSH client and server to set up a public key-based authentication system. If you implement the keys correctly, you can have a fast and secure way of accessing the server. To learn more about SSH, read the details given on Wikipedia.
What is SSH Public Key Authentication?
SSH public key authentication is the process of logging into a secure shell account. This type of account uses a cryptographic key instead of a password. This authentication mechanism provides several benefits to developers, such as permitting multiple developers to log into the system without sharing the password.
Why SSH Public Key Authentication?
Public key authentication provides more security over simple passwords. It provides security that the strongest password cannot achieve. SSH has a public-key mechanism that frees the user from remembering complicated passwords. a
In SSH, the user creates an SSH key pair for themselves. This key pair includes a public key and a private key. You copy the public key (also named id_rsa) to the server and use it to encrypt the data. The data can only be decrypted by the user who has the corresponding private key. These keys are also known as authorized keys.
In contrast to public keys, a private key, usually named id_rsa.pub, stays with the user only. You should never distribute this key to anybody nor share it. Private key acts like a user’s identity. They are also called identity keys.
How Does Public SSH Key Authentication Work?
Public and private keys play a crucial role in the security system. The system consists of a private key, a public key, and an authentication algorithm.
If something is encrypted with the public key, you can only decrypt it with the private key and vice-versa.
Moreover, the authentication algorithm is running in the background to keep SSH secure. Authentication works on two principles: signed communication and verification of communication.
SSH public key setup works like this:
- Prepare SSH public keys
- Copy the SSH public key to your server
- Authenticate to your server using SSH key
- Disable password authentication on the server
Step 1: Prepare SSH Public Keys
To get started with SSH authentication keys, first, create a hidden folder in your home directory using mkdir command.
mkdir -p ~/.sshSecondly, change the directory permission to your account only by using the chmod command.
Chmod 700 ~/.sshNow to generate a keypair, type:
ssh-keygen -t rsaIt will give an output similar to this:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:CAjsV9M/tt5skazroTc1ZRGCBz+kGtYUIPhRvvZJYBs username@hostname
The key's randomart image is:
+---[RSA 3072]----+
|o ..oo.++o .. |
| o o +o.o.+... |
|. . + oE.o.o . |
| . . oo.B+ .o |
| . .=S.+ + |
| . o..* |
| .+= o |
| .=.+ |
| .oo+ |
+----[SHA256]-----+
For keyphrase, type a new name or press enter for the default name. The recommendation is to use the default name.
The execution of this command will create two files:
- .ssh/id_rsa – contains private key.
- .ssh/id_rsa.pub – contains a public key.
Step 2: Copy the SSH Public Key to Your Server
The next step is to copy the public SSH key to the server. To perform this step, execute the ssh-copy-id command:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@serverThis command will require a remote host where you would connect to and the user account where you will store the public SSH key.
Instead of user@server, type your username and server address where the key authentication will be used.
If you saved the key pair using a different name and location, replace the path with your key name.
You will see the output similar to this:
The output shows that the computer has not recognized the remote host; type yes and press enter key. The command will then scan the local account to look for id_rsa.pub. It will then prompt for the password of the remote account as shown below:
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Here, you will type your password. The password won’t be visible, but you will write it anyway. After you press enter key, it will show the output similar to this:
Step 3: Authenticate to Your Server Using SSH Keys
The third step is to disable password authentication on the server. To achieve this, try to login to the remote host using the command:
ssh username@remote_hostMake sure that you replace username and remote_host with your own username.
After that, it will prompt you to enter the passphrase.
At this stage, you will have to enter the passphrase at every login if you supplied the passphrase at the time of key creation; otherwise, you will log in automatically.
To avoid this, you can save your passphrase by executing the following command:
ssh-agent $BASH
ssh-add ~/.ssh/id_rsaIf you saved the private key at another location instead of the default location, specify it when typing the key.
Step 4: Disable Password Authentication on the Server
After you have tested and configured the SSH public key, the next step is to disable the password authentication for SSH to avoid brute-force attacks. Since you set up the SSH successfully, the password authentication mechanism is still active, implying that the server is exposed to the attack.
Before completing this step, make sure you have access to the root folder or use an account with sudo privileges.
Firstly, open the SSH file by executing the following command:
sudo nano /etc/ssh/sshd_configSecondly, type “no” in password authentication.
PasswordAuthentication noAfter that, enable public authentication.
PubkeyAuthentication yesNow to restart the SSH server, use the command systemctl as shown below:
sudo systemctl restart sshFinally, your public SSH key authentication system is up and running.
In conclusion, these steps will enable a properly configured SSH-based key authentication system on the server. It is crucial to keep SSH private keys secure. Hence, it is important to keep the private key encrypted with the passphrase and send the public key to the server.
