SSH supports different types of authentication, such as password-based authentication and private-key-based authentication. In this article, we will look at how to enable key-based authentication in SSH.
How To Enable Key Based Authentication in SSH
Here are the steps to enable key based authentication in SSH.
1. Install Open SSH
You need the OpenSSH client on your client machine to configure key-based authentication in SSH. It is installed in most Linux distributions. However, if it is not present on your client's Linux system, run the appropriate command below to install it (yum for RHEL/CentOS, apt-get for Debian/Ubuntu).
sudo yum -y install openssh-clients
sudo apt-get -y install openssh-client
2. Generate Key Pairs
Run the following command to generate public/private key pairs.
You will be prompted to enter a passphrase. You can set one or leave it empty, depending on your requirement. If you set one, you will need to enter that passphrase each time the private key is used for authentication.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/centos/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/centos/.ssh/id_rsa.
Your public key has been saved in /home/centos/.ssh/id_rsa.pub.
The key fingerprint is:
a6:d6:61:a6:83:0a:ba:8a:ed:bd:6a:d7:4f:cc:ae:75 centos@ip-172-31-23-73
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|                 |
|        S        |
|       . X .     |
|.  ..= * E       |
|oo.o...= .       |
|*+=oo..oo        |
+-----------------+
It is recommended that you enter a passphrase, so that even if someone gets hold of your private key, they will not be able to log into your system without also knowing the passphrase.
The above command generates the private key file id_rsa and the public key file id_rsa.pub and stores them in the ~/.ssh folder.
3. Copy Public Key to Remote Server
Next, you need to copy the public key at ~/.ssh/id_rsa.pub to your remote Linux server, where it is appended to ~/.ssh/authorized_keys for the account you will log in as.
There are multiple ways to copy a public key to a remote server. We will use the ssh-copy-id command, which is installed along with openssh-client. Run the following command to copy the public key to the remote server. Replace root with your username, and server-ip-addr with your remote server's IP address.
The first time you connect, it will say that the authenticity of the host can't be established and ask whether to continue. Verify the fingerprint if you can, then type yes and hit enter.
$ ssh-copy-id root@server-ip-addr
The authenticity of host '188.8.131.52 (184.108.40.206)' can't be established.
ECDSA key fingerprint is 20:09:1b:a8:65:18:78:ab:56:cd:21:2f:24:ed:b1:74.
Are you sure you want to continue connecting (yes/no)? yes
Next, you will need to enter your user's password for the remote server. ssh-copy-id reads your public key and appends it to that user's ~/.ssh/authorized_keys on the remote server.
You will see output similar to the following.
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server-ip-addr's password:
Number of key(s) added: 1
4. Configure Key Based Authentication in SSH
Now log into the remote server over SSH from your client, using ssh root@server-ip-addr as before. Replace root with your username, and server-ip-addr with your remote server's IP address.
If you have added a passphrase to your public/private key file, then you will be asked for that passphrase.
Then SSH will automatically log you in using your private key, that is, with key-based authentication.
However, you will still be able to log into SSH using only a password, as before. To disable password-based authentication and enforce key-based authentication only, edit the default SSH daemon configuration file.
sudo vi /etc/ssh/sshd_config
Look for the line that sets PasswordAuthentication (it may be commented out with a leading #) and change its value from yes to no. Before restarting sshd, confirm in a separate session that key-based login already works, so you do not lock yourself out.
5. Restart SSH Server
Restart the SSH server (sshd) to apply the changes. Use whichever of the following commands your distribution provides.
$ systemctl restart sshd
service ssh restart
It is recommended that you restrict the permissions of the .ssh folder and the private key so that no one else can read them. The folder needs mode 700 (it must keep its execute bit to be usable) and the private key mode 600; ssh refuses to use a private key whose permissions are too open.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
Also, create a backup copy of your private key
cp ~/.ssh/id_rsa ~/.ssh/login_key
You can also login using this new key.
ssh -i ~/.ssh/login_key root@server-IP-address
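The sshd_config edit in step 4 and the permission check above are the two places where a slip locks you out or exposes the key. As an added example that is not part of the original article, the following POSIX sh helpers handle both: set_sshd_option rewrites a directive even when it is commented out and keeps it above any Match block, and ssh_perms_ok checks a .ssh directory against the modes given above. The function names and the sample config in the comments are my own.

```shell
#!/bin/sh
# Added helpers (not from the original article) for the two risky steps above.

# set_sshd_option FILE KEY VALUE
# Rewrites the first top-level KEY line (even a commented-out "#KEY yes"),
# drops later duplicates, and inserts the directive before any "Match" block
# so it is never appended inside one by mistake. Edits FILE in place.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        /^[ \t]*Match[ \t]/ {               # Match blocks hold per-user/host overrides
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and a leading "#"
            split(line, f, /[ \t=]+/)
            if (!in_match && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                        # drop duplicates and stale commented copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# ssh_perms_ok DIR
# Returns 0 if DIR is mode 0700 and every private key (id_* without .pub)
# and authorized_keys inside it is mode 0600; prints each offender otherwise.
ssh_perms_ok() {
    dir=$1 ok=0
    [ -n "$(find "$dir" -prune -perm 0700)" ] || { echo "$dir is not 0700"; ok=1; }
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        case $f in *.pub) continue ;; esac
        [ -f "$f" ] || continue
        [ -n "$(find "$f" -prune -perm 0600)" ] || { echo "$f is not 0600"; ok=1; }
    done
    return $ok
}
```

After running set_sshd_option on /etc/ssh/sshd_config (as root), validate the file with sudo sshd -t and keep a working key-based session open until the restarted daemon has accepted a fresh login.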