How To Enable Key Based Authentication in SSH

SSH supports different types of authentication, such as password-based authentication and private key-based authentication. In this article, we will look at how to enable key-based authentication in SSH.



Here are the steps to enable key based authentication in SSH.


1. Install OpenSSH

You need openssh-client on your client machine to configure key based authentication in SSH. It is installed in most Linux distributions. However, if it is not present in your client’s Linux system, run the following commands to install it.

CentOS/Fedora/RHEL

$ sudo yum -y install openssh-clients

Ubuntu/Debian

$ sudo apt-get -y install openssh-client



2. Generate Key Pairs

Run the following command to generate public/private key pairs.

$ ssh-keygen

You will be prompted to enter a passphrase. You can set one or leave it empty, depending on your requirement. If you set a passphrase, then you will need to enter it whenever the key is used for authentication.

$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/centos/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/centos/.ssh/id_rsa.
    Your public key has been saved in /home/centos/.ssh/id_rsa.pub.
    The key fingerprint is:
    a6:d6:61:a6:83:0a:ba:8a:ed:bd:6a:d7:4f:cc:ae:75 centos@ip-172-31-23-73
    The key's randomart image is:
    +--[ RSA 2048]----+
    |                 |
    |                 |
    |                 |
    |                 |
    |        S        |
    |     . X .       |
    |.   ..= * E      |
    |oo.o...= .       |
    |*+=oo..oo        |
    +-----------------+

It is recommended that you enter a passphrase so that even if someone gets hold of your private key, they will not be able to log into your system without entering the passphrase.

The above command will generate the private key file id_rsa and the public key file id_rsa.pub and store them in the ~/.ssh folder.



3. Copy Public Key to Remote Server

Next, you need to copy the public key at ~/.ssh/id_rsa.pub to your remote Linux server, where it is stored in ~/.ssh/authorized_keys.

There are multiple ways to copy the public key to the remote server. We will use the ssh-copy-id command that is installed along with openssh-client. Run the following command to copy the public key to the remote server. Replace root with your username, and server-IP-addr with your remote server’s IP address.

ssh-copy-id root@server-IP-addr

It will say that the authenticity of the host can't be established, and ask you whether to continue. Type yes and hit enter.

$ ssh-copy-id root@53.36.153.13
    The authenticity of host '53.36.153.13 (53.36.153.13)' can't be established.
    ECDSA key fingerprint is 20:09:1b:a8:65:18:78:ab:56:cd:21:2f:24:ed:b1:74.
    Are you sure you want to continue connecting (yes/no)? yes

Next, you will need to enter your user's password for the remote server. ssh-copy-id will find your public key and automatically add it to ~/.ssh/authorized_keys on the remote server.

You will see output similar to the following.

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@53.36.153.13's password:
Number of key(s) added: 1



4. Configure Key Based Authentication in SSH

Log into SSH with the following command from your client. Replace root with your username, and server-IP-address with your remote server’s IP address.

ssh root@server-IP-address

If you have added a passphrase to your private key, then you will be asked for that passphrase.

Then SSH will automatically log you in using the private key and key-based authentication.

However, you will still be able to log into SSH using only a password as before. To disable password-based authentication and enforce only key-based authentication, edit the default SSH server configuration file.

$ sudo vi /etc/ssh/sshd_config

Look for the following line

PasswordAuthentication yes

and change it to

PasswordAuthentication no
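
The edit above only takes effect if the changed line is the one sshd actually reads. The following is an added example, not part of the original article: it reports which PasswordAuthentication value a config file yields and writes a corrected copy. The function names and the sample file are constructed for illustration; it assumes the plain "Keyword value" form shown on this page and does not follow Include files.

```shell
#!/bin/sh
# Added example (not from the original article); sample config is constructed.

# Print the PasswordAuthentication value sshd takes from the global section of
# one config file: the first active occurrence wins, keywords are
# case-insensitive, commented lines are ignored, and the default is "yes".
password_auth_setting() {
    awk '
        $1 ~ /^#/ { next }                       # commented-out directive
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }          # unset means the default, yes
    ' "$1"
}

# Write a copy of config $1 to $2 with password logins disabled: drop every
# active global PasswordAuthentication line and put one directive first.
# Lines inside Match blocks are left untouched for manual review.
disable_password_auth() {
    {
        echo "PasswordAuthentication no"
        awk '
            tolower($1) == "match" { in_match = 1 }
            !in_match && tolower($1) == "passwordauthentication" { next }
            { print }
        ' "$1"
    } > "$2"
}

# Constructed sample: the "no" line is still commented out and an active "yes"
# appears further down, so password logins are in fact still enabled.
sample=$(mktemp) fixed=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
passwordauthentication yes
Match User backup
    PasswordAuthentication yes
EOF

echo "before: $(password_auth_setting "$sample")"
disable_password_auth "$sample" "$fixed"
echo "after:  $(password_auth_setting "$fixed")"
```

On the server itself, sudo sshd -T | grep -i passwordauthentication prints the effective value with Include files applied, and sudo sshd -t checks the file for syntax errors before you restart the service.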



5. Restart SSH Server

Restart the SSH server to apply changes.

CentOS/Fedora/RHEL

$ sudo systemctl restart sshd

Ubuntu/Debian

$ sudo service ssh restart

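It is recommended that you change the permissions of the .ssh folder so that no one else can access it. The folder itself needs mode 700, because the owner must be able to enter it, and the files inside it need mode 600.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/*

Also, create a backup of your private key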

cp ~/.ssh/id_rsa ~/.ssh/login_key

You can also log in using this copy of the key.

ssh -i ~/.ssh/login_key root@server-IP-address
