Setup SSH Key Based Authentication on Linux
SSH stands for Secure Shell. It is the protocol we use to connect to a server and manage it. SSH supports a few authentication methods. The most commonly used one is password authentication, but it is not the most secure way to connect to a server over SSH. There is another method, SSH key-based authentication, which is the most secure of the authentication methods available for SSH.
In this short tutorial, we will see what SSH key-based authentication is and how to set it up on our Linux servers. It might take some time to wrap your head around this method if you are using it for the first time, but if you read everything in this article, you will understand this authentication method from the ground up.
So, let's first understand how it works.
How does SSH key-based authentication work?
In this type of authentication, we do not use plain passwords to verify our identity. Instead, we use a pair of cryptographic keys. Two keys play a role in this method: one is called the private key and the other the public key.
The private key stays on the local computer at all times, and the public key is stored on the remote server. You can share the public key with anyone so that they can set it up for you on the remote server, but you must never share your private key, because sharing the private key is the same as sharing your password. Store your private key securely on your local computer.
A message encrypted with the public key can be decrypted only by the associated private key, and this is what makes the authentication possible.
In short, to make SSH keys work, we first have to create an SSH key pair that contains a public key and a private key. Then we store the public key on the remote server and the private key on the local computer. When connecting to the server, we use our private key for authentication instead of a plain password.
So, let's first create an SSH key pair.
Create SSH keypair
Creating an SSH key pair is a very easy task. If you are on a Linux machine, execute the following command to create one.
$ ssh-keygen
It will ask you some questions, such as the filename in which you want to store your public and private key. It will also ask you to enter and confirm a passphrase for your private key. Using a passphrase is a good practice, as it encrypts your private key with a password. If you do not want to set a passphrase, just press the Enter key twice.
The final output of the ssh-keygen command looks like the following.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/iamauser/.ssh/id_rsa): testkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in testkey.
Your public key has been saved in testkey.pub.
The key fingerprint is:
SHA256:pjSoUcv6HZlBhuBiSN+CDx6Sf0fwg/fNxRnjORaJO2w iamauser@iamauser
The key's randomart image is:
+---[RSA 2048]----+
| .. . .+. |
|ooo..= .o.* |
|==.o+.B . .O |
|+o+o.B o oEo . |
| .o.= = S.o. |
| = o B |
| o = |
| . . . |
| . . |
+----[SHA256]-----+
Once the SSH keys are ready, we can copy our public key to the remote server. There are many ways to complete this task; we are going to use the easiest one available.
Copy SSH Key to the Remote Server
Copying the SSH key to the remote server is easy. Basically, we just have to paste our public key into the ~/.ssh/authorized_keys file on the server. There is a program that does this in a single command. First, we will do it using the ssh-copy-id command, and then we will perform the same task manually.
Copy SSH key using ssh-copy-id
We can use the ssh-copy-id command to complete this task in one step. Execute the following command to copy your public key to the remote server.
$ ssh-copy-id -i ~/path/to/public_key.pub username@ip_address
Do not forget to set the path to your public key, the username and the IP address of the remote server on which you want to set up key-based authentication. It will ask you to enter the password to authenticate.
Once done, it shows the number of keys added to the server. The output of the command should look like the following.
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "testkey.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@ip_address'"
and check to make sure that only the key(s) you wanted were added.
If you see output like the text above, your public key is in place and you can now log in to your server using your private key instead of a password. Now, let's perform the same task manually (without using ssh-copy-id).
Copy Public Key Manually
If you do not want to use ssh-copy-id, you can use the following command to copy your public key from the local computer to the remote computer.
$ cat ~/path/to/public_key.pub | ssh username@ip_address "mkdir -p ~/.ssh && tee -a ~/.ssh/authorized_keys"
Do not forget to replace the path to your public key, the username and the IP address of the remote server. Once done, you will be able to log in to your server without entering the password.
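The manual command above appends the key blindly, so running it twice leaves two copies, and it does not set the permissions sshd checks when StrictModes is enabled. As an added example (not from the original article), the following POSIX shell function installs a public key into authorized_keys exactly once and fixes those permissions; the function names install_authorized_key and count_authorized_keys are chosen here, and the sample key material is a constructed placeholder, not a real key.

```shell
# Install a public key into authorized_keys exactly once, with the permissions
# sshd expects when StrictModes is on (0700 for ~/.ssh, 0600 for authorized_keys).
# Usage: install_authorized_key <pubkey-file> [authorized_keys-path]
install_authorized_key() {
    pubkey_file=$1
    auth_keys=${2:-"$HOME/.ssh/authorized_keys"}
    ssh_dir=$(dirname "$auth_keys")
    key_line=$(head -n 1 "$pubkey_file")
    # Accept only a single OpenSSH public-key line: known key type, base64 blob, optional comment.
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-*) ;;
        *) echo "unsupported key type in $pubkey_file" >&2; return 1 ;;
    esac
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key material in $pubkey_file" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    # Match on type and key material only, so a re-run with a different comment adds no duplicate.
    if awk '{print $1, $2}' "$auth_keys" | grep -qxF -- "$key_type $key_blob"; then
        echo "already installed"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "installed"
}

# Number of key lines (ignoring blanks and comments) in an authorized_keys file.
count_authorized_keys() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Constructed sample keys (placeholder key material, not a real key) so the demo runs offline.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkRGVtb0tleU1hdGVyaWFs user@laptop'
SAMPLE_KEY_RECOMMENTED='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkRGVtb0tleU1hdGVyaWFs user@desktop'

# demo: install the same key twice (second copy carries a new comment) and report the key count.
demo() {
    work=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KEY" > "$work/id_ed25519.pub"
    printf '%s\n' "$SAMPLE_KEY_RECOMMENTED" > "$work/id_ed25519_other.pub"
    install_authorized_key "$work/id_ed25519.pub" "$work/.ssh/authorized_keys" >/dev/null
    install_authorized_key "$work/id_ed25519_other.pub" "$work/.ssh/authorized_keys" >/dev/null
    count_authorized_keys "$work/.ssh/authorized_keys"
    rm -rf "$work"
}
```

Run demo to see that two installs of the same key leave a single authorized_keys entry; on a real server, call install_authorized_key with your .pub file and no second argument.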
Conclusion: SSH key-based authentication is the most secure authentication method available in SSH. It is always recommended to use a passphrase when creating SSH keys. The passphrase adds one more layer of security, as it encrypts your private key with a password; it means you will have to enter that password whenever you use the private key.
You can create multiple SSH key pairs for multiple servers, but you can also use the same public key on multiple servers for authentication. So, this is how you set up SSH key-based authentication on Linux machines. Let us know in the comment section if you need help setting up this method of authentication on your servers.