SSH public key authentication

Before getting started, we suggest you Learn Linux Basics and follow these precautions.

Updated: 2019-03-09
Created: 2010-01-27

This How-To will walk you through setting up public key authentication over SSH. Using key-based authentication instead of passwords means you don't have to give away system passwords. This has several benefits. For example, it can be used to automate authentication, or to enhance security by requiring a user-generated key in addition to a passphrase. Key-based authentication also simplifies the distribution and management of login credentials across several remote systems.

This How-To assumes OpenSSH is the SSH software installed on both the local client and remote system. Local client refers to the machine you're currently sitting at, and remote system is the machine at another location.

Step 1

As a regular user, we need to generate a public/private RSA key pair on the local client.

ssh-keygen -t rsa

Note: RSA is the algorithm we've chosen for public-key cryptography. The RSA key size is adjustable, and the default is "twice" the key strength of DSA.

Step 2

Enter file in which to save the key. In this case we're saving to /home/username/.ssh/ and naming the key something identifiable.

/home/username/.ssh/linuxlookup_rsa

Step 3

Enter passphrase (empty for no passphrase). We strongly encourage you to use a passphrase; leaving this empty is not secure. Choose one that is memorable and strong, perhaps a favorite poem or quote.

Once completed, you should see something like this:

Generating public/private rsa key pair.
Your identification has been saved in /home/username/.ssh/linuxlookup_rsa.
Your public key has been saved in /home/username/.ssh/linuxlookup_rsa.pub.
The key fingerprint is:
2e:92:1d:e2:bb:6c:92:b7:9d:c4:f0:6c:cf:3d:ec:6a username@linuxlookup
The key's randomart image is:
+--[ RSA 2048]----+
|               |
|               |
|               |
|               |
|    o . S      |
|   . O o       |
|   .+ O ..     |
|  o.o* =LL.o   |
|   +=oo.+oo.   |
+---------------+

You should now have two files in your ~/.ssh directory; together these are known as a key pair.

1. linuxlookup_rsa is our passphrase-encrypted Private Key.
2. linuxlookup_rsa.pub is our Public Key.

Step 4

Next, we need to install your public key in the remote system's authorized_keys file.

The public portion of the RSA key pair must be copied to the remote system that will be accessed by the client. ssh-copy-id does this for you, appending the key to ~/.ssh/authorized_keys on the remote system:

ssh-copy-id -i ~/.ssh/linuxlookup_rsa.pub username@example.com

Step 5

Verify public key authentication is working by logging in to the remote system.

ssh username@example.com

From this point forward you will be prompted for the passphrase, not the system password.

Step 6

Public key authentication can prevent brute force SSH attacks, but only if all password-based authentication methods are disabled. Once public key authentication has been confirmed to be working, disable regular password authentication by editing /etc/ssh/sshd_config (sometimes /etc/sshd_config) and setting the following option to no. Keep your current session open until you have confirmed that a fresh key-based login still succeeds after the change, so you are not locked out.

PasswordAuthentication no
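
A quick way to confirm that this change actually took effect, as an added example that is not part of the original How-To: sshd uses the first PasswordAuthentication directive it reads, so a "no" appended at the end of a file that already contains an earlier "yes" is silently ignored. The helper below reports the effective global value (skipping Match blocks, which apply only to the users or hosts they match) and can be pointed at any other sshd_config keyword; the sample config it runs on is constructed here to show the pitfall.

```shell
#!/bin/sh
# Added example: check what sshd will actually use for a keyword.
# sshd honours the FIRST occurrence of a keyword; later duplicates are
# ignored. Anything after a "Match" line belongs to that block, not the
# global settings, so it is skipped here.

# Usage: effective_sshd_option /path/to/sshd_config Keyword default
# Prints the effective global value in lower case.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        tolower($1) == "match" { in_match = 1 }   # start of a Match block
        in_match               { next }           # block settings are not global
        tolower($1) == key && !found {
            val = ($2 == "=") ? $3 : $2           # allow "Keyword = value"
            print tolower(val); found = 1
        }
        END { if (!found) print def }             # keyword absent: sshd default
    ' "$1"
}

# Returns 0 if password logins are disabled, 1 otherwise.
# sshd defaults PasswordAuthentication to "yes" when the keyword is absent.
password_auth_disabled() {
    [ "$(effective_sshd_option "$1" PasswordAuthentication yes)" = "no" ]
}

# Demo on a constructed config that LOOKS hardened but is not:
# the "no" was appended after an existing "yes", so "yes" wins.
tmpcfg="${TMPDIR:-/tmp}/sshd_config.example.$$"
printf '%s\n' \
    'Port 22' \
    '#PasswordAuthentication no' \
    'PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$tmpcfg"
if password_auth_disabled "$tmpcfg"; then
    echo "password authentication is disabled"
else
    echo "WARNING: password authentication still enabled (first directive wins)"
fi
rm -f "$tmpcfg"
```

Run it against the real file with password_auth_disabled /etc/ssh/sshd_config after editing, and remember that sshd only reads the file when it starts or is told to reload its configuration.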

Options

Use the following command if you ever want to change the current passphrase:

ssh-keygen -p

Be aware

As mentioned, the use of public key authentication is more secure than typical passwords. Neither the passphrase nor the private key is transmitted from the client machine during the authentication process. However, this security is lost if the private key is stolen. It is important that you store your private key only on a trusted system, never on a public workstation. Also, keep a backup copy of your keys.