How to Use SSH key Authentication

Disclosure
Some of the links in this post are affiliate links and if you go through them to make a purchase I will earn a commission. Keep in mind that I link these companies and their products because of their quality and not because of the commission I receive from your purchases. The decision is yours, and whether or not you decide to buy something is completely up to you. Read more

Secure Shell supports various authentication mechanisms. The two most used methods are:

  • Password based authentication
  • Public SSH key authentication

In this article, we will discuss how to use Public SSH key authentication, which enables you to log in to your SSH server using a cryptographic key rather than a password.

Benefits of using public key authentication

  • Protect against brute-force attacks
  • Quick and easy to log in compared to password method
  • Allow multiple users to log in without sharing single password
  • Revoke a single user without affecting others

Setup public key based authentication

This tutorial covers how to setup public key based authentication on Unix-based client machine. We’ll discuss how to do this on Windows in future articles.

You need to generate a unique key pair which consists of a public key (on the server) and a private key (on the client) for each client machine.

Generating SSH key pair is done on the client machine, and then the public key is transferred to the remote server machine. However, it is possible to create the keys on the server and transfer them to the client machine. But this method is highly not recommended.

Also keep in mind that we are going to assume the server is running Linux-based OS, as most of the servers are running Linux nowadays.

The following steps will guide you through the process of configuring public key based authentication:

1- Check if you have existing SSH keys

Before generating new SSH key pair, you have to check if there is an existing key pair on your machine in the default location, otherwise they will be overwritten.

To check if existing key are present, run the following command:

$ ls -al ~/.ssh/id_*

If you see No such file or directory it means you don’t have an SSH key.

Otherwise, if it happened to be that you have a previous SSH keys that you need, you have to create a backup as we will discuss in the next step or you may skip if backup is of no concern.

2- Backup preexisting SSH keys

If there are old SSH keys in the default location and you planed to use them in the future, you have to back them up and keep them in a safe place before generating new one, as there is no way to retrieve lost private keys. But on the other hand public keys can be regenerated form corresponding private keys as we will talk about this at the end of this article.

To backup your old SSH keys use the following command:

$ mkdir key_backup 
$ cp id_rsa* key_backup

3- Generate new SSH key pair

To generate a new SSH key pair, use the command:

$ ssh-keygen -t rsa -b 4096 -C "any_comment_you_like"

-t specifies the type of key to be generated. -b specifies the number of bits in the key. -C to add a comment to the key.

After hitting Enter, it will prompt you to choose the location and name of the file to store the keys. The default location is preferred. However, you may need to change it according to your needs especially if you have not backed up keys already in the location and you don’t want to lose them. Press Enter to choose the default location.

ssh-keygen command

Next, you will be asked to type a passphrase. Using a passphrase means a password will be required to use the private key and it adds an extra layer of security. The most common practice is that private keys are generated without passphrase because this will be useful for automated processes. So, if you don’t want to add a passphrase just press Enter after leaving the prompt empty. Then do the same when it asks for passphrase confirmation.

passphrase confirmation

Now, your SSH key pair will be generated and a visual fingerprint will be drawn on the screen.

the final output

4- Copy the public key

After that you successfully generated an SSH key pair. Your next step is to configure the server so you can log in using the SSH key authentication.

The best method to copy your public key to the server is to use ssh-copy-id utility. On the client machine terminal run the following command:

$ ssh-copy-id username@server_ip_address

If you are not connected previously to this server using this machine. Consequently, it will ask if you want to continue as the authenticity of the server is not established. Type yes and hit Enter.

ssh-copy-id utility

Then you need to enter the password of the server. Once you are authenticated, the public key will be transferred and appended to the server’s authorized_keys file and the connection will be terminated.

There are alternative methods if ssh-copy-id utility is not available on the client machine. For instance, you can log in to the server and manually create .ssh/authorized_keys file. Then edit it using your preferred editor and paste your public key into the file. And this can be done using the following compound command:

$ cat ~/.ssh/id_rsa.pub | ssh username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Log in to the server using SSH keys

After you completed all the steps above you can now log in to the remote server securely without being asked to enter a password.

To log in to the server use:

$ ssh username@server_ip_address

If you want to log in using a private key that is not located in the default location, you need to specify the location using this command:

$ ssh -i /path_to_private_key_file username@server_ip_address

Configure the server for multiple keys access

The format of .ssh/authorized_keys file allows multiple keys to be appended by putting each key in a separate line.

In case you have multiple clients, each client needs to generate its own SSH key pair, and public key of each client needs to be copied to the server using the steps described above.

Using ssh-copy-id utility will automatically append new keys even if there are already previously appended keys to .ssh/authorized_keys file. Or by manually editing the file and pasting each key in new line.

Disabling password authentication

Disabling password based authentication adds an extra layer of security by preventing brute-force attacks.

Essentially, you should make sure that you can log in to the server using SSH key authentication and the user you are logging in with has sudo privileges before disabling password authentication.

In order to disable SSH password authentication you can follow these steps:

  • Log in to your remote server using SSH key as root or as a user with sudo privileges
  • Open SSH configuration file /etc/ssh/sshd_config
  • Search for the following directives inside the file and modiy them as follows:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
  • Save the file
  • Restart the SSH service

To restart SSH service on Debian or Ubuntu servers, use the following command:

$ sudo systemctl restart ssh

On CentOS or Fedora servers, run this command:

$ sudo systemctl restart sshd

Retrieve public key from private key

It is possible for you to regenerate the public key form the private key. But you cannot do the reverse.

To do that, use the following command:

ssh-keygen -y -f /path_to_private_key_file

At the end, I like to mention that if you need a cloud hosting service to host your servers, I highly recommend Vultr. If you like to try it sign up using this link and get 100$ free credit for the first month to try Vultr. Try it out, there is nothing to lose. If you want to learn how to create your own server on Vultr, check out this article to learn how.

If you have any question, leave it in the comments below.


Other articles you may find interesting

managed vs unmanaged switches
In general, network switches are the main building block of wired computer networks. It’s the networking hardware that connects other…
Read More
how to turn ESP32 into NAT router repeater
ESP32 development board can be used as WiFi router/repeater with NAT(Network Address Translation), thanks to martin-ger, who developed this great…
Read More
turn any website into separate native application
As a Windows user, I do most of my work on my PC using a browser, not because I prefer…
Read More
how to transfer files remotely via SSH
SSH or Secure Shell is a protocol that allows a secure connection to the remote computer. There are multiple methods…
Read More
In this article you will learn how to link a domain to Vultr server. So, you can connect to it…
Read More
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely such as login, remote command-line execution, and…
Read More

Advertisment

1 thought on “How to Use SSH key Authentication”

  1. Pingback: How to transfer files remotely via SSH – ServerKernel

Leave a Reply

Your email address will not be published. Required fields are marked *