Software & Apps Linux How to Set Up SSH Key Authentication On Linux How to make your Secure Shell connections even more secure by Jack Wallen Writer Jack Wallen is a former Lifewire writer, an award-winning writer for TechRepublic and Linux.com, and the voice of The Android Expert. our editorial process LinkedIn Jack Wallen Updated on July 07, 2020 Linux Switching from Windows Tweet Share Email Secure Shell is the most popular means of logging into a remote Linux server or desktop. By using this tool, you gain access to the command line on a remote machine via a secure tunnel. Out of the box, you’ll type the remote user’s password. Although this method is still more secure than the older ones (such as telnet), you can make it even more secure with SSH Key Authentication. What is Key Authentication? Imagine you have a lock and the only way to open that lock is with a specific key that the lock knows belongs to you. How does the lock know the key belongs to you? Because the key contains a signature that is unique to you. Within the lock is a matching signature the key uses for comparison. Should the signatures match, the lock will open. Should the key fit, but the signatures not match, the lock won’t open. How SSH Key Authentication works in real life is that you create a key pair (which contains a private and public code) and copy the public key to the server you want to log into. If you try to log in with key authentication, and the server doesn’t have the public key that matches your private key, it won’t allow you access. How to Generate an SSH Key Pair The first thing to do is generate an SSH Key Pair, which creates the codes your computer will use to authenticate logins. Here's how to do it. Open a terminal window on your desktop. Issue the command: ssh-keygen Give the key a name and location. Press Enter/Return on your keyboard to use the default location, which Terminal will display. Enter and verify a passphrase for the key. Make sure this passphrase is strong and unique. You now have an SSH key pair. You'll find these two files in ~/.ssh, and their names will be: id_rsa - The private key.id_rsa.pub - The public key. Copy Your Public Key to the Remote Machine Next you must copy the public key file to the remote machine you want to log into. To do so, enter the command: ssh-copy-id USER@REMOTE_IP Where USER is a username on the remote machine and REMOTE_IP is the IP address of the remote machine. If this is the first time you’ve secure shelled into the remote machine, you'll need to confirm the connection. Otherwise, you’ll see a prompt to type the user password on the remote machine. Once you’ve successfully typed your remote password, you’re ready to test the connection. Testing The Connection Test the connection by issuing the command: ssh USER@REMOTE_IP Where USER is a username on the remote machine and REMOTE_IP is the IP address of the remote machine. You'll receive a prompt for the SSH key pair passphrase. Once you’ve typed the correct key passphrase, you’ll access to the remote machine. Disabling Password Authentication You can take security one step further by disabling password authentication. With this configuration in place, the only way to gain access to the remote machine is from a machine containing the private key from the matching pair. In other words, no key pair, no access. To disable password authentication, log in to the remote machine and issue the command: sudo nano /etc/ssh/sshd_config In this file, look for the line: #PasswordAuthentication yes Change that line to: PasswordAuthentication no Save and close the file. Restart SSH with the command: sudo systemctl restart sshd Now, if you attempt to log into that remote machine from any desktop (or server) that doesn’t include the private key, the system will deny you access.