How to Set Up SSH Key Authentication On Linux

How to make your Secure Shell connections even more secure

Secure Shell is the most popular means of logging into a remote Linux server or desktop. By using this tool, you gain access to the command line on a remote machine via a secure tunnel. Out of the box, you’ll type the remote user’s password. Although this method is still more secure than the older ones (such as telnet), you can make it even more secure with SSH Key Authentication.

What is Key Authentication?

Imagine you have a lock and the only way to open that lock is with a specific key that the lock knows belongs to you. How does the lock know the key belongs to you? Because the key contains a signature that is unique to you. Within the lock is a matching signature the key uses for comparison. Should the signatures match, the lock will open. Should the key fit, but the signatures not match, the lock won’t open.

How SSH Key Authentication works in real life is that you create a key pair (which contains a private and public code) and copy the public key to the server you want to log into. If you try to log in with key authentication, and the server doesn’t have the public key that matches your private key, it won’t allow you access.

How to Generate an SSH Key Pair

The first thing to do is generate an SSH Key Pair, which creates the codes your computer will use to authenticate logins. Here's how to do it.

  1. Open a terminal window on your desktop.

  2. Issue the command:

    The ssh-keygen command in Terminal
  3. Give the key a name and location.

    Press Enter/Return on your keyboard to use the default location, which Terminal will display.

    The location for an SSH key
  4. Enter and verify a passphrase for the key.

    Make sure this passphrase is strong and unique.

    Enter a passphrase for the key
  5. You now have an SSH key pair. You'll find these two files in ~/.ssh, and their names will be:

  • id_rsa - The private key.
  • - The public key.

Copy Your Public Key to the Remote Machine

Next you must copy the public key file to the remote machine you want to log into. To do so, enter the command:

ssh-copy-id USER@REMOTE_IP

Where USER is a username on the remote machine and REMOTE_IP is the IP address of the remote machine.

An example of the ssh-copy-id command

If this is the first time you’ve secure shelled into the remote machine, you'll need to confirm the connection. Otherwise, you’ll see a prompt to type the user password on the remote machine. Once you’ve successfully typed your remote password, you’re ready to test the connection.

Testing The Connection

Test the connection by issuing the command:


Where USER is a username on the remote machine and REMOTE_IP is the IP address of the remote machine.

An example of the ssh command in Terminal

You'll receive a prompt for the SSH key pair passphrase. Once you’ve typed the correct key passphrase, you’ll access to the remote machine.

Disabling Password Authentication

You can take security one step further by disabling password authentication. With this configuration in place, the only way to gain access to the remote machine is from a machine containing the private key from the matching pair. In other words, no key pair, no access.

To disable password authentication, log in to the remote machine and issue the command:

sudo nano /etc/ssh/sshd_config

In this file, look for the line:

#PasswordAuthentication yes

Change that line to:

PasswordAuthentication no

Save and close the file. Restart SSH with the command:

sudo systemctl restart sshd
Command prompt.

Now, if you attempt to log into that remote machine from any desktop (or server) that doesn’t include the private key, the system will deny you access.