How to Set Up SSH Key Authentication On Linux

How to make your Secure Shell connections even more secure

Pixabay

Secure Shell is the most widely-used means of logging into a remote Linux server (or desktop). By using this tool, you gain access to the command line on a remote machine, via a secure tunnel. Out of the box, you’ll be prompted to type the remote user’s password. Although this is still more secure than using the older methods (such as telnet), it can be made even more secure with SSH Key Authentication.

What is Key Authentication?

Understanding Key Authentication is actually quite simple. Imagine you have a lock and the only way to open that lock is with a specific key that the lock knows belongs to you. How does the lock know the key belongs to you? Because the key contains a signature that is unique to you. Within the lock there is a matching signature the key uses for comparison. Should the signatures match, they lock will open. Should the key fit, but the signatures not match, the lock won’t open.

That’s the basis for SSH Key Authentication. How it works in real life is that you create a key pair (which contains a private and public key), and copy the public key to the server you want to log into. If you attempt to login with key authentication, and the server doesn’t have the public key that matches your private key, it won’t allow you access.

Let’s make this work.

Generating an SSH Key Pair

The first thing to do is generate an SSH Key Pair. To do this, follow these steps:

  1. Open a terminal window on your desktop.

    Screenshot of the ssh-keygen command.

    Issue the command:

    ssh-keygen
    Screenshot of naming an ssh key and creating a passphrase.

    Give the key a name and location (go with the default by using Enter/Return on your keyboard).

  2. Enter and verify a passphrase for the key (make sure this passphrase is strong and unique)

You now have an SSH key pair. These two files will be found in ~/.ssh and will be named:

  • id_rsa - The private key.
  • id_rsa.pub - The public key.

Copy Your Public Key to the Remote Machine

Screenshot of copying an SSH key to a remote machine.

Next you must copy the public key file to the remote machine you want to log into. This can be done with the command:

ssh-copy-id USER@REMOTE_IP

Where USER is a username on the remote machine and REMOTE_IP is the IP address of the remote machine.

If this is the first time you’ve secure shelled into the remote machine, you will be prompted to type yes to continue with the connection, otherwise you’ll be prompted to type the user password on the remote machine. Once you’ve successfully typed your remote password, the key will be copied and you’re ready to test the connection.

Testing The Connection

Screenshot of logging into a remote machine using SSH Key Authentication.

Test the connection by issuing the command:

ssh USER@REMOTE_IP

Where USER is a username on the remote machine and REMOTE_IP is the IP address of the remote machine. Instead of being prompted for the user password, you’ll be prompted for the SSH key pair passphrase. Once you’ve typed the correct key passphrase, you’ll be allowed access to the remote machine. Congratulations, SSH Key Authentication is up and running.

Disabling Password Authentication

You can take this one step further by disabling password authentication. With this configuration in place, the only way to gain access to the remote machine is from a machine containing the private key from the matching pair. In other words, no key pair, no access.

To disable password authentication, log into the remote machine and issue the command:

sudo nano /etc/ssh/sshd_config

In this file, look for the line:

#PasswordAuthentication yes

Change that line to:

PasswordAuthentication no

Save and close the file. Restart SSH with the command:

sudo systemctl restart sshd
Screenshot of a denied attempt to access a remote machine.

Now, if you attempt to log into that remote machine from any desktop (or server) that doesn’t include the private key, access will be denied.

Congratulations, you have successfully made logging into your remote Linux machine more secure with SSH.