How to Use SSH Key Authentication

Secure your server by requiring SSH keys for remote logins

by
Jack Wallen
Jack Wallen
Writer
Jack Wallen is a former Lifewire writer, an award-winning writer for TechRepublic and Linux.com, and the voice of The Android Expert.
our editorial process
Jack Wallen
Updated on March 17, 2020

Normally, when you log into a remote server with SSH, you do so using a username and password combination. However, using a password is limited to the length of password you can remember or are willing to type. With SSH key authentication, an encrypted passphrase offers more secure credentials than are practical with a standard password. The cryptographic strength in SSH key authentication goes beyond what a standard password can match.

Generate Your SSH Key

Open a terminal window on the client machine you plan to use to log in to your server, then issue the command: 






Next, you're prompted to enter a filename for your new key. It's recommended that you accept the default (~/.ssh/id_rsa). Then, select and verify a passphrase. Make this passphrase a strong one.






When the command completes, your key is ready to use.










Screenshot of generating an SSH Key on Linux.

 



 
  Copy Your Key to the Server  



Use SSH to copy your key to the remote server. Issue the command:





ssh-copy-id U






Where USER is the username, and SERVER_IP is the IP address of the server you want to log in to. You're prompted for the USER password. After you successfully authenticate, the SSH key copies and you can log in to the server in the normal way.






Because the client you are logging in from has the matching key that is now on the server, you'll be logged in.






Repeat this process on every client machine that needs to SSH into the server.




 
  Lock It Down  



It's considered a best security practice to disable password authentication into servers, relying solely on SSH key authentication. Modify the SSH daemon configuration accordingly. Open the configuration file by executing:





sudo nano /et






In that file, look for the line:





#PasswordA






Un-comment the line by removing the hashtag, then change yes to no.






Next, look for the line:





#PubkeyA






Un-comment that line as well.










Screenshot of the sshd_config file found on Linux.

 





Save and close the file. Restart the SSH daemon with the command:





sudo syste






Now, if you attempt to SSH into that server from any client that does not contain a matching SSH Key, you will be denied access.




 
  Where Is the SSH Key Stored?  



Log onto the server to which you copied your keys. Issue the command:





less ~/.ss






You'll see all of the keys you sent from clients (using the ssh-copy-id command). To revoke SSH key authentication from a particular client, delete the lines that correspond with the client's hostname (the hostname is the last bit of information in the key).










Screenshot of the authorized_keys file found on Linux.