How to Use SSH Key Authentication

Create a more secure automated system

If you are a Linux administrator, then you are very familiar with the ssh command. Why? Because it is the most popular means of gaining access to a remote Linux server. Out of the box, Secure Shell (SSH) is often considered quite secure. If you’re serious about your security, however, you know that to be a slight exaggeration. Yes, SSH is far better than using most other means of remotely logging into a Linux server. If used wisely, it can be made even more secure. How? With SSH Key Authentication.

What is SSH Key Authentication?

Normally, when you log into a remote server with SSH, you do so using a username/password combination. Issue the command:

ssh olivia@192.168.1.221

You’ll be prompted for the user password for olivia. That’s the most often used method for SSH logins. However, a password is limited to what you can remember, or are willing to type out. Sure, you could have user olivia set a password that’s incredibly long and complicated, but is that user going to want to type that password every time they need to log in? Probably not. With SSH Key Authentication, a cryptographic key pair is used instead: the private key holds far more secret material than is practical with a typed password, and it can be protected by a passphrase of its own. So the cryptographic strength found in SSH Key Authentication goes way beyond that which a standard password can match.

But to use SSH Key Authentication, you have to set it up. Fortunately, it’s incredibly easy to do.

Generating Your SSH Key

Screenshot of generating an SSH Key on Linux.

The first thing you must do is generate an SSH Key. This is quite easy. Open a terminal window on the client machine you plan on using to log into your server and issue the command:

ssh-keygen

You will be asked to enter a filename for your newly generated key. To accept the default (/home/USER/.ssh/id_rsa - where USER is your username), simply hit the Enter key. You will then be prompted to type and verify a passphrase. Make this passphrase a strong one.

When the command completes, your key is ready to use.

Copying Your Key to the Server

Now that you have your key at the ready, it needs to be copied to the server you plan on logging into, via ssh. Fortunately, there’s a very easy way to do that. Go back to the terminal window you used to create the SSH Key and issue the command:

ssh-copy-id USER@SERVER_IP

Where USER is the username and SERVER_IP is the IP address of the server you want to log into. You’ll be prompted for the USER password. Once you successfully authenticate, the SSH Key will be copied and you can then log into the server in the normal fashion. Issue the command (from the client you used to create the SSH Key):

ssh USER@SERVER_IP

Because the client you are logging in from has the matching key that is now on the server, you’ll be logged in.
Repeat this process on every client machine that needs to SSH into the server.

Locking It Down

Screenshot of the sshd_config file found on Linux.

At this point, users can log into your server by way of standard SSH passwords or SSH Key Authentication. To make this setup even more secure, you can prevent the use of password authentication by modifying the SSH daemon configuration. To do that, issue the command:

sudo nano /etc/ssh/sshd_config

In that file, look for the line:

#PasswordAuthentication yes

Uncomment it (remove the # symbol) and change yes to no.

Next, look for the line:

#PubkeyAuthentication yes

Uncomment that line.

Save and close the file (hit Ctrl+x) and answer yes. Restart the SSH daemon with the command:

sudo systemctl restart sshd

Now if you attempt to SSH into that server from any client that does not contain a matching SSH Key, you will be denied access.
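As an added example (not code from the original article), the following POSIX shell script performs the two sshd_config edits described above on any file path you give it, handling both the commented "#PasswordAuthentication yes" form and lines that are already set, so it can be re-run safely. It assumes sed, grep and awk are available and that the file contains no Match blocks; the sample config it edits is constructed inline.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes POSIX sh with
# sed, grep and awk, and an sshd_config without Match blocks.

# set_sshd_option FILE KEY VALUE
# Replace any existing line for KEY (commented or not) with "KEY VALUE";
# append the line if KEY is absent from FILE. Works on a temp copy, so a
# failed sed leaves the original untouched.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        tmp="${file}.tmp.$$"
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" \
            "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE
# Disable password logins and enable public-key logins, as in the article.
harden_sshd_config() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# get_sshd_option FILE KEY
# Print the effective (uncommented) value of KEY, or nothing if unset.
get_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | awk '{print $2}' | tail -n 1
}

# Constructed sample standing in for /etc/ssh/sshd_config.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# Sample sshd_config (constructed for this example)
Port 22
#PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
harden_sshd_config "$demo_file"
harden_sshd_config "$demo_file"   # second run must not add duplicate lines
echo "PasswordAuthentication -> $(get_sshd_option "$demo_file" PasswordAuthentication)"
echo "PubkeyAuthentication   -> $(get_sshd_option "$demo_file" PubkeyAuthentication)"
rm -f "$demo_file"
```

Run it against a copy of your real config first and check the result with sudo sshd -t before restarting the daemon. Keep your current session open until a key-based login from a second terminal succeeds, so a mistake cannot lock you out.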

Where Is the SSH Key Stored?

Screenshot of the authorized_keys file found on Linux.

For those who are curious, log onto the server to which you copied your keys. Issue the command:

less ~/.ssh/authorized_keys

The output of the above command will display all of the keys you’ve sent from clients (using the ssh-copy-id command), one per line. If you find you want to revoke SSH Key Authentication from a particular client, delete the line that corresponds to that client; the comment at the end of each line (normally user@hostname) identifies where the key was generated.