Configuring SSH Key Authentication

Morteza Moradi
6 min read · Mar 6, 2023

SSH key authentication is a secure method of logging into a Linux system without having to enter a password. Instead, the user authenticates with a cryptographic key pair, consisting of a public key and a private key. This method is more secure than password authentication, as it eliminates the risk of brute-force attacks or password guessing.

To use SSH key authentication, the first step is to generate a key pair on the client machine. This is done with the ssh-keygen command, which generates the public and private keys and saves them in the ~/.ssh directory. The user must then copy the public key to the server machine, where it is appended to the authorized_keys file. This can be done manually, or with the ssh-copy-id command.

Once the key pair is set up, the user can log into the server machine without entering a password. The private key stays on the client machine and is used to authenticate the user to the server. The public key is stored on the server machine and is used to verify that the client holds the matching private key.

Step 1: Generate a new SSH key pair on Client machine

To generate a 4096-bit RSA key pair with the comment "myemail@gmail.com" and save it in the .ssh directory of your home directory under the filename mykey, we use the command:

ssh-keygen -t rsa -b 4096 -C "myemail@gmail.com" -f ~/.ssh/mykey

After you run the command, it asks you for a passphrase, which adds a further layer of protection to the private key.

-b: This argument specifies the number of bits in the key pair. The default value is 2048 bits, but it can be set to other values such as 4096 bits for increased security.

-C: This argument allows users to specify a comment to be added to the public key. The comment can be used to identify the key's owner or purpose.

For example, if you want to revoke a key's access on a remote server in the future, you should find your

-t: This argument specifies the type of key to be generated. SSH supports several types of keys, including RSA, DSA, and ECDSA. The default is RSA, but users can specify a different type if needed.

-f: This argument allows users to specify the filename of the key pair. By default, the key pair is saved in the user's home directory under the .ssh directory with filenames id_rsa (private key) and id_rsa.pub (public key). However, users can specify a different filename or path if needed.

If you do not use -f to set a file name, the keys are saved by default in the ~/.ssh/ directory with the filenames id_rsa (private key) and id_rsa.pub (public key).

I strongly recommend creating a separately named SSH key for each server or internet service you access, and keeping all of those keys in the ~/.ssh folder. So do not use the default name.
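To make the "one named key per server" habit mechanical, here is a small shell helper, added as an example and not part of the original post. It wraps the ssh-keygen command from Step 1, refuses to overwrite an existing key of the same name, fixes the directory and private-key permissions, and prints the key's fingerprint and comment so you can later recognise the entry in a server's authorized_keys file. The function name new_server_key and the SSH_DIR override (a testing hook, defaulting to ~/.ssh) are my own assumptions; the ssh-keygen options are the standard ones.

```shell
#!/bin/sh
# Generate one named RSA key pair per server and print its fingerprint.
# Usage: new_server_key <name> <comment> [passphrase]
#   name        file name under ~/.ssh (e.g. "mykey", as in the post)
#   comment     text stored in the public key (-C), used to identify the key later
#   passphrase  optional; omit it to be prompted interactively, as ssh-keygen normally does
new_server_key() {
  name=$1
  comment=$2
  dir=${SSH_DIR:-$HOME/.ssh}   # SSH_DIR is a hypothetical override used only for testing
  key=$dir/$name

  # Never silently replace a key that is already deployed somewhere.
  if [ -e "$key" ] || [ -e "$key.pub" ]; then
    echo "refusing to overwrite existing key $key" >&2
    return 1
  fi

  # ~/.ssh must be private to the owner; ssh refuses to use it otherwise.
  mkdir -p "$dir" && chmod 700 "$dir" || return 1

  if [ $# -ge 3 ]; then
    # Non-interactive: passphrase supplied by the caller (-N).
    ssh-keygen -q -t rsa -b 4096 -C "$comment" -f "$key" -N "$3" || return 1
  else
    # Interactive: ssh-keygen prompts for the passphrase, as described in Step 1.
    ssh-keygen -t rsa -b 4096 -C "$comment" -f "$key" || return 1
  fi
  chmod 600 "$key" || return 1

  # Print "<bits> SHA256:<fingerprint> <comment> (RSA)" for the new public key.
  ssh-keygen -lf "$key.pub"
}
```

Usage: `new_server_key mykey "myemail@gmail.com"` creates ~/.ssh/mykey and ~/.ssh/mykey.pub and prompts for a passphrase. Keep a note of the fingerprint it prints; `ssh-keygen -lf ~/.ssh/authorized_keys` on a server prints the same fingerprints for every installed key, which is the quickest way to find the line to remove when revoking a key.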

Step 2: Copy the public key to the remote machine

Once you have generated a new SSH key pair, you need to copy the public key to the remote machine you want to connect to. To do this you should use ssh-copy-id command.

If you currently have remote access to your server:

ssh-copy-id -f -i {public-key-path} {username}@{remote-server-ip} 

Replace public-key-path with the path to your public key, username with your username on the remote machine, and remote-server-ip with the hostname or IP address of the remote machine. For example:

ssh-copy-id -f -i ~/.ssh/mykey.pub root@5.125.22.123

You will be prompted to enter your password for the remote machine. Once you have entered the password, the public key will be copied to the remote machine and added to the authorized_keys file in the ~/.ssh/ directory.

But if you do not have remote access to your server:

Connect to your server manually and then copy the public key's content into the ~/.ssh/authorized_keys file. For example, open the ~/.ssh/authorized_keys file and add each public key on its own line, like below:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPcw11LDFswFyvQJdNtmBK2vxUK5TDxdfq7APIyGdQDb6i4a/IvpN+SC4mspSJucH3Cgu+R/9xtRyt66Gkv>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD1nE51JZnIwceN4RjVXNCK4tlNnuEl2TTlRNafQ8wKJL7oEkV1/Sg2zIb++0MPo5rIfseoSxtgAg2lmOX3y>
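When adding keys by hand, the two things that most often go wrong are a badly pasted line and wrong file permissions: sshd (with its default StrictModes yes) silently ignores an authorized_keys file that is writable by anyone but the owner, and a duplicated or half-pasted line breaks the "one key per line" rule above. The following helper, added here as an example and not code from the original post, does the manual step safely: it checks the line looks like a public key, sets the permissions, and appends only if the exact line is not already present. The function name add_authorized_key and the sample key lines in the usage are my own constructions.

```shell
#!/bin/sh
# Append a public key to a user's authorized_keys file safely.
# Usage: add_authorized_key <ssh-dir> "<public key line>"
# Returns 0 when the key is present afterwards (added or already there),
# 2 when the argument does not look like a public key line, 1 on I/O errors.
add_authorized_key() {
  ssh_dir=$1
  key=$2
  auth_file=$ssh_dir/authorized_keys

  # A public key line is "<type> <base64 blob> [comment]". Reject anything else
  # so a stray paste (a private key, an empty line) never lands in the file.
  if ! printf '%s\n' "$key" | grep -Eq '^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'; then
    echo "not a public key line: ${key%% *}" >&2
    return 2
  fi

  # Permissions sshd will accept: directory 700, file 600, both owned by the user.
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
  [ -e "$auth_file" ] || : > "$auth_file"
  chmod 600 "$auth_file" || return 1

  # One key per line, never duplicated: compare the whole line literally (-x -F).
  if grep -qxF -- "$key" "$auth_file"; then
    return 0
  fi
  printf '%s\n' "$key" >> "$auth_file"
}
```

Usage on the server, as the target user: `add_authorized_key ~/.ssh "$(cat mykey.pub)"`. Running it twice with the same key leaves a single line, so it is safe to re-run from a provisioning script.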

Step 3: Test SSH key authentication

To test SSH key authentication, you can try connecting to the remote machine using the ssh command:

ssh user@remotehost -i private-key-path
# example : ssh root@12.135.16.33 -i ~/.ssh/mykey

If everything is set up correctly, you should be logged in to the remote machine without having to enter a password.

Step 4: SSH configuration file to simplify connections to remote machines.

By using an SSH configuration file to specify the hostname or IP address of the remote machine, you can avoid having to enter this information each time you connect. Instead, you simply need to specify the name of the host entry in the configuration file when you connect.

Open a terminal and navigate to your ~/.ssh/ directory. If you don't have a config file already, create one using your favorite text editor:

nano ~/.ssh/config

In the config file, you can create host entries for each remote machine you want to connect to. A host entry specifies the hostname or IP address of the remote machine, your username on the remote machine, and any other options you want to use for the connection.

Host myserver
HostName 123.45.67.89
User myusername
IdentityFile ~/.ssh/mykey
Port 22

In this example, myserver is the name you want to use for the remote machine (you can choose any name you like), 123.45.67.89 is the IP address or hostname of the remote machine, myusername is your username on the remote machine, and ~/.ssh/mykey is the path to your private key file.

To connect to a remote machine using an SSH configuration file, simply use the ssh command followed by the name of the host entry you created in the config file. For example:

ssh myserver

This will connect to the remote machine using the options specified in the myserver host entry.

Step 5: Disable password authentication on the server and allow only public key authentication

Connect to your server as the root user. Open the SSH configuration file using a text editor such as nano or vi:

nano /etc/ssh/sshd_config

1. Find the line that starts with #PasswordAuthentication, remove the # at the beginning of the line to uncomment it, and change the value of PasswordAuthentication to no; if the line does not exist, create it.

PasswordAuthentication no

2. Find the line that starts with #PubkeyAuthentication, remove the # at the beginning of the line to uncomment it, and ensure that the value of PubkeyAuthentication is set to yes; if the line does not exist, create it.

PubkeyAuthentication yes

3. Find the line that starts with #AuthenticationMethods, remove the # at the beginning of the line to uncomment it, and ensure that the value of AuthenticationMethods is set to publickey; if the line does not exist, create it.

AuthenticationMethods publickey

Save and close the configuration file, then restart the SSH service to apply the changes:

systemctl restart sshd

After completing these steps, the server will only allow authentication using public keys. If you try to connect to the server using a password, you will receive an error message stating that password authentication is disabled.

Before disabling password authentication, make sure that you have set up public key authentication correctly and that you have a working backup plan in case you lose access to your private key.
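The three edits in Step 5 are easy to get subtly wrong by hand: the stock sshd_config ships the keywords commented out, the first occurrence of a keyword wins, and anything written below a "Match" block applies only to that block. The helper below, added as an example and not code from the original post, makes the same three changes idempotently on a file you name, so it can be reviewed against a copy first. The function names set_sshd_option and harden_sshd_config are my own; the keywords and values are exactly those from the steps above.

```shell
#!/bin/sh
# Set one sshd_config keyword to a value, idempotently.
# Usage: set_sshd_option <config-file> <Keyword> <value>
#  - an existing line for the keyword, active or commented out with "#", is replaced in place
#  - later duplicates are dropped, since sshd honours only the first occurrence
#  - an absent keyword is inserted before the first "Match" block (or appended),
#    because settings below "Match" apply only to that block
set_sshd_option() {
  file=$1
  key=$2
  value=$3
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    /^[[:space:]]*Match[[:space:]]/ && !in_match {
      in_match = 1
      if (!done) { print key " " value; done = 1 }
    }
    in_match { print; next }           # leave Match blocks untouched
    {
      line = $0
      sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip leading blanks and "#"
      split(line, f, /[[:space:]]+/)
      if (f[1] == key) {               # existing setting (matches the stock casing)
        if (!done) { print key " " value; done = 1 }
        next
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Overwrite in place so the file keeps its owner and mode.
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# Apply the three settings from Step 5 to the given file.
harden_sshd_config() {
  set_sshd_option "$1" PasswordAuthentication no &&
  set_sshd_option "$1" PubkeyAuthentication yes &&
  set_sshd_option "$1" AuthenticationMethods publickey
}
```

Usage: copy the live file (`cp /etc/ssh/sshd_config /tmp/sshd_config.new`), run `harden_sshd_config /tmp/sshd_config.new`, inspect the diff, then install it and check it with `sshd -t` (exit status 0 means the syntax is valid) before `systemctl restart sshd`. Keep the session you are working in open and confirm a fresh key-based login from a second terminal before closing it, which is the practical form of the backup plan mentioned above.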

More Useful Data

What are SSH and sshd?

SSH stands for Secure Shell, which is a cryptographic network protocol used for secure communication over an unsecured network. SSH provides a secure encrypted connection between two computers, allowing remote login, command execution, and file transfers. It is commonly used by system administrators, developers, and anyone who needs to access a remote computer securely.

SSHD is the SSH daemon or server that runs on the remote computer and listens for incoming SSH connections. When a user attempts to connect to the remote computer via SSH, the sshd daemon will authenticate the user’s credentials, and if successful, establish a secure encrypted connection. The sshd daemon is responsible for managing SSH sessions, enforcing access control, and providing secure remote access to the computer.

How to check which authentication methods are enabled on a server?

You can use the -v option with SSH to get verbose output, which includes information about the authentication methods that are being used. Here's an example:

ssh -v user@hostname

When you run this command, SSH will attempt to connect to the remote host and will display information about the connection process. In the output, you can look for lines that indicate the authentication methods that are being used. For example, you might see lines like:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password

In this example, SSH first attempts public key authentication and then falls back to password authentication if public key authentication fails. This indicates that both authentication methods are enabled on the server; if password authentication is disabled, the connection instead fails with an error when you do not have an SSH key.
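The "Authentications that can continue" line is also the easiest thing to check automatically after Step 5, to confirm that password logins are really gone. The functions below, added as an example and not code from the original post, read `ssh -v` output from standard input and report the methods the server advertised in its first offer. They treat keyboard-interactive as a password method too, because on most Linux systems it is how PAM presents a password prompt, which is exactly what the AuthenticationMethods publickey line in Step 5 shuts off. The function names and the sample debug lines in the usage are my own.

```shell
#!/bin/sh
# Report which authentication methods a server offers, from `ssh -v` output on stdin.

# Print the comma-separated list from the first "can continue" line. That line
# is the server's reply to the initial "none" attempt, i.e. its full offer,
# before any method has been tried and rejected.
offered_auth_methods() {
  sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Exit 0 if the server still accepts a password in some form, 1 if it does not.
password_auth_offered() {
  methods=$(offered_auth_methods)
  case ",$methods," in
    *,password,*|*,keyboard-interactive,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Example run against a real host (ssh writes debug output to stderr, hence 2>&1).
# The two -o options stop ssh from actually trying a key or a password, so the
# command only reads the server's offer and then exits with "Permission denied".
#   ssh -v -o BatchMode=yes -o PubkeyAuthentication=no -o PasswordAuthentication=no user@hostname 2>&1 \
#     | password_auth_offered && echo "password logins still enabled" || echo "public key only"
```

On a server hardened as in Step 5 the first line reads `debug1: Authentications that can continue: publickey` and password_auth_offered returns 1; the four-line sample output above returns 0.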
