
SSH key authentication

November 1, 2011
By Administrator in All, Linux administration, SSH server

Setting up your SSH server to perform SSH key authentication instead of password based authentication has two main advantages:

  • additional security: the private key never leaves the client machine. To log in, the client proves possession of the key by signing data that is bound to the current session, so no password crosses the network and a captured signature cannot be replayed against another session or another server. (The popular claim that "no authentication information is transmitted" is not entirely correct, but nothing reusable is.)
  • ease of access: you do not need to type your password every time you establish an SSH connection, and once the key is loaded into ssh-agent you do not type the passphrase either

It is usually very easy to configure SSH key authentication. We will illustrate the process in several steps. For the purpose of this explanation we used OpenSSH_5.8p1 as the SSH server software and Ubuntu as both the client and the server operating system. Let's start:

1. Generate the encryption key pair on the client machine

This can be done with the following command:

[email protected]:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/clientuser/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/clientuser/.ssh/id_rsa.
Your public key has been saved in /home/clientuser/.ssh/id_rsa.pub.
The key fingerprint is:
0f:b0:01:41:ee:35:06:20:25:56:cd:1b:dd:52:b9:e8 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|..=-*=o    .     |
| o o +o   o      |
|    . ++++ .     |
|   . .o++ o      |
|    . ..S.       |
|        Eo       |
|          .      |
|                 |
|                 |
+-----------------+
[email protected]:~$

You will be asked where to store the newly generated private key; in most cases the default is the right choice. Then you will be asked for a passphrase that will protect your key. Set one: it encrypts the private key file on disk, so somebody who copies the file (from a stolen laptop, a backup, or after getting access to your PC) still cannot use it without guessing the passphrase. With OpenSSH 5.8, ssh-keygen -t rsa produces a 2048-bit key, as the "RSA 2048" in the randomart header shows. Only id_rsa.pub is ever copied anywhere; id_rsa stays on the client.

2. Obtain your public authentication key

The public key is in the file /home/clientuser/.ssh/id_rsa.pub and looks similar to the following (it is a single line in the file; it is wrapped here only for display):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTKyG77WLwTMsvRmoTOwSDtTi+zBRHG
WYBzicY8oZoEDRY1+TPtQrAUkZkvkafcSnoVYX5CsuKaNqqyC2/g93vC2cTnzf4Y6U2Qt
KqbEPzSim8LvapfZe0PO4WKJB2Em5BvqYA/E8XsF+zhbkjmAIWAFbYi9YIZELMYMnVk4k
M4Ys8o79JTpy8iX1f1eXcC+YQ/ELnfwov6It637D7hoFypzUmohvahlvlmxT1X54080ek
TFx6o18N3jlvxIRrBaEkTDikgAVfAjyc+P66M5hVvMak9H247GX4k8jI1Su/JcRJ/NIvL
s/JsnmobQli1Yx5aj801fOEAGScZYM91yRV [email protected]

3. Upload the public authentication key to your SSH server

You need to paste the public key from the previous step into the /home/serveruser/.ssh/authorized_keys file on the SSH server. Here, serveruser is the account on the SSH server machine that you would like to log into. The .ssh folder and the authorized_keys file may not exist yet, and you might need to create them yourself. The permissions matter: sshd (with its default StrictModes yes) silently ignores authorized_keys if the home directory, the .ssh directory or the file itself is writable by anybody but the owner, and all of them must be owned by serveruser:

[email protected]:~$ mkdir /home/serveruser/.ssh
[email protected]:~$ touch /home/serveruser/.ssh/authorized_keys
[email protected]:~$ chmod 700 /home/serveruser/.ssh
[email protected]:~$ chmod 600 /home/serveruser/.ssh/authorized_keys

Then, use your favourite text editor and paste the public SSH key into the authorized_keys file, one key per line. Make sure that the key is completely unchanged: the whole "ssh-rsa AAAA... comment" entry must sit on a single line with no line breaks (the wrapping shown above is only for display), and nothing may be dropped from its beginning or end. While password authentication is still enabled, the ssh-copy-id script that ships with the OpenSSH client package on Debian and Ubuntu does the same copy, and the permission fixes above, in one step.
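To catch a mangled paste before it costs you a lockout, here is an added example (this page's own illustration, not code from the original post or from OpenSSH) that checks one authorized_keys line the way sshd will read it: it accepts an optional leading options field (for example from="..." or no-pty), base64-decodes the key blob, verifies that the key type encoded inside the blob matches the declared type and that an RSA blob is exactly exponent plus modulus, and returns the two fingerprints ssh-keygen -l shows (the MD5 colon form used in the post above and the SHA256 form newer releases print). The sample line reuses the public key from step 2; its comment field, the restricted options variant and all function names are constructed for this example.

```python
import base64
import binascii
import hashlib
import struct

# Key types sshd accepts in authorized_keys (ECDSA needs OpenSSH >= 5.7,
# Ed25519 needs >= 6.5; the post's 5.8 server knows the first five).
KEY_TYPES = (
    "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-ed25519",
)


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (4-byte big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("blob truncated inside a length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("blob truncated inside a %d-byte field" % length)
    return blob[offset + 4:end], end


def _split_options(line):
    """Split an optional leading options field from the rest of the line.

    The options field ends at the first blank that is not inside double
    quotes, so values such as from="a b" survive intact.
    """
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    raise ValueError("options field without a key after it")


def check_authorized_key(line):
    """Parse one authorized_keys line; raise ValueError if sshd would reject it.

    Returns the declared type, modulus bits (RSA only), the MD5 and SHA256
    fingerprints of the key blob, the options field and the comment.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("empty or comment line")
    options, rest = _split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in KEY_TYPES:
        raise ValueError("unknown key type %r" % key_type)
    try:
        # validate=True rejects non-alphabet bytes, so a key pasted across
        # two lines or missing its tail fails here instead of at login time.
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key blob is not valid base64 (truncated or wrapped?): %s" % exc)
    inner, offset = _read_string(blob, 0)
    if inner != key_type.encode("ascii"):
        raise ValueError("declared %s but blob encodes %r" % (key_type, inner))
    bits = None
    if key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, offset = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
        if offset != len(blob):
            raise ValueError("%d unexpected trailing bytes" % (len(blob) - offset))
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {
        "type": key_type,
        "bits": bits,
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "sha256": "SHA256:" + sha256.rstrip("="),
        "options": options,
        "comment": comment,
    }


# The public key from step 2 of the post, re-joined onto one line; the
# comment field after it is constructed for this example.
POST_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDTKyG77WLwTMsvRmoTOwSDtTi+zBRHG"
    "WYBzicY8oZoEDRY1+TPtQrAUkZkvkafcSnoVYX5CsuKaNqqyC2/g93vC2cTnzf4Y6U2Qt"
    "KqbEPzSim8LvapfZe0PO4WKJB2Em5BvqYA/E8XsF+zhbkjmAIWAFbYi9YIZELMYMnVk4k"
    "M4Ys8o79JTpy8iX1f1eXcC+YQ/ELnfwov6It637D7hoFypzUmohvahlvlmxT1X54080ek"
    "TFx6o18N3jlvxIRrBaEkTDikgAVfAjyc+P66M5hVvMak9H247GX4k8jI1Su/JcRJ/NIvL"
    "s/JsnmobQli1Yx5aj801fOEAGScZYM91yRV"
    " clientuser@client"
)

# Constructed: the same key limited to one client network and denied a PTY.
RESTRICTED_KEY = 'from="192.168.32.0/24",no-pty ' + POST_KEY

if __name__ == "__main__":
    for sample in (POST_KEY, RESTRICTED_KEY):
        info = check_authorized_key(sample)
        print("%(type)s %(bits)s %(md5)s %(sha256)s options=%(options)r" % info)
    # A key that was pasted across two lines is rejected before it reaches sshd.
    try:
        check_authorized_key(POST_KEY[:80] + "\n" + POST_KEY[80:])
    except ValueError as exc:
        print("rejected:", exc)
```

The MD5 line is the format the post's ssh-keygen printed in step 1; comparing it against the fingerprint shown on the client is the quickest way to confirm that the server got exactly the key you generated. A single flipped character inside the modulus still decodes cleanly, so the fingerprint comparison, not just the structural check, is the part that proves the key is unchanged.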

4. Adjust the SSH daemon configuration file

We want to make sure that SSH key authentication will be the only means of authentication. On the SSH server machine, open and edit the file /etc/ssh/sshd_config. Make sure the following entry is present and uncommented (it matches the compiled-in default, so the line mainly documents where sshd looks for keys):

AuthorizedKeysFile %h/.ssh/authorized_keys

Also, uncomment the PasswordAuthentication line and change its "yes" to "no", so that you have:

PasswordAuthentication no

These should be the only changes necessary to the default configuration file of the OpenSSH service shipped with contemporary versions of Ubuntu and Debian. Two caveats are worth checking. First, sshd uses the first value it finds for each keyword, so a PasswordAuthentication no appended at the bottom of the file does nothing if an uncommented PasswordAuthentication yes appears above it; search the file for duplicates. Second, the Debian and Ubuntu packages run sshd with UsePAM yes, and in that case ChallengeResponseAuthentication must also be no: otherwise the keyboard-interactive method still asks PAM for the account password, and a password login remains possible despite PasswordAuthentication no.

The final step is to restart the SSH daemon. Before you do, check the edited file for syntax errors with the daemon's test mode (sshd -t), and keep your current session open until a fresh key-based login has succeeded, so that a mistake in the configuration cannot lock you out:

[email protected]:~$ /etc/init.d/ssh restart
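Because sshd takes the first value it sees for each keyword, and because a Debian/Ubuntu box with UsePAM yes still accepts passwords through keyboard-interactive unless ChallengeResponseAuthentication is no, it is worth reviewing the file with those rules in mind rather than trusting the edit by eye. The added example below is this page's own illustration, not part of the original post or of OpenSSH: it reads an sshd_config text, reports the effective global authentication settings, lists duplicate lines that sshd silently ignores, and says which password path is still open. The two configuration excerpts are constructed; the defaults table is what sshd_config(5) documents for the OpenSSH 5.x era; Match blocks are deliberately not evaluated (they narrow settings for particular users or addresses and need a separate review). On the server itself, sshd -T prints the effective configuration directly.

```python
import re

# Built-in defaults from sshd_config(5) of the OpenSSH 5.x era.  Distribution
# packages override some of them in the shipped file (Debian/Ubuntu: UsePAM yes).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "yes",
}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted by sshd.
_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*)$")


def parse_global_settings(text):
    """Return (first_values, shadowed) for the global section of an sshd_config.

    first_values maps a lower-cased keyword to the value sshd will use (the
    first one seen); shadowed maps a keyword to the later values sshd ignores.
    Parsing stops at the first Match block, whose conditional settings are
    outside the scope of this check.  Values are lower-cased for comparison.
    """
    first_values, shadowed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        keyword, value = match.group(1).lower(), match.group(2).strip().lower()
        if keyword == "match":
            break
        if keyword in first_values:
            shadowed.setdefault(keyword, []).append(value)
        else:
            first_values[keyword] = value
    return first_values, shadowed


def audit(text):
    """Return (effective, findings): the effective auth settings and what is still open."""
    first_values, shadowed = parse_global_settings(text)
    effective = {key: first_values.get(key, default) for key, default in DEFAULTS.items()}

    def enabled(key):
        # sshd also accepts 'true'/'false' for boolean keywords.
        return effective[key] in ("yes", "true")

    findings = []
    for keyword, later in shadowed.items():
        findings.append("%s: first value %r wins, later %r ignored"
                        % (keyword, first_values[keyword], later))
    if not enabled("pubkeyauthentication"):
        findings.append("PubkeyAuthentication is off: key login would fail")
    if enabled("passwordauthentication"):
        findings.append("PasswordAuthentication is still yes")
    if enabled("usepam") and enabled("challengeresponseauthentication"):
        findings.append("ChallengeResponseAuthentication with UsePAM still accepts passwords")
    if enabled("permitemptypasswords"):
        findings.append("PermitEmptyPasswords is yes")
    return effective, findings


# Constructed excerpt of a Debian/Ubuntu-style file where the new line was
# appended at the bottom without noticing the earlier, uncommented one.
SHADOWED_CONFIG = """\
Port 22
Protocol 2
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# added later, but sshd has already taken the value above
PasswordAuthentication no
"""

# Constructed: the same file with both password paths really closed.  The
# Match block at the end is there to show that this check skips Match
# blocks; they need their own review.
HARDENED_CONFIG = """\
Port 22
Protocol 2
UsePAM yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password

Match Address 192.168.32.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, config in (("shadowed", SHADOWED_CONFIG), ("hardened", HARDENED_CONFIG)):
        effective, findings = audit(config)
        print(name, effective)
        for finding in findings:
            print("  !", finding)
```

The shadowed excerpt is the realistic failure: the administrator sees "PasswordAuthentication no" in the file and restarts sshd, but the earlier line is the one in force, and password logins keep working.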

5. Test the functionality of the SSH key authentication set up

To check whether our simple SSH key authentication set up is working, you can enter the following command on your client machine:

[email protected]:~$ ssh -l serveruser server-hostname-or-IP-address

If you used a non-empty passphrase when generating your key pair, you should be prompted for that passphrase now and, upon typing it, be logged into the server as serveruser. Also confirm that the old path is really closed: connect once more with the client options PubkeyAuthentication=no and PreferredAuthentications=password (passed with -o) and check that the server answers "Permission denied (publickey)" instead of asking for a password. If it still prompts, a password path is open and the sshd_config from step 4 needs another look.

To avoid typing your passphrase each time you establish an SSH connection, you may use the ssh-add utility, which loads the decrypted key into the ssh-agent of your session (Ubuntu desktops start one at login). You then enter the passphrase only once and use the key freely for the remainder of your OS session; the agent keeps the key in memory only and forgets it when it exits or when you remove the key with ssh-add -d.

[email protected]:~$ ssh-add /home/clientuser/.ssh/id_rsa
Enter passphrase for /home/clientuser/.ssh/id_rsa:
Identity added: /home/clientuser/.ssh/id_rsa (/home/clientuser/.ssh/id_rsa)

SSH key authentication is relatively easy to configure, but it significantly increases the security of your connection and also makes day-to-day work easier, especially if you need to connect to multiple SSH destinations.


6 Responses

  1. If the machine you're connecting to is only running SSHv2, you will need to copy the file ~/.ssh/authorized_keys to ~/.ssh/authorized_keys2

    :)

  2. Administrator, December 10, 2011 @ 4:27 am

    I'm afraid that I cannot agree with you. The authorized_keys2 file has been deprecated since OpenSSH 3.0 and the use of authorized_keys in all cases is encouraged. Actually, the server I used while writing this article is running only the SSH protocol 2. There might be some OpenSSH implementations left that require authorized_keys2, but generally this file should not be necessary any more :)

  3. One detail missing from step 3 above is to secure the permissions of your ssh files. You should run the commands:
    [email protected]:~$ chmod 700 /home/clientuser/.ssh
    [email protected]:~$ chmod 600 /home/clientuser/.ssh/authorized_keys

  4. Another tip I've received is that you can make it easier to connect from your local machine if you edit /home/clientuser/.ssh/config
    and add the lines:

    # "your_server" is any name you want for the server
    Host your_server
        # or whatever the server IP is
        HostName 99.99.99.99
        IdentityFile /home/clientuser/.ssh/id_rsa
        PasswordAuthentication no
        # or an alternative port if needed
        Port 22
        User serveruser

    then you can just type "ssh your_server"

    • Administrator, February 6, 2012 @ 1:43 am

      Thanks for the useful tips. Using SSH client configuration options can really be a time saver. I, personally, have been using bash aliases to create these kinds of shortcuts. For example, adding the following to /home/clientuser/.bashrc:

      alias gohome='ssh -l serveruser 192.168.32.1 -p 2202'

      And then I just type gohome :)

      The approach you offered, however, is indeed more flexible and seems like the proper thing to do.

      Thank you once again for contributing to our website :)


