Configure SSH Public Key Authentication in Linux


This guide shows a simple way to configure SSH public key authentication on a Linux server. Logging in with an SSH key pair is more secure than password authentication. In our previous guide, we discussed how to disable SSH password login for specific users. Note that once password authentication is disabled for a user, the only way for that user to log in is with SSH keys.

Configure SSH Public Key Authentication in Linux

To make SSH public key authentication the only login method for anyone logging in to a Linux system, you need to disable SSH password authentication. This is done by setting the PasswordAuthentication directive to no in the sshd_config file. By default, SSH allows password-based login, which is why you can still log in with a password while the line PasswordAuthentication yes is commented out.

vim /etc/ssh/sshd_config
...
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no
...

If you need to disable password authentication for a specific user, use the Match directive to define the user. See our previous article for more details.

Reload SSHd.

systemctl reload ssh
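
Why the commented-out line still means yes, and why the position of the new line matters: sshd uses the first value it obtains for a keyword. The script below is an added example, not part of the original guide; the function name, the user backup and the sample files are constructed, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: resolve the value sshd would use for a keyword in the global
# section of an sshd_config-style file. Assumptions: Include files are not
# followed, Match blocks are not evaluated, keyword and value are separated
# by whitespace. All file contents below are constructed samples.

# effective_option FILE KEYWORD DEFAULT
effective_option() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        tolower($1) == "match"   { exit }     # global section ends here
        tolower($1) == want && val == "" { val = tolower($2) }  # first wins
        END { print (val == "" ? def : val) }
    ' "$1"
}

tmp=$(mktemp -d)

# Stock layout: the directive is only present as a comment.
printf '%s\n' '#PasswordAuthentication yes' > "$tmp/stock"

# The edit from this guide, followed by a per-user exception.
printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'Match User backup' '    PasswordAuthentication yes' > "$tmp/hardened"

# An earlier "yes" shadows the "no" appended further down.
printf '%s\n' 'PasswordAuthentication yes' 'UsePAM yes' \
    'PasswordAuthentication no' > "$tmp/shadowed"

for f in stock hardened shadowed; do
    printf '%-9s PasswordAuthentication %s\n' "$f" \
        "$(effective_option "$tmp/$f" PasswordAuthentication yes)"
done
```

On a live server, sshd -T prints the configuration the daemon itself resolves, and sshd -t checks the file for syntax errors before you reload.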

Next, if you try to log in before the user's SSH public key has been copied to the target server, you will get Permission denied (publickey).

ssh [email protected]
[email protected]: Permission denied (publickey).

NOTE: before you configure SSH to allow public key authentication only, first generate the SSH keys for the user you intend to log in as and copy them to the server. Otherwise you won't be able to copy the SSH keys or log in as that user thereafter.

Generate SSH Keys

SSH keys can be generated using the ssh-keygen command line tool.

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mibey/.ssh/id_rsa): ENTER
Enter passphrase (empty for no passphrase): P@SSword
Enter same passphrase again: P@SSword
Your identification has been saved in /home/mibey/.ssh/id_rsa.
Your public key has been saved in /home/mibey/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:DNxhVMB08hrzDPi0CbZiMbYxgtNBEkSjMyDqvLL9T8c amos@u18svr
The key's randomart image is:
+---[RSA 2048]----+
|B*o    +Boo      |
|=+.. . +.=       |
|B o * * * .      |
|o+ o B B X       |
| o  + . S o      |
|  .. . .         |
|..    . E        |
|.o   . .         |
|. .....          |
+----[SHA256]-----+

If you need a key without a passphrase, leave the passphrase prompt blank by pressing ENTER. If you need to save the key to a different file, specify the file path.

Note that to generate SSH keys for a specific user, you need to be logged in as that user. The key files are usually stored in the ~/.ssh directory.

Copy SSH Keys to Server

Once you have generated the keys, you can install the public key as an authorized key on the server using the ssh-copy-id command.

ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/mibey/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: USER PASSWORD

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

If the key is not saved in the default location, you can specify the file using the -i option.

ssh-copy-id -i ~/.mykeys [email protected]
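
ssh-copy-id ends by telling you to check that only the key(s) you wanted were added. One way to script that check against the server's authorized_keys file is shown below, as an added example that is not part of the original guide; the function names and all key material are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file after ssh-copy-id.
# All key material below is a constructed placeholder, not a real key.

# key_blob PUBKEY_FILE -> prints the base64 field of a one-line public key
key_blob() { awk 'NF >= 2 { print $2; exit }' "$1"; }

# key_installed PUBKEY_FILE AUTHORIZED_KEYS -> exit 0 if the key is listed.
# The blob is matched as a whole field, so options placed before the key
# type and a different trailing comment do not affect the result.
key_installed() {
    awk -v blob="$(key_blob "$1")" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { for (i = 1; i <= NF; i++) if ($i == blob) { found = 1; exit } }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# unexpected_keys PUBKEY_FILE AUTHORIZED_KEYS -> prints every other entry
unexpected_keys() {
    awk -v blob="$(key_blob "$1")" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { hit = 0
          for (i = 1; i <= NF; i++) if ($i == blob) hit = 1
          if (!hit) print "line " FNR ": " $0 }
    ' "$2"
}

tmp=$(mktemp -d)
echo 'ssh-rsa AAAA_CONSTRUCTED_BLOB_1 mibey@client' > "$tmp/id_rsa.pub"
cat > "$tmp/authorized_keys" <<'EOF'
# constructed sample file
from="192.0.2.10" ssh-rsa AAAA_CONSTRUCTED_BLOB_1 mibey@client
ssh-ed25519 AAAA_CONSTRUCTED_BLOB_2 unknown@elsewhere
EOF

if key_installed "$tmp/id_rsa.pub" "$tmp/authorized_keys"; then
    echo "expected key is installed"
fi
echo "entries that were not expected:"
unexpected_keys "$tmp/id_rsa.pub" "$tmp/authorized_keys"
```

Run it against the real ~/.ssh/authorized_keys before setting PasswordAuthentication to no; an unexpected entry is a key that can still log in once passwords are disabled.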

Now, if you attempt to log in to the server, you will be prompted for the key passphrase if you protected the key with one. Otherwise, you will be logged in without a passphrase prompt.

ssh '[email protected]'
Enter passphrase for key '/home/mibey/.ssh/id_rsa': KEY PASSPHRASE

This will read the SSH key from the default directory. To specify a different key, pass the -i option.

ssh -i ~/.mykeys '[email protected]'

Any other user who tries to log in without an SSH key will get:

ssh [email protected]
[email protected]: Permission denied (publickey).

That is all about how to configure SSH public key authentication in Linux systems.

If you need to allow or deny specific users from logging into a Linux server, check our previous article.

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".
