Configure SSH Public Key Authentication in Linux

0
3501

This guide presents the simplest way of how to configure SSH public key authentication in Linux server. Logging in to a system via SSH public key is more secure as compared to password authentication. In our previous guide, we discussed how to disable SSH password login for specific users. Note that when you disable password authentication for user, the only way to login is by use of SSH keys.

Configure SSH Public Key Authentication in Linux

In order to explicitly allow SSH public key authentication for anyone who is logging into a Linux system, you need to disable SSH password authentication. This can be done by setting the value of the PasswordAuthentication directive to no in sshd_config file. By default, SSH is configured to allow password based login. That is why you can still login with the directive PasswordAuthentication set to yes and commented out.

vim /etc/ssh/sshd_config
...
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no
...

If you need to disable password authentication for a specific user, use the Match directive to define the user. See our previous article for more details.

Reload SSHd.

systemctl reload ssh

Next, if you try to login without user SSH public key having been copied to the target server, you will get Permission denied (publickey).

ssh [email protected]
[email protected]: Permission denied (publickey).

NOTE that before you can configure SSH to allow public key authentication only, you need to first generate and copy the SSH keys for the user you intend to use for logging in with, lest you wont be able to copy the SSH keys nor login as that user thereafter. Hence,

Generate SSH Keys

SSH keys can be generated using the ssh-keygen command line tool.

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mibey/.ssh/id_rsa): ENTER
Enter passphrase (empty for no passphrase): [email protected]
Enter same passphrase again: [email protected]
Your identification has been saved in /home/mibey/.ssh/id_rsa.
Your public key has been saved in /home/mibey/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:DNxhVMB08hrzDPi0CbZiMbYxgtNBEkSjMyDqvLL9T8c [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|B*o    +Boo      |
|=+.. . +.=       |
|B o * * * .      |
|o+ o B B X       |
| o  + . S o      |
|  .. . .         |
|..    . E        |
|.o   . .         |
|. .....          |
+----[SHA256]-----+

If you need to generate passwordless key, leave the password prompt blank by pressing ENTER. If you need to save the key to different file, specify the file path.

Note that to generate SSH keys for a specific user, you need to be logged in as that user. The key files are usually stored in the ~/.ssh directory

Copy SSH Keys to Server

Once you have generated the keys, you can install it as an authorized key on the server using the ssh-copy-id command.

ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/mibey/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: USER PASSWORD

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

If the key is not saved on the default directory, you can specify the file using -i option.

ssh-copy-id -i ~/.mykeys [email protected]

Now, if you attempt to login to the server, you will be prompted to enter the key passphrase if at all you had signed it with a passphrase. Otherwise, it will just login without passphrase prompt.

ssh '[email protected]'
Enter passphrase for key '/home/mibey/.ssh/id_rsa': KEY PASSPHRASE

This will read the SSH key from the default directory. To specify a different key, pass option -i.

ssh -i ~/.mykeys '[email protected]'

Any other user that tries to login without SSH key, will get;

ssh [email protected]
[email protected]: Permission denied (publickey).

That is all about how to configure SSH public key authentication in Linux systems.

If you need to allow or deny specific users from logging into a linux server, check our previous article;

LEAVE A REPLY

Please enter your comment!
Please enter your name here