Configure SSH Key Authentication on a Linux Server

Configure SSH Key Authentication on a Linux ServerSSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a Linux server, chances are, you will spend most of your time in a terminal session connected to your server through SSH.

SSH keys provide an easy, yet extremely secure way of logging into your server. For this reason, this is the method we recommend for all users.

SSH Key Authentication

An SSH server can authenticate clients using a variety of different methods. The most basic of these is password authentication, which is easy to use, but not the most secure.

However, residing access security on a human entered password is not very wise. Script kiddies may break into your system due to a lazy user with a weak password. And it is beyond the system administrator power to make users choose good passwords.

Another advantage of this method, is that one does not need different passwords to log on different servers. One can authenticate via the personal private key on all servers, needing not to remember several passwords.

It is also possible to make logins with no password asked with this method.

Create SSH Keys without password

On the client machine, the user must generate a public / private keys pair that will identify himself on the servers. One can choose to protect it with password or not.

To do this, we can use a special utility called ssh-keygen, which is included with the standard OpenSSH suite of tools. By default, this will create a 2048 bit RSA key pair, which is fine for most uses.

root@malware.expert:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/malware.expert/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/malware.expert/.ssh/id_rsa.
Your public key has been saved in /home/malware.expert/.ssh/id_rsa.pub.
The key fingerprint is:
45:3f:af:18:24:35:42:52:68:4a:1b:a1:c3:f3:fd:12 root@malware.expert
The key's randomart image is:
+--[ RSA 2048]----+
|.o o.            |
|. + oE           |
| o +             |
|  +    o         |
|.  .  + S        |
|o..  . o         |
|oo o..  .        |
|o =.o            |
|+=.o.            |
+-----------------+

if you need password, you can use

ssh-keygen -p

Copying your Public Key Using SSH-Copy-ID

The easiest way to copy your public key to an existing server is to use a utility called ssh-copy-id. Because of its simplicity, this method is recommended if available.

The ssh-copy-id tool is included in the OpenSSH packages in many distributions, so you may have it available on your local system. For this method to work, you must already have password-based SSH access to your server.

To use the utility, you simply need to specify the remote host that you would like to connect to and the user account that you have password SSH access to.

ssh-copy-id username@remote_host

This is the account where your public SSH key will be copied.

ssh-copy-id root@malware.expert
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/malware.expert/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@malware.expert's password:

Note that at this point password access is needed. This procedure can be done by any other way you wish. For example, the server’s administrator himself can add the public key to allow a user access, instead of giving him a password.

Once the public key is installed on the server, access will be granted with no password question.

ssh-copy-id that simply adds the contents of client’s ~/.ssh/id_rsa.pub to the server’s ~/.ssh/authorized_keys:

You will see output that looks like this:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@malware.expert'"
and check to make sure that only the key(s) you wanted were added.

Copying your Public Key Using SSH

If you do not have ssh-copy-id available, but you have password-based SSH access to an account on your server, you can upload your keys using a conventional SSH method

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Copying your Public Key Manually

If you do not have password-based SSH access to your server available, you will have to do the above process manually with remote server administrator.

The content of your id_rsa.pub file will have to be added to a file at ~/.ssh/authorized_keys on your remote machine where you want login.

cat ~/.ssh/id_rsa.pub

You will see the key’s content:

ssh-rsa 1234B3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9Ukj435n4k3n5k43n5k3n54GwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70k3j4n5k43n5kn345nk43n5n4kj34k5n95ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== root@malware.expert

Remote administrator add your public_key_string to authorized_keys file. If this added correct, you can move on to try to authenticate without a password.