SSH or secure shell is a secure protocol that allows users to connect to remote SSH servers. Today, if you’re hosting a website or running a Linux server, chances are you’re using SSH protocol to remotely connect to the server to manage it.
This brief tutorial is going to show students and new users how to setup a SSH server to allow key authentication only. there will be no password to enter when connecting to the server.
This is a more secure way to prevent your SSH server from being hacked or allow authorized access.
To get started with SSH key authentication, follow the steps below:
Step 1: Generate a SSH Key Pair
If you’re using another Linux computer to connect to the server, then generaing SSH key pair and exporting it to the server should be a bit easier than a non Linux host.
To generate a SSH key pair, run the commands below from the Linux client machine.
That should generate a key pair ( private and public keys). By default ssh-keygen will create a 2048-bit RSA key pair. this is quite secure.
Generating public/private rsa key pair. Enter file in which to save the key (/home/richard/.ssh/id_rsa):
By default the key pair will be stored in your home directory in ~./ssh folder.
You will be prompted to enter a passphrase to add additional layer of security. this is optional so you can leave blank and press the Enter key.
Created directory '/home/richard/.ssh'. Enter passphrase (empty for no passphrase):
The final result should look like the code below. you key should be saved and ready to use.
Your public key has been saved in /home/richard/.ssh/id_rsa.pub. The key fingerprint is: SHA256:ssN2UjCEIR9MFQ3Snvy+tM83wUDrh0/dPCZzb77lUjA richard@ubuntu1804 The key's randomart image is: +---[RSA 2048]----+ | .o===+ | | oo+. . . | | .oo. . . | | +o o E | | .S. + . = | | . +. o =o.++| | *.o + .=.+| | . =.o + .+| | ooo. . =+| +----[SHA256]-----+
Step 2: Export the Public Key to the SSH Server
Now that the your key pair has been created, you can now export your public key to the server. When using a Linux client, the quickest way is to use the ssh-copy-id command.
This command will copy the contents of your ~/.ssh/id_rsa.pub key into a file in the remote account’s home ~/.ssh directory called authorized_keys.
The SSH host looks into the authorized_keys file to match keys clients are presenting to server for authentication. if a client is connecting with a private key but no public key in the authorized_keys file, the connection will be denined.
Only client client matching private and public keys on the remote host will be allow access.
Run the commands below to export your public key to the remote host.
When you run the commands above, the out should look like the one below.
ssh-copy-id firstname.lastname@example.org The authenticity of host '10.0.2.6 (10.0.2.6)' can't be established. ECDSA key fingerprint is SHA256:GPeNZbX26TFHJ/zaqVNppD7m9pLvZ3jINahxXy226q4. Are you sure you want to continue connecting (yes/no)? yes
Type yes to export the key.
After you type your SSH password for the remote host, the key should be successfully installed.
Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'email@example.com'" and check to make sure that only the key(s) you wanted were added.
Now your public key is stored on the remote server.
Now when you logon to the remote server, access should be granted without you typing a password.
ssh firstname.lastname@example.org Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Sat Apr 28 02:50:34 UTC 2018
If you’re using a non Linux host or can’t use ssh-copy-id command, you can manually copy your public key and paste into the authorized_keys file on th remote host.
Run the commands below to display your public key.
The output should look like the linke below.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV2FxeXfKhsabnom7Esmh+r2Jf3WF+cqjv1BNXp5zdZhtiEHNT+4qJSxDyJ61DsbJOUX0MANG3geVgUVCkk/gR4hOHGBlJbuUlZRmCZVr5jNSvpBkXrB1M8WB73vwJy3cK0dMtcAQmNdKo23KYAR8/zKlv9lg4mc41qSwnhIXtrL5iyp9s+29bz84oxlsUc3+C0Y4aUWpVYNq4iH62CT0GZDC0vC8up5U/kSEkRbXjZerfnbQBYnsLb7g2SQRRUogauonCMlz1zrWMTP9EK8HdQdp7EaHcagFu3z3PQPMPaIRwJcahmAZIoNN0c2JEdg36j4RPik7CSDQVCA37IdDp richard@ubuntu1804
Copy the entiree key content and paste into ~/.ssh/authorized_keys file you create on the remote host.
Step 3: Disable SSH Password Authentication
Now that you know SSH key authentication works, you can now disable password authentication to enable enhanced SSH security. Connecto the the SSH remote host and open the configuration file by running the commands below
sudo nano /etc/ssh/sshd_config
Then change the line below to no
. # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no .
Save the file and exit.
Restart SSH Server
sudo systemctl restart ssh.service
Now only SSH clients with keys in the authorized_keys file will be allow to access the server.
You may also like the post below: