Setup SSH Server for Key Authentication on Ubuntu 17.04 / 17.10

This brief tutorial shows students and new users how to set up an OpenSSH server for key authentication, also called password-less authentication. This setup allows users of the Ubuntu server to log on via SSH without typing passwords.

This is a much more secure alternative to SSH password authentication. With password authentication, a user must type a password every time he/she wants to log on. Another weakness is that a password can be guessed by anyone.

With key authentication, no password is ever typed. Only client computers with the correct matching key pair to the server are allowed.

To configure SSH with key authentication, follow the steps below:

Step 1: Generate an SSH Key for Each User

To log on via SSH key authentication, you must first generate a key pair. Two keys are created: one public and the other private. The private key must stay on the server and the public key must be shared with clients securely.

Log in via SSH as the user you want to configure, then run the command below to generate an SSH key pair.

ssh-keygen -t rsa

When prompted, press Enter to accept the default location to store the keys. By default, they are saved in the user's home directory in the hidden .ssh folder.

richard@ubuntu1704:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/richard/.ssh/id_rsa): Enter
Created directory '/home/richard/.ssh'.
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter
Your identification has been saved in /home/richard/.ssh/id_rsa.
Your public key has been saved in /home/richard/.ssh/id_rsa.pub.

Step 2: Share the Public Key with the Client PC

After creating the key pair above, a public key called id_rsa.pub will be stored in the ~/.ssh/ directory. A file called authorized_keys will also be created in that directory. The SSH server looks in ~/.ssh/authorized_keys for all authorized keys that can log on to the server.

So, run the commands below to move the public key created above into the ~/.ssh/authorized_keys file.

mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

After running the above commands, log on to the client computer (hopefully another Linux machine) and run the commands below to copy the public key to the client machine.

mkdir -p ~/.ssh
scp richard@server_name:/home/richard/.ssh/id_rsa ~/.ssh/

The key should be copied to the client machine.

Step 3: Logon to SSH without Password

After getting the key to the client computer, log on to the server and open the default SSH configuration file by running the command below:

sudo nano /etc/ssh/sshd_config

Then make the highlighted changes below and save the file.

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
#PermitEmptyPasswords no

Save the file and restart SSH

sudo systemctl restart ssh
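
The check below is an added example, not part of the original tutorial: it reads the global section of an sshd_config file and reports whether the two settings changed above are really in effect, since sshd uses the first value it reads for a keyword and a line that is still commented out changes nothing. The function names and the sample files are made up for the illustration, and it assumes the file has no Include directives.

```shell
#!/bin/sh
# Print the effective value of keyword $2 in file $1, or fallback $3 if it is
# never set. sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive and "Keyword=value" is accepted.
sshd_effective() {
    awk -v want="$2" -v fallback="$3" '
        BEGIN { want = tolower(want) }
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit          # global section ends here
            if (key == want) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print fallback }
    ' "$1"
}

# Return 0 only if both password-style methods are effectively "no".
# An unset keyword falls back to the OpenSSH default, "yes" for both.
audit_sshd_config() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(sshd_effective "$1" "$kw" yes)
        if [ "$val" = "no" ]; then echo "ok:   $kw no"
        else echo "FAIL: $kw is effectively '$val'"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample files: the tutorial's settings, and a file where an
# earlier "yes" shadows the later "no" and one directive is still commented.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'UsePAM yes' '#PermitEmptyPasswords no' > "$tmp/good"
printf '%s\n' 'passwordauthentication yes' '#ChallengeResponseAuthentication no' \
    'UsePAM yes' 'PasswordAuthentication no' > "$tmp/shadowed"

for f in "$tmp/good" "$tmp/shadowed"; do
    echo "== $f"; audit_sshd_config "$f" || echo "password login still possible"
done
```

On the server itself, sudo sshd -T prints the effective configuration sshd would run with, which is the authoritative check after the restart.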

Protect your keys.

On the server, run the commands below to protect the SSH keys.

chmod 600 ~/.ssh/authorized_keys

Now only clients with the matching key pair will be allowed onto the server. To connect, run the command below, replacing server_name with the name of your server.

ssh richard@server_name

You will be logged on without typing a password.

If you can get the key to a Windows machine, you could use PuTTY to sign on automatically as well.

Enjoy~
