How to SSH to Linux System without Requiring a Password

SSH Basics

In order to make a more secure connection to a server or any other device, we do not want to use password authentication. That is the main motivation behind SSH public key authentication. SSH keys provide a fully encrypted way to access your device.

An SSH key pair includes two types of keys:

A public key that is copied to the SSH server(s). Anyone with a copy of the public key can encrypt data which can then only be read by the person who holds the corresponding private key. Once an SSH server receives a public key from a user, it copies the key to its authorized_keys file.

A private key that remains (only) with the user. Possession of this key is proof of the user’s identity. Only a user in possession of the private key that corresponds to the public key on the server will be able to authenticate successfully. Private keys need to be stored and handled carefully, and no copies of the private key should be distributed.

Step 1: Create an RSA Public and Private Key Pair

Let’s assume for now that we have two devices, test-client and test-server.  The keys are generated on the client side and then copied to the server.

test@test-client:~$ cd .ssh

test@test-client:~/.ssh$ ssh-keygen

The default key type of the ssh-keygen command is RSA.

If you would like to change the key type to DSA, ECDSA or another type, you can use the -t flag.

-t dsa | ecdsa | ed25519 | rsa | rsa1
      Specifies the type of key to create. The possible values are “rsa1” for protocol version 1 and
      “dsa”, “ecdsa”, “ed25519”, or “rsa” for protocol version 2.

 

The following is an example:

test@test-client:~$ cd .ssh
test@test-client:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:0tepVVkXA0IAitcp34SPBO1IJqWMPdqo5ogAPnrY6HQ test@test-client
The key's randomart image is:
+---[RSA 2048]----+
|    .o....oo ..o+|
|  +.oo+.o   .  oo|
| . *++o= .    o  |
|  + o.+o=  . o   |
|.o .  .oSo. +    |
|+      . . o     |
|oO E      .      |
|@ =              |
|=+               |
+----[SHA256]-----+

 

Now let’s verify that the keys were generated.

test@test-client:~/.ssh$ ls
id_rsa  id_rsa.pub  known_hosts

Step 2:  Copy the Public Key to the Server

Use the ssh-copy-id command to copy the key to the server, authenticating with your password. This is the only and last time you should need a password to log in to the server. However, if the file known_hosts is somehow removed from the server, you won’t be able to SSH to the server until you go through this process again. For safety, create a backup copy of the server known_hosts file.

test@test-client:~/.ssh$ ssh-copy-id 192.168.1.100
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
test@192.168.1.100's password:


Number of key(s) added: 1


Now try logging into the machine, with:   "ssh '192.168.1.100'"
and check to make sure that only the key(s) you wanted were added.

 

Step 3: Use SSH to Connect to the Server

Finally, SSH to the server to confirm that the public key was added to the server and that everything is working as expected.

test@test-client:~/.ssh$ ssh test@192.168.1.100
Welcome to Ubuntu 16.04.2 LTS


* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage
test@test-server:~$

Once you have verified that you are able to SSH to the server without a password, you are done. The client can SSH to the server securely.

Extra Step

It is recommended to disable SSH password authentication completely so that no other system can access the server.

Ensure that PermitRootLogin is properly set to prohibit-password.

Edit the file /etc/ssh/sshd_config

sudo vi /etc/ssh/sshd_config

Verify that the following is set:

PermitRootLogin prohibit-password
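
The following check is an added example, not part of the original article: it audits an sshd_config file for this step, and also reads the separate PasswordAuthentication keyword (default yes), because PermitRootLogin prohibit-password restricts only the root account. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an sshd_config file for key-only login.
# Limitation: Include files and Match blocks are not evaluated; on a live
# server, `sudo sshd -T` prints the authoritative effective configuration.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive. Only the global section (before any Match) is read.
effective_value() {
    awk -F'[ \t=]+' -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }              # drop indentation, re-split fields
        /^#/ { next }                       # comment line
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> prints findings, returns the number of findings
audit_sshd_config() {
    findings=0
    pw=$(effective_value "$1" PasswordAuthentication yes)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication=$pw (passwords still accepted)"
        findings=$((findings + 1))
    fi
    case "$root" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "FAIL PermitRootLogin=$root (root may log in with a password)"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ] && echo "OK key-only login enforced"
    return "$findings"
}

# Constructed sample 1: only the setting shown in this step.
demo=$(mktemp)
printf 'PermitRootLogin prohibit-password\n' > "$demo"
audit_sshd_config "$demo" || true    # one finding: PasswordAuthentication=yes

# Constructed sample 2: password logins disabled for every account.
printf 'PasswordAuthentication no\nPermitRootLogin prohibit-password\n' > "$demo"
audit_sshd_config "$demo" || true    # no findings
rm -f "$demo"
```

On the server, point audit_sshd_config at /etc/ssh/sshd_config, and keep an existing session open while testing a changed configuration.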

 

 

 
