Configure SSH Key Authentication

Introduction

SSH can handle authentication using a traditional username and password combination or by using a public and private key pair. The SSH key pair establishes trust between the client and server, thereby removing the need for a password during authentication. While not required, the SSH private key can be encrypted with a passphrase for added security.

Requirements

  • Local terminal shell with OpenSSH
  • Remote server accessible over OpenSSH

Create Private and Public Keys

First confirm that a public and private key pair does not already exist.

ls -l ~/.ssh/

If either of the filename pairs below is present, then an RSA or DSA key pair already exists and you can move on to the next step of copying the public key to the remote server.

  • id_dsa / id_dsa.pub
  • id_rsa / id_rsa.pub

Note: This tutorial describes creating an RSA key pair. If a DSA key pair is already present, an RSA key pair can safely be created alongside the existing DSA key pair.

The RSA key pair can now be created. The bit length defaults to 2048 bits, which is considered sufficient. A larger key length can be specified with the -b size parameter if desired.

ssh-keygen -t rsa

You will be prompted for a passphrase, which is optional. A passphrase protects the private key should the key file ever be compromised. If no passphrase is needed, simply leave the field blank. There should now be two files in the ~/.ssh/ directory.

  • id_rsa - Private RSA key
  • id_rsa.pub - Public RSA key

Copy the Public Key to the Server

The public key is now ready to be copied to the remote server. The ssh-copy-id command can be used to automatically copy the public key to the remote server.

ssh-copy-id user@yourdomain.com

This will usually complete the process. The content of id_rsa.pub is simply appended to the ~/.ssh/authorized_keys file on the remote server. If necessary, the public key can also be copied to the remote server manually:

cat ~/.ssh/id_rsa.pub | ssh user@yourdomain.com "cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

An error message showing "No such file or directory" may appear if the destination .ssh directory does not already exist. In this case, the directory will need to first be created.

ssh user@yourdomain.com "mkdir -p ~/.ssh && chmod 700 ~/.ssh"

Note: Neither the .ssh directory nor the authorized_keys file may be group-writable (or world-writable), or sshd will refuse to use them for key authentication.
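The manual copy and the permission note above, as an added example that is not part of the original tutorial: this script reproduces locally what the remote side of ssh-copy-id does (create .ssh with mode 700, append the key once, keep authorized_keys at mode 600) and then checks that nothing is group- or world-writable. The function names and the local target directory are assumptions of this example; it never touches the network.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Both paths are parameters so
# the steps can be exercised offline against a scratch directory.

# Octal permission bits of a path (GNU stat, with a BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Install the public key in $1 into $2/authorized_keys, creating $2 with the
# permissions sshd requires and skipping the append if the key is already there.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    key=$(cat "$pubkey_file")
    if ! grep -qxF -- "$key" "$auth_keys"; then
        printf '%s\n' "$key" >> "$auth_keys"
    fi
}

# Return 0 only when neither the .ssh directory nor authorized_keys is
# group- or world-writable; a 2 bit in either octal digit means writable.
check_perms() {
    for p in "$1" "$1/authorized_keys"; do
        m=$(mode_of "$p")
        tail=${m#"${m%??}"}        # last two octal digits: group, other
        case "$tail" in
            *[2367]*) return 1 ;;
        esac
    done
    return 0
}

# Usage: sh install_key.sh ~/.ssh/id_rsa.pub /path/to/dotssh
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2" && check_perms "$2" && echo "key installed, permissions OK"
fi
```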

SSH should now use the key pair for authentication. If there are any problems, the /var/log/secure log file on the remote server should provide some insight; note that this file is usually readable only by an administrative user.