Key-based authentication is a more secure method for accessing your Linux server via Secure Shell (SSH) than using a password. It relies on a pair of cryptographic keys – a private key stored on the client machine and a public key stored on the server. In this article, we’ll guide you through setting up key-based SSH login in Linux, including generating keys, transferring public keys, and configuring the server.
Step 1: Generate an SSH Key Pair
The first step in setting up key-based SSH login is to generate an SSH key pair on the client machine. Open a terminal on your local machine (Linux or macOS) and run the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Replace “your_email@example.com” with your actual email address. This command will generate a 4096-bit RSA key pair. You will be prompted to enter a file name and location for the key pair. If you press Enter without specifying a location, the keys will be saved in the default location (~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key).
Next, you’ll be prompted to enter a passphrase for your key pair. It’s recommended to use a strong, unique passphrase for added security.
Step 2: Transfer the Public Key to the Server
Now that you’ve generated your SSH key pair, transfer the public key to your Linux server. Use the ssh-copy-id command to copy the public key to the server:
ssh-copy-id user@server_address
Replace “user” with your username on the server and “server_address” with the server’s IP address or hostname. You’ll be prompted to enter your password for the server. Once the public key is successfully copied to the server, it will be stored in the ~/.ssh/authorized_keys file for the specified user.
If ssh-copy-id is unavailable on your system or you’re using a Windows machine, you can manually transfer the public key using SCP or SFTP. First, copy the public key’s content, then log in to the server using your password, and add the public key content to the ~/.ssh/authorized_keys file:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "PASTE_PUBLIC_KEY_CONTENT_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Step 3: Configure the SSH Server
To enable key-based authentication, you must configure the SSH server on your Linux machine. Edit the SSH configuration file, usually located at /etc/ssh/sshd_config, using your preferred text editor:
sudo nano /etc/ssh/sshd_config
Ensure that the following lines are present and uncommented in the configuration file:
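PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Optionally, if you want to disable password authentication completely, change the PasswordAuthentication directive to “no”. Do this only after the test in Step 4 succeeds, and keep your current session open while you make the change, so that a mistake does not lock you out:
PasswordAuthentication no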
Save the changes and restart the SSH service to apply the new configuration:
sudo systemctl restart sshd
Step 4: Test Key-based SSH Login
To test the key-based SSH login, open a terminal on your local machine and run the following command:
ssh user@server_address
If you’ve set a passphrase for your key pair, you’ll be prompted to enter it. Once authenticated, you should be logged in to the server without needing to provide your password.
Troubleshooting
If you encounter issues with key-based SSH login, check the following:
- Ensure that the public key is correctly added to the ~/.ssh/authorized_keys file on the server.
- Verify that the SSH server configuration (/etc/ssh/sshd_config) allows public key authentication and the AuthorizedKeysFile directive points to the correct file.
- Check the permissions of the ~/.ssh directory and the authorized_keys file on the server. The ~/.ssh directory should have permissions set to 700, and the authorized_keys file should have permissions set to 600.
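The three checks above can be scripted. The following is an added example, not part of the original article; the function names (sshd_value, mode_of, audit_key_login) and the sample files are constructed for illustration, and it assumes GNU stat and a configuration without Include or Match blocks.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit the Troubleshooting items.
# Assumptions: Include/Match blocks are ignored and AuthorizedKeysFile is a
# single path relative to the home directory. On a real server,
# `sudo sshd -T` prints the effective configuration instead.

# First uncommented value of a keyword; sshd keeps the first value it reads.
sshd_value() {  # usage: sshd_value <config-file> <keyword>
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Octal permission bits of a path (GNU stat, as shipped on Linux).
mode_of() { stat -c '%a' "$1" 2>/dev/null; }

# Prints one line per finding; the return status is the number of failures.
audit_key_login() {  # usage: audit_key_login <sshd_config> <home-dir>
  local cfg=$1 home=$2 bad=0 v keys
  v=$(sshd_value "$cfg" PubkeyAuthentication)
  # An unset directive falls back to the OpenSSH default, "yes".
  if [ "${v:-yes}" != yes ]; then
    echo "FAIL PubkeyAuthentication is $v"; bad=$((bad + 1))
  fi
  v=$(sshd_value "$cfg" AuthorizedKeysFile)
  keys="$home/${v:-.ssh/authorized_keys}"
  if [ ! -s "$keys" ]; then
    echo "FAIL $keys is missing or empty"; bad=$((bad + 1))
  fi
  if [ "$(mode_of "$home/.ssh")" != 700 ]; then
    echo "FAIL $home/.ssh is not mode 700"; bad=$((bad + 1))
  fi
  if [ -e "$keys" ] && [ "$(mode_of "$keys")" != 600 ]; then
    echo "FAIL $keys is not mode 600"; bad=$((bad + 1))
  fi
  v=$(sshd_value "$cfg" PasswordAuthentication)
  echo "INFO PasswordAuthentication is ${v:-yes (default)}"
  return "$bad"
}

# Constructed sample: correct sshd_config, but a group-writable key file.
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
echo "ssh-ed25519 AAAA-constructed-key user@example" > "$demo/.ssh/authorized_keys"
chmod 664 "$demo/.ssh/authorized_keys"
printf '%s\n' '#PubkeyAuthentication no' 'PubkeyAuthentication yes' \
  'AuthorizedKeysFile .ssh/authorized_keys' 'PasswordAuthentication no' \
  > "$demo/sshd_config"
audit_key_login "$demo/sshd_config" "$demo" || echo "failures: $?"
```

To audit a real account, call audit_key_login with /etc/ssh/sshd_config and that user's home directory; running `sudo sshd -t` before restarting the service catches syntax errors in the configuration file.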
Conclusion
Setting up key-based SSH login in Linux is a crucial step in securing remote access to your server. By following this guide, you’ve learned how to generate an SSH key pair, transfer the public key to your server, and configure the SSH server to accept key-based authentication. This method not only enhances the security of your server but also simplifies the login process by eliminating the need to remember and enter passwords manually.
4 Comments
I have been browsing online more than 3 hours today, yet I never found any interesting article like yours. It’s pretty worth enough for me. In my view, if all website owners and bloggers made good content as you did, the web will be much more useful than ever before.
Great post.
Great post. I was checking constantly this blog and I’m impressed! Extremely helpful information specially the last part 🙂 I care for such information much. I was looking for this certain info for a long time. Thank you and good luck.
Excellent post. I was checking continuously this blog and I am impressed! Very useful info specially the last part 🙂 I care for such info much. I was seeking this particular information for a long time. Thank you and good luck.