{"id":2478,"date":"2019-03-30T09:26:03","date_gmt":"2019-03-30T06:26:03","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2478"},"modified":"2019-03-30T09:46:51","modified_gmt":"2019-03-30T06:46:51","slug":"configure-ssh-public-key-authentication-in-linux","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-ssh-public-key-authentication-in-linux\/","title":{"rendered":"Configure SSH Public Key Authentication in Linux"},"content":{"rendered":"

This guide presents the simplest way of how to configure SSH public key authentication in Linux server. Logging in to a system via SSH public key is more secure as compared to password authentication. In our previous guide, we discussed how to disable SSH password login for specific users<\/a>. Note that when you disable password authentication for user, the only way to login is by use of SSH keys.<\/p>\n

Configure SSH Public Key Authentication in Linux<\/h3>\n

In order to explicitly allow SSH public key authentication for anyone who is logging into a Linux system, you need to disable SSH password authentication. This can be done by setting the value of the PasswordAuthentication<\/code> directive to no<\/code> in sshd_config<\/code> file. By default, SSH is configured to allow password based login. That is why you can still login with the directive PasswordAuthentication<\/code> set to yes and commented out.<\/p>\n

vim \/etc\/ssh\/sshd_config<\/code><\/pre>\n
...\r\n# To disable tunneled clear text passwords, change to no here!\r\n#PasswordAuthentication yes\r\nPasswordAuthentication no<\/strong>\r\n...<\/code><\/pre>\n
If you need to disable password authentication for a specific user, use the Match directive to define the user. See our previous article<\/a> for more details.<\/p>\n
Reload SSHd.<\/p>\n
systemctl reload ssh<\/code><\/pre>\n
Next, if you try to login without user SSH public key having been copied to the target server, you will get Permission denied (publickey)<\/code>.<\/p>\n
ssh amos@192.168.0.107\r\namos@192.168.0.107: Permission denied (publickey).<\/code><\/pre>\n
NOTE<\/strong> that before you can configure SSH to allow public key authentication only, you need to first generate and copy the SSH keys for the user you intend to use for logging in with, lest you wont be able to copy the SSH keys nor login as that user thereafter. Hence,<\/p>\n
Generate SSH Keys<\/h3>\n
SSH keys can be generated using the ssh-keygen<\/code> command line tool.<\/p>\n
ssh-keygen<\/code><\/pre>\n
Generating public\/private rsa key pair.\r\nEnter file in which to save the key (\/home\/mibey\/.ssh\/id_rsa): ENTER<\/strong>\r\nEnter passphrase (empty for no passphrase): P@SSword<\/strong>\r\nEnter same passphrase again: P@SSword<\/strong>\r\nYour identification has been saved in \/home\/mibey\/.ssh\/id_rsa.\r\nYour public key has been saved in \/home\/mibey\/.ssh\/id_rsa.pub.\r\nThe key fingerprint is:\r\nSHA256:DNxhVMB08hrzDPi0CbZiMbYxgtNBEkSjMyDqvLL9T8c amos@u18svr\r\nThe key's randomart image is:\r\n+---[RSA 2048]----+\r\n|B*o    +Boo      |\r\n|=+.. . +.=       |\r\n|B o * * * .      |\r\n|o+ o B B X       |\r\n| o  + . S o      |\r\n|  .. . .         |\r\n|..    . E        |\r\n|.o   . .         |\r\n|. .....          |\r\n+----[SHA256]-----+<\/code><\/pre>\n
If you need to generate passwordless key, leave the password prompt blank by pressing ENTER. If you need to save the key to different file, specify the file path.<\/p>\n
Note that to generate SSH keys for a specific user, you need to be logged in as that user. The key files are usually stored in the ~\/.ssh<\/code> directory<\/p>\n
Copy SSH Keys to Server<\/h3>\n
Once you have generated the keys, you can install it as an authorized key on the server using the ssh-copy-id<\/code> command.<\/p>\n
ssh-copy-id amos@192.168.0.108\r\n\/usr\/bin\/ssh-copy-id: INFO: Source of key(s) to be installed: \"\/home\/mibey\/.ssh\/id_rsa.pub\"\r\n\/usr\/bin\/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed\r\n\/usr\/bin\/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys\r\namos@192.168.0.108's password: USER PASSWORD<\/strong>\r\n\r\nNumber of key(s) added: 1\r\n\r\nNow try logging into the machine, with:   \"ssh 'amos@192.168.0.108'\"\r\nand check to make sure that only the key(s) you wanted were added.<\/code><\/pre>\n
If the key is not saved on the default directory, you can specify the file using -i<\/code> option.<\/p>\n
ssh-copy-id -i ~\/.mykeys amos@192.168.0.108<\/code><\/pre>\n
Now, if you attempt to login to the server, you will be prompted to enter the key passphrase if at all you had signed it with a passphrase. Otherwise, it will just login without passphrase prompt.<\/p>\n
ssh 'amos@192.168.0.108'\r\nEnter passphrase for key '\/home\/mibey\/.ssh\/id_rsa': KEY PASSPHRASE<\/strong><\/code><\/pre>\n
This will read the SSH key from the default directory. To specify a different key, pass option -i.<\/p>\n
ssh -i ~\/.mykeys 'amos@192.168.0.108'<\/code><\/pre>\n
Any other user that tries to login without SSH key, will get;<\/p>\n
ssh root@192.168.0.108\r\nroot@192.168.0.108: Permission denied (publickey).<\/code><\/pre>\n
That is all about how to configure SSH public key authentication in Linux systems.<\/p>\n
If you need to allow or deny specific users from logging into a linux server, check our previous article;<\/p>\n