In this article we are going to learn how to use public key authentication with SSH under Linux / UNIX environments.
For this article we are using Ubuntu 12.04 LTS, a Debian-based operating system.
Note: These instructions work under Ubuntu 10.04 LTS, Ubuntu 13, CentOS / RHEL / Redhat Enterprise Linux, Debian 6, Debian 7 or any traditional Linux / UNIX operating system.
Why use public key authentication?
Public key authentication provides SSH users with two advantages over standard PAM password-based authentication: it is easier to use, and it has improved security capabilities. In some cases it is even required, for example in a bash script or in applications that rely on customized automation or installations.
Public keys can also handle the complete authentication process for you, eliminating the need to enter a password or passphrase.
A public key system is exceedingly robust, which makes using SSH with public keys an important part of a sensible security strategy.
How does public key authentication work with SSH?
Authentication keys come in two parts. The "public key" component is stored in the "~/.ssh/authorized_keys" file on any server you want to access.
The "private key" component is stored only on your local system and allows you to access any machine that has the matching "public key" properly stored on it.
It is not feasible to deduce the contents of the private key from the public key. The private key is equivalent in power to the username and password that we usually use to connect to a system.
Protecting private keys
It is very important to protect your private keys, because anyone who holds one can log in as you. We can secure these keys by encrypting them locally with a passphrase and by restricting the permissions on the private key file to the owning user and/or group, never everyone.
Please note: Using public key authentication with SSH without any passphrase is not recommended. However, it is required at times in certain use cases.
Installing and generating keys
Now, we are going to generate keys. You need the OpenSSH package, which usually comes installed by default in almost every Linux/UNIX distribution. If for some reason it is not installed, you can install it under CentOS / Redhat / RHEL using the command below:
sudo yum -y install openssh-server openssh-clients
If you are using a Debian / Ubuntu operating system, you can use the command below to install it:
sudo apt-get install openssh-server openssh-client
We will use two terms below. Understanding these two concepts is very important in order to configure public key authentication with SSH successfully.
We will be referring to
1) “Local System” as the host from which we want to access a remote machine / server, with or without a passphrase. We will have the choice, which we will discuss later in this article.
2) “Remote System” as the host which we are accessing from the “Local System”.
To generate SSH keys for our “Local System” host, we use the ssh-keygen command.
This command uses the “RSA” algorithm by default. If you would like to use the “DSA” algorithm instead, you can add the -t switch as follows (note that OpenSSH 7.0 and later disable DSA keys by default):
ssh-keygen -t dsa
A discussion of the differences between these algorithms is beyond the scope of this article.
Answer all questions when prompted. The default answers are acceptable for most cases. When the process is complete, ssh-keygen has generated an SSH key pair using the RSA algorithm, which is the one we chose.
The SSH keys we have generated are located in the ~/.ssh/ directory.
We will find the private key in the ~/.ssh/id_rsa file and the public key in the ~/.ssh/id_rsa.pub file.
Now, we can copy the public key to the “Remote System” so that it can be added to the ~/.ssh/authorized_keys file there, using the commands below. Change the hostname and user to match your environment.
scp ~/.ssh/id_rsa.pub firstname.lastname@example.org:/home/shellways/.ssh/uploaded_key.pub
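We can now run the command below to append the uploaded key to ~/.ssh/authorized_keys on the “Remote System” using SSH. The remote command is in single quotes so that it is executed on the “Remote System” and not expanded by the local shell:
ssh email@example.com 'cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys'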
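The append step above, as an added example that is not part of the original article: a function to run on the “Remote System” after the scp step. It refuses a private key uploaded by mistake, adds the key only once, and sets permissions that sshd's StrictModes check accepts. The function name install_pubkey is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original article).
# Usage on the "Remote System": install_pubkey ~/.ssh/uploaded_key.pub
#
# install_pubkey PUBKEY_FILE [SSH_DIR]
#   returns 0 on success, 1 unreadable file, 2 private key, 3 not a public key
install_pubkey() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse a private key uploaded by mistake (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key; not installing" >&2
        return 2
    fi

    # A public key file is one line: "<type> <base64> [comment]".
    # Only the common ssh-* and ecdsa-* key types are matched here.
    key=$(grep -E '^(ssh-|ecdsa-)[a-z0-9@.-]+ [A-Za-z0-9+/=]+( .*)?$' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "$pub is not an OpenSSH public key" >&2; return 3; }

    # Create the directory and file with no group/other access, then set
    # the modes explicitly in case they already existed with looser ones.
    ( umask 077; mkdir -p "$dir"; touch "$auth" )
    chmod 700 "$dir"
    chmod 600 "$auth"

    # Append only if this exact line is absent, so a re-run does not
    # leave duplicate entries the way a plain ">>" would.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}
```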
Log into your server using public key
Congratulations! You can now log in to your server using your public key. If you set a passphrase on the key, you will be asked for it; if no passphrase has been set, you can log in to the “Remote System” without entering a password.
This article has been provided by Codero Hosting.