Security

How to set up ssh key authentication

Out of the box, secure shell is fairly secure. With the help of ssh key authentication, you can lock down secure shell so that only specific machines can log in. Here's how.

linuxsecurityhero.jpg
Image: Jack Wallen

If you're a Linux administrator, you most certainly are using secure shell to gain access to your remote servers. Why? Secure shell is far more trustworthy than many other means of logging into your remote servers. When you attempt to log into a remote server, you will be asked for a username and password. As you transmit that information it is encrypted, so there's no need to worry. However, what if you could add yet another layer of security? This is not only possible, it's actually quite simple.

I want to walk you through the process of setting up ssh key authentication for secure shell and disable password authentication. With this configured, only those with the proper ssh key will be able to log into your servers. I'll be demonstrating on the Ubuntu Server 16.04 platform, but this works on any Linux platform that uses secure shell. I will assume you already have secure shell installed on both a server and at least one client. Last but not least, I will be using the following IP addresses for my example:

  • Client - 192.168.1.198
  • Server - 192.168.1.162

It is also important that the user that will generate the ssh key also have accounts on both machines as well as be a member of the sudoers group on both machines.

Generating the ssh key

The first thing we must do is generate the ssh key on the server. Log into your server and issue the following command (as the user that will log in from the client):

ssh-keygen -t rsa

During the creation of the key, you have the option of creating an associated password or not. The benefit of not configuring a password is that you won't be prompted for it when you go to log into the server. Unless you absolutely have to have password-less authentication for your ssh key, I wouldn't recommend this.

Copying the key to the client

Once that command completes, you need to copy the key from the server to the client. The command to do this is:

 ssh-copy-id -i $HOME/.ssh/id_rsa.pub USER@192.168.1.198


Where USER is the username that will be logging into the server.

Testing the connection

When that finishes, it's time to test the connection. Go back to the client and issue the command:

ssh -v USER@192.168.1.162


Where USER is the username.

If you configured your ssh key without a password, you will immediately be logged into the server. If you setup your ssh key with a password, you'll be prompted for it. Type the ssh key password and you'll be logged in.

Disabling password authentication

If you successfully managed to log in, let's now configure secure shell such that it doesn't allow password authentication. To do this, open up the file /etc/ssh/sshd_config in your favorite editor and add the following line to the bottom of the file:

PasswordAuthentication no


Save and close that file.

Finally, restart ssh with the command:

sudo service ssh restart


Now, if you attempt to log into your server, you will not be able to do so without the added ssh key. Now that you're certain everything works, you can use the ssh-copy-id command (from the server) to each client machine that will need to be able to log into the server.

Enjoy the security

That's all there is to it! You can now only log into your server from machines that include your ssh key. Enjoy the added layer of security, brought to you by secure shell and secure shell authentication keys.

Also see

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox