In this tutorial, I will show how to set up secure public key authentication.
You might need root privileges for certain tasks.
How to do it…
Follow these steps to set up public key authentication:
Add a new user. You can skip this step if you have already created a user:
$ sudo adduser john
Log in as john, change to the home directory, and create the .ssh directory if it doesn't already exist:
$ mkdir .ssh
Create a file named authorized_keys under the .ssh directory:
$ touch .ssh/authorized_keys
Set the permissions on the .ssh directory to 700:
$ chmod 700 .ssh
Set the permissions on the authorized_keys file to 600:
$ chmod 600 .ssh/authorized_keys
Generate a public/private key pair on your local system with the ssh-keygen command.
Copy the generated public key from the .ssh/id_rsa.pub file to the authorized_keys file on the server.
Now, open an ssh connection from the local system to the server with the following command:
$ ssh john@server
If asked for confirmation, type yes and press the Enter key to continue.
How it works…
To enable login on the system using public-key authentication, you should have public and private key pairs.
First, you need to log in on the server using a different SSH-supported authentication method, such as password-based authentication.
You can then generate a key pair with the ssh-keygen command; it creates two files under the .ssh directory in the user's home directory:
id_rsa: This is the private key file
id_rsa.pub: This is the public key file
You can view the contents of the public key file with $ cat .ssh/id_rsa.pub. It should start with something like ssh-rsa AAAA... (without the trailing dots).
We then copy the contents of the public key to the server's authorized_keys file. Ensure that the whole key is on a single line in that file.
Also, ensure that the permissions are properly set on the .ssh directory, and that the authorized_keys file and the directory are owned by the user. The permissions on the .ssh directory (700) limit read, write, and execute access to the owner. Similarly, the authorized_keys file (600) is readable and writable by the owner only. This ensures that no other user can modify the data in the .ssh directory. If these permissions are not properly set, the SSH daemon will raise a warning and, with the default StrictModes setting, ignore the authorized_keys file.
How SSH authentication works
When the SSH client initiates a connection with the server, the server sends its host public key to the client. If the client is connecting to the server for the first time, it shows a warning and asks the user to confirm that the server key should be stored in the known_hosts file under the .ssh directory. After receiving the identity, the client authenticates the server to ensure that it is really the intended server.
After server authentication, the server sends a list of possible authentication methods. The client selects an authentication method and sends its selection to the server. After receiving the authentication method, the server sends a challenge string encrypted with the client's private key. The client has to decrypt this string and send it back to the server along with the previously shared session key. If the response from the client matches the response generated by the server, client authentication succeeds.
You might be looking for a safer way to install the key on the server. Here's one!
If your local system has the ssh-copy-id tool installed, you can add your public key to the server's authorized_keys file with a single command:
$ ssh-copy-id john@serverdomain
After you provide the password, your local public key will be added to the authorized_keys file under the .ssh directory of the user john.
Troubleshooting SSH connections
- Check that the SSH daemon is running, which port it is using, and whether there are any port conflicts
- Check whether the firewall configuration allows SSH ports
- Check the list of authentication methods that are enabled
- Check permissions for your private keys on your local system
- Check the authorized_keys file on the server for your public key
- Check for any entry with the old address of the server in known_hosts on the local system
Additionally, you can use the verbose flag (-vvv) with the ssh command to get details of every step taken by the SSH client. Also, check the SSH daemon logs on the server.
SSH tools for the Windows platform
putty.exe: This is the SSH client on Windows
puttygen.exe: This tool generates public or private keys
pscp.exe: This is the SCP client for secure file transfer
When using a public key generated by the puttygen.exe tool, make sure that you convert the key to the OpenSSH key format: remove all comments and prepend ssh-rsa. Additionally, the entire key must be on a single line.
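As an added example that is not part of the original tutorial, the following POSIX shell script does two of the things described above: it turns a public key saved by puttygen.exe (the multi-line layout with a "---- BEGIN SSH2 PUBLIC KEY ----" header and a Comment: line) into the one-line OpenSSH form, and it checks that the .ssh directory and authorized_keys file carry the 700/600 modes and the ownership that sshd's StrictModes check expects, with every entry on a single "type base64 comment" line. The function names are assumptions and the key material used for testing is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial). Function names are assumptions.

# Turn a puttygen.exe public key (multi-line: header line, "Comment:" line,
# wrapped base64, footer line) into the one-line OpenSSH form.
# Reads the PuTTY file on stdin; assumes an RSA key, hence the ssh-rsa prefix.
putty_to_openssh() {
    # keep only the lines made purely of base64 characters, then join them
    key=$(grep '^[A-Za-z0-9+/=]\{1,\}$' | tr -d '\n')
    [ -n "$key" ] || return 1
    printf 'ssh-rsa %s\n' "$key"
}

# Check what the tutorial (and sshd's StrictModes check) requires: .ssh mode
# 700 and authorized_keys mode 600, both owned by the current user, and every
# non-comment entry a single "<type> <base64> [comment]" line.
# Plain entries only: option-prefixed entries (from=, command=) are outside
# this check and are reported as an unknown key type.
check_ssh_dir() {
    dir=$1
    owner=$(id -un)
    [ -n "$(find "$dir" -maxdepth 0 -type d -perm 700 -user "$owner")" ] ||
        { echo "$dir: expected mode 700 owned by $owner" >&2; return 1; }
    [ -n "$(find "$dir/authorized_keys" -maxdepth 0 -type f -perm 600 -user "$owner")" ] ||
        { echo "$dir/authorized_keys: expected mode 600 owned by $owner" >&2; return 1; }
    n=0
    # "|| [ -n "$line" ]" also handles a last line without a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -f                  # no globbing while the line is word-split
        set -- $line
        set +f
        case "$1" in
            ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) echo "line $n: unknown key type '$1'" >&2; return 1 ;;
        esac
        # the base64 blob encodes the key type name first, so it always begins AAAA
        case "$2" in
            AAAA*) ;;
            *) echo "line $n: key data is not a single base64 blob" >&2; return 1 ;;
        esac
    done < "$dir/authorized_keys"
    return 0
}
```

Pipe the puttygen file through putty_to_openssh before appending it to authorized_keys, then run check_ssh_dir on the .ssh directory; a non-zero exit with a message on stderr identifies the mode, ownership, or line that sshd will not accept.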