Public Key Authentication is a secure logging method using SSH. Instead of a password, the procedure uses a cryptographic key pair for validation. Although using a strong password helps prevent brute force attacks, public key authentication provides cryptographic strength and automated passwordless logins.
This guide gives step-by-step instructions on how to implement public key authentication from scratch.
- Command line/terminal access with administrator privileges.
- SSH enabled. Follow our guides to turn on SSH on Linux: Ubuntu 18.04, Debian 9 or 10.
- A local and remote server.
Using SSH Key for authentication
The SSH public key authentication has four steps:
1. Generate a private and public key, known as the key pair. The private key stays on the local machine.
2. Add the corresponding public key to the server.
3. The server stores and marks the public key as approved.
4. The server allows access to anyone who proves the ownership of the corresponding private key.
The model assumes the private key is secured. Adding a passphrase to encrypt the private key adds a layer of security good enough for most user-based cases. For automation purposes, key management software and practices apply since the private key stays unprotected otherwise.
Generating SSH Key Pair
Generate the SSH key pair on the local server using OpenSSH. The basic instructions for Linux, macOS, and Windows are outlined below.
Linux and macOS
1. Open the terminal (CTRL+ALT+T).
2. Check for existing keys with:
ls -l ~/.ssh/id*
If there are keys already, the output shows the directory contents:
Generating new keys overwrites the current ones by default. However, stating a new name for the keys saves them to different files.
If there are no existing keys, the output indicates the folder does not exist:
3. Create the directory using the mkdir command for storing the new key pair:
4. Change the permissions to 700:
chmod 700 ~/.ssh
5. The following command starts the key generator:
The output prints out a message, indicating the command ran successfully. Next, the program asks where to save the file:
The default directory and file for key storage is /home/<username>/.ssh/id_rsa. If you have existing keys you want to keep, enter a new file name. Otherwise, press Enter to save in the default location. If any keys already exist in this location, the program overwrites the data.
6. Finally, enter a passphrase to secure the key. Press Enter and confirm the passphrase once more when requested. The password is required any time you use the key for authentication.
7. Lastly, the program prints out information about where the keys are stored. Additionally, a digital and a graphic representation print to the console too.
8. Confirm the keys are in the directory by checking the contents:
ls -l ~/.ssh/
The directory now contains two files:
- id_rsa is the private key.
- id_rsa.pub is the public key.
1. Use the Windows search box to find cmd and open the Command Prompt window.
2. In the prompt, type:
The command starts the program for generating the key pair.
Note: Command not working? Don't worry. There are other ways to generate the keys. Try following our detailed tutorial for generating an SSH key pair on Windows 10.
3. If you set up a specific location for the keys, type in the path now. Otherwise, press Enter to save the keys in the default path.
If keys exist in this location, the output asks to confirm the overwrite. Type Y to confirm and press Enter to continue the setup.
4. Enter the passphrase to encrypt the private key. Re-enter the same passphrase and press Enter to finish generating the key pair.
Configuring one or multiple SSH/SFTP Users for Your Key
After generating a key pair, the next step is to configure the server machine for SSH and SFTP users for the key.
1. On the server machine, check if the ~/.ssh folder exists:
ls -l ~/.ssh/
If the directory is non-existent, create the folder:
Next, change the permissions with:
chmod 700 ~/.ssh
2. Create a file called authorized_keys in the ~/.ssh directory:
Change the permissions:
chmod 600 ~/.ssh/authorized_keys
3. Next, open the authorized_keys file using a text editor. Copy the public key contents into the authorized_keys file. For multiple users and keys, copy each new key onto a new line. Save the file and close.
In Linux, use this command to copy the key automatically:
The output shows the number of keys automatically copied to the server along with further instructions.
For transferring files via SSH, multiple solutions exist:
After generating and copying the keys, log into your server from the local machine using the following command:
Note: If you do not specify a username, SSH uses the currently logged in user.
The command brings up a prompt for entering the private key password:
Lastly, enter the password to unlock the key:
Once verified, the command logs you into the server via SSH.
Why should you use Public Key Authentication with SSH?
Public key authentication is a safer and recommended way to connect with SSH instead of a regular password login.
Some benefits are:
- The SSH key pair is harder to hack. Since most SSH keys are at least 1024 bits long, which is equivalent to a password with 12 characters, the connection is secure. To improve security even further, increase the number of bits when generating the keys.
- The contents of the keys are generated using a computer algorithm, making them harder to predict.
- Only the machine where the private key resides has access.
- Public key authentication never shows the contents of the private key to the server. In case of server compromise, the local machine stays safe.
- An added password to the private key adds multi-factor authentication.
At the end of this tutorial, you should have set up public key authentication for SSH. Whether you're accessing a remote server via SSH or using SFTP to transfer files between two locations, the key pair provides additional security.
For further details about SSH, read about the 5 Linux SSH Security Best Practices to Secure Your Systems.