How to Setup SSH Key Authentication on Linux Servers

SSH (Secure Shell) is the go-to protocol for secure remote access and file transfers over a network. SSH key authentication offers a more secure way to log in to your Linux server compared to using a password. This guide will walk you through the steps needed to set up SSH key authentication on a Linux server to help you improve your security posture.

Prerequisites

  • A Linux server with SSH service installed
  • A local machine running Linux, macOS, or Windows
  • Basic Linux command-line knowledge

Step 1: Generate SSH Key Pair

Firstly, you need to generate an SSH key pair on your local machine.

For Linux and macOS:

Open a terminal and run:
ssh-keygen -t rsa -b 2048
When asked where to save the generated key, you can press Enter to save it to the default directory (~/.ssh/).

For Windows:

You can use utilities like PuTTYgen to generate an SSH key pair. You can open PuTTYgen by searching for it in the Start menu.

Once you have opened PuTTYgen, you can generate SSH keys by following these steps:

  1. Click the “Generate” button.
  2. Move your mouse around the blank area to generate randomness.
  3. Once the key has been generated, you can enter a passphrase to protect your key. This is optional, but recommended.
  4. Click the “Save public key” button to save your public key. This is the key you will add to your server.
  5. Click the “Save private key” button to save your private key. This is the key you will use to connect to your server.

Step 2: Copy Public Key to the Server

Next, copy the public key to your server.

Option 1: Using ssh-copy-id (Linux & macOS)

Open the terminal and run the following command:

ssh-copy-id username@server_ip_address

Option 2: Manual Method

If ssh-copy-id is not available, such when you’re on a Windows computer, you can manually copy the public key.

Go to where you saved your SSH key on your system. For Linux and macOS, this is typically in ~/.ssh/ and for Windows, this will be wherever you specified. Find the file name that ends in .pub and open it in a text editor. Copy all the text in this file.

Now you will have to go to your server and run the following command:

mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys

Now open the authorized_keys file using a text editor on the server – it can be nano or vim, whichever your preference is.

Paste your key into the file and save it. Exit your text editor.

Step 3: Modify SSH Configuration

Now you will want to modify your server’s SSH configuration to only allow Public Key Authentication and disable password authentication. This will make it impossible for bots and attackers to try and brute force your server over SSH.

Open the configuration file in a text editor as root or use sudo:

nano /etc/ssh/sshd_config

Look for the following lines and make sure they are set as follows:

PubkeyAuthentication yes
PasswordAuthentication no

Save the file and exit the text editor.

Step 4: Restart the SSH Service

Finally, restart the SSH service to apply the changes.

systemctl restart sshd

Step 5: Test the SSH Key Login

From your local machine, try to SSH into your server:

ssh username@server_ip_address

If you’re on Windows, you will need to load your private key into Pagent if you’re using Putty and then you can use Putty like normal to SSH into your server.

If setup correctly, you will be logged in without being asked for a password.

Troubleshooting Tips

Permission Issues. Make sure that your .ssh directory and authorized_keys file have the correct permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Debugging. Use verbose mode to debug SSH connection issues:

ssh -v username@server_ip_address

Conclusion

SSH key authentication is a robust security measure for your Linux server. This guide should help you set up SSH key-based authentication, making your remote connections more secure. Remember, good security uses layers so you should also make sure you secure your private key, use a non-standard port for SSH, and even disallow the root user from being able to SSH completely.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.