How To Configure Key-Based Authentication for SSH

SSH keys can be used to increase the level of security for a user remotely authenticating to a Linux server through SSH. SSH keys are typically preferable in terms of security when compared to passwords as they are far less vulnerable to brute force attack, there is simply a lot more entropy in a key than password.

Here we are going to cover how to configure and use key-based authentication for SSH in Linux. Our test server in this example is running CentOS 7.

SSH keys are based upon public-key cryptography, whereby you will generate a key pair which includes a public key and a private key. The public key is stored on the destination server that you wish to access and will allow only the corresponding private key access.

It is therefore extremely important that you protect your private key, if an attacker is able to access this key then they will be able to log in as your user. Best practices dictate that your private key be encrypted with a passphrase which can be configured when you create the key pair. It’s also important that the private key file be readable and writable only by the user that owns the key, this would be permissions 0600 and is set as default on creation.

To create the key pair run the ‘ssh-keygen’ command as the user that you want to generate the key pair for, for instance as the root user you can generate a key for bob by first changing to bob with ‘su bob’ then running ‘ssh-keygen’ as below. The -t flag specifies the type of key to create, here we are using rsa version 2.

[[email protected] ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bob/.ssh/id_rsa):
Created directory '/home/bob/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bob/.ssh/id_rsa.
Your public key has been saved in /home/bob/.ssh/id_rsa.pub.
The key fingerprint is:
8e:dc:08:bb:8d:0e:12:04:22:ae:5e:f5:0a:21:3e:b0 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|+                |
|=                |
|.+ . .           |
|=.. o .          |
|Eo o.  .S        |
|..o .+.=         |
|... ..+ o        |
| . . +           |
|   .+ .          |
+-----------------+

[[email protected] ~]$ ls -la /home/bob/.ssh/
-rw-------. 1 bob bob 1766 Aug 19 16:41 id_rsa
-rw-r--r--. 1 bob bob  398 Aug 19 16:41 id_rsa.pub

In the above example we created the id_rsa private key file and corresponding id_rsa.pub public key file.

Next upload the public key to the remote server that you wish to access, this can be done manually or with the ssh-copy-id command as shown below. Note that the ssh-copy-id command will require that the account you are uploading the public key for already have SSH access to the destination server.

[[email protected] .ssh]$ ssh-copy-id [email protected]
The authenticity of host '1.2.3.4' can't be established.
ECDSA key fingerprint is 97:b6:fc:11:49:20:3c:10:ac:16:49:46:e5:56:03:30.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh [email protected]'"
and check to make sure that only the key(s) you wanted were added.

This will place the id_rsa.pub public key file on the destination server, in this case on ‘1.2.3.4’ within the ~/.ssh/authorized_keys file, you can then SSH to the destination by simply running ‘ssh [email protected]’ and you should be prompted for the passphrase for your private key if you have set one. If the user you have created the public key for does not have SSH access to the destination server, another user will need to place it within the desired users home directory within the ~/.ssh/authorized_keys file, ssh-copy-id is simply a script that does this over SSH for us.

Once an account has been set up to make use of SSH keys rather than a password you can optionally disable password authentication through /etc/ssh/sshd_config to increase security as shown below.

PasswordAuthentication no
PubkeyAuthentication yes

To apply these changes ensure the sshd service is restarted.

systemctl restart sshd

Summary

We have generated a new key pair with the ‘ssh-keygen’ command and uploaded the public key to the destination server with the ‘ssh-copy-id’ command. The user that created this key will now be able to SSH to the destination server without a password, however they will still be prompted to enter the passphrase for the private key if one has been set.

For further Linux security tips, see our 23 Hardening Tips To Secure Your Linux Server guide.


This post is part of our Red Hat Certified Engineer (RHCE) exam study guide series. For more RHCE related posts and information check out our full RHCE study guide.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>