SSH is the most widely used protocol to connect to a remote server and perform shell-based operations.
There are a lot of different ways to authenticate with SSH. The most common one is by using a password associated to a UNIX account on the remote server.
Another interesting technique is using a private/public keypair. It has some interesting benefits, the most interesting one being that it allows to log on the server without having to type a password. When you connect to lots of various systems on a daily basis, it makes for a pretty good speedup!
This tutorial will show you how to setup a public key-based authentication on a Linux-based server running OpenSSH.
Configuring the server
Most Linux distributions ship with an OpenSSH configuration that enables public key authentication. You can check using the following command:
root@srv# grep PubkeyAuthentication /etc/ssh/sshd_config PubkeyAuthentication yes
If the above command shows no you will need to edit the file to change the directive to yes. The next step is to check the path where sshd expects to find the list of public keys that a specific user will allow to be used.
root@srv# grep AuthorizedKeysFile /etc/ssh/sshd_config #AuthorizedKeysFile %h/.ssh/authorized_keys
In this case, the line is commented out but shows the default value, which is an “authorized_keys” file located in the “.ssh” directory of the user being authenticated.
If you had to edit the configuration file, you will need to reload the OpenSSH service. On Debian, the command is sudo service ssh restart.
Generating the keypair
We will go through the steps required to generate a keypair. A keypair, as its name stands, is a set of two keys: one is public and act as a lock, that can be unlocked only with the private key. Obviously, the private key is to be kept secret. The public key, however, can be publicly exposed, as its name suggest.
On a UNIX system
On UNIX systems, you can generate a keypair using the ssh-keygen command.
user@client$ ssh-keygen -t rsa -b 2048 Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: SHA256:cDdknmLaNIM123aljewdSwUVIZ1L58OjJoLHI05nw user@client The key's randomart image is: +---[RSA 2048]----+ | + . +==OX*.o.| | =.l+Xo=.+ | | + J @.E o o| | B B + . z | | . X | | @ | | . | | | | | +----[SHA256]-----+
We suggest that you use a non-empty passphrase to protect your private key from being used in case it gets compromised.
The command generated two files in the .ssh subdirectory in your home directory:
- id_rsa, which is your private key;
- id_rsa.pub, which in the public key.
Your private key is what your ssh client will use to authenticate against the server. For this to work, you will need to install your public key in your account on the server.
If you used the default path suggested by ssh-keygen, the ssh client will automatically use the key. Otherwise, you will need to use the -i switch when calling ssh to specitify the path to your private key.
On a Windows system
On Windows, you will need a tool like PuTTYgen to generate keys.
Below is a quick walkthrough to generate a key pair:
You can now copy the public key shown in the text box to the clipboard.
Save your key somewhere secure on your filesystem. You will need to make PuTTY point to this file later in order to authenticate.
Installing the public key on the remote server
Log onto the server using your password in order to get a shell. Then, create the .ssh directory if it doesn’t already exist.
You can now append your public key to the .ssh/authorized_keys file using this command:
user@client$ cat >> .ssh/authorized_keys << EOF > ssh-rsa AAAAC30cjdlAAEAAAAA09dFLw0f/Vjqw92ovjCLiw08f [...] DjfcajoW== user@client > EOF
From a UNIX system
Just connect as you usually do using ssh. If you stored your private key in a non-default location, remember you will need to use the -i switch to specify its path to the SSH client.
If you used a passphrase to protect your private key, you will be asked to enter it in order to unlock it.
You should then be logged in.
From a Windows system
In PuTTY, you will need to edit your session to specify the .ppk file generated by PuTTYgen. This is done in the Connection > SSH > Auth section, in the Private key file for authentication parameter. Click Browse… and point to the PPK file containing your private key.
Authenticating using a key pair is more secure than just using a password. The mechanism can be further secured if you use a passphrase to protect your private key, and even more if you then disable password authentication to allow only public key authentication.
In a future tutorial, we’ll cover how to make the use of keys easier by loading them in an agent that would allow you to avoid having to type your passphrase each time you need to use the key.