How to set up SSH Public-key Authentication to Connect to a Remote Server - SnapShooter Tutorials



Introduction

SSH is a free, open-source, and secure protocol used for managing remote servers via a command-line interface. It is often used by system administrators to connect to and manage remote Linux servers. There are two ways to authenticate to a remote SSH server: password-based authentication and key-based authentication.

Public Key Authentication is a secure method to log in to a remote server without providing a password. This method uses a cryptographic key pair for validation. It helps you to prevent brute force attacks. In this method, only a user who holds the private key matching a public key installed on the server is able to connect.

SSH key pairs are stored in plain-text files and consist of two parts:

  • Private Key - The private key is created with the name id_rsa and stored on your local system.

  • Public Key - The Public key is created with the name id_rsa.pub. You will need to copy this key to the remote server you intend to log in to.

In this post, we will show you how to set up public-key authentication to connect to a remote Linux server.

Requirements

  • A server running Ubuntu 20.04 operating system.

  • A root password is set up on your server.

Generate an SSH Key Pair

In order to configure SSH key authentication, you will need to generate an SSH key pair on your local system. You can generate a key pair using the RSA algorithm.

```
ssh-keygen -t rsa
```

You will be asked to supply a filename and location of the file as shown below:

```
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
```

Leave the default and press Enter. You will be asked to provide a passphrase to protect your private key file:

```
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```

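Just press Enter to generate a key pair. Note that an empty passphrase stores the private key unencrypted on disk, so anyone who can read the file can use it; type a passphrase at this prompt if you want the key encrypted. The output looks like this: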

```
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b2:fb:b5:16:99:02:ca:00:d1:f1:6b:99:81:ab:74:83 root@newpc
The key's randomart image is:
+--[ RSA 2048]----+
|.o..             |
|. .o             |
| .. o            |
| o. =.           |
| E.==...S o      |
|....+ o. +       |
|. . ...          |
| . ...           |
| .....           |
+-----------------+
```

You can check the generated keys using the following command:

```
ls -l ~/.ssh/
```

You should see both keys in the following output:

```
-rw------- 1 root root 1675 Sep 18 12:30 id_rsa
-rw-r--r-- 1 root root  392 Sep 18 12:30 id_rsa.pub
-rw-r--r-- 1 root root 3108 Aug 25 16:59 known_hosts
```

Copy a Public Key to a Remote Server

There are several ways to copy a public key to the remote server. Here, we will show you two methods to copy a public key to the remote server.

Copy a Public Key Using ssh-copy-id

The simplest way to copy your public key to the remote server is to use the ssh-copy-id utility.

Run the following command to copy your public key to the remote server:

```
ssh-copy-id root@remote_host
```

You will be asked to provide the password for the remote server as shown below:

```
The authenticity of host 'remote_host (remote_host)' can't be established.
ECDSA key fingerprint is 47:86:4c:84:08:42:cb:2e:bb:99:d4:ae:22:59:3a:b5.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@remote_host's password:
```

Provide your root password and hit Enter. You should get the following output:

```
Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@remote_host'"
and check to make sure that only the key(s) you wanted were added.
```

Copy a Public Key Using SSH

You can also use the SSH command to copy your public key to the remote server.

Run the following command to copy your public key to the remote server:

```
cat ~/.ssh/id_rsa.pub | ssh root@remote_server "cat >> ~/.ssh/authorized_keys"
```
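The append above assumes ~/.ssh already exists on the server with permissions sshd accepts, and running it twice leaves a duplicate line. The following is an added example, not part of the original tutorial: a shell function with the hypothetical name install_pubkey that performs the same server-side step but creates the directory, sets 700/600 modes, refuses a private key passed by mistake, and skips a key that is already installed. The demo key and paths are constructed.

```shell
#!/bin/sh
# Added example; install_pubkey is a hypothetical helper, not part of OpenSSH.
# Usage: install_pubkey <public-key-file> <ssh-dir>
install_pubkey() {
    pub_file=$1 ssh_dir=$2
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pub_file" ] || { echo "cannot read $pub_file" >&2; return 2; }
    # Catch the common slip of passing id_rsa instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$pub_file"; then
        echo "refusing: $pub_file is a private key" >&2; return 2
    fi
    # A public key file is one line: "<type> <base64-blob> [comment]".
    [ "$(grep -c . "$pub_file")" -eq 1 ] || { echo "expected one key line" >&2; return 2; }
    key_line=$(grep . "$pub_file")
    blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    [ -n "$blob" ] || { echo "no key blob found" >&2; return 2; }

    # sshd (StrictModes) rejects keys kept in group- or world-writable paths.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Match on the blob so a different comment or options prefix is not a new key.
    if grep -qF -- "$blob" "$auth_file"; then
        echo "key already present"; return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key added"
}

# Constructed demo: a temp directory stands in for the server account's home,
# and the key blob is a made-up placeholder, not a real key.
demo_home=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleonly root@newpc' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home/.ssh"   # prints: key added
install_pubkey "$demo_home/id_rsa.pub" "$demo_home/.ssh"   # prints: key already present
```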

Verify SSH Key-based Authentication

At this point, SSH key-based authentication is configured between your local system and remote server. You can now verify it using the following command:

```
ssh root@remote_host
```

If everything is fine, you can log in to the remote server without providing any password:

```
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-29-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

Last login: Sat Sep 18 05:56:08 2021 from 106.222.22.32
root@ubuntu2004:~#
```

Disable Password Authentication on Remote Server

At this point, you have successfully configured SSH key-based authentication. However, password-based authentication is still enabled on the remote server, so it is a good idea to disable it.

You can disable password authentication on the remote server by editing the /etc/ssh/sshd_config file:

```
nano /etc/ssh/sshd_config
```

Change the following line so that it reads:

```
PasswordAuthentication no
```

Save and close the file, then restart the SSH service to apply the changes:

```
systemctl restart ssh
```
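sshd keeps the first value it reads for each keyword, so if sshd_config pulls in drop-in files with an Include line before the PasswordAuthentication line you edited, a drop-in can leave passwords enabled. The following is an added example, not part of the original tutorial: two hypothetical shell helpers that walk a config in read order and report the effective global value, run here against a constructed config in a temp directory.

```shell
#!/bin/sh
# Added example; expand_config and effective_password_auth are hypothetical helpers.

# Print the lines of config file $1 in the order sshd reads them, expanding
# Include. Relative Include patterns resolve against $2 (sshd uses /etc/ssh).
# Simplification: reading of a file stops at its first Match line, because what
# follows is conditional (a later "Match all" is not handled).
expand_config() (
    cfg=$1 base=$2
    while read -r kw args || [ -n "$kw" ]; do
        case $(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]') in
            match) break ;;
            include)
                set -f; set -- $args; set +f        # split words, no globbing yet
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for f in $pat; do               # glob expands here, sorted
                        if [ -f "$f" ]; then expand_config "$f" "$base"; fi
                    done
                done ;;
            *) printf '%s %s\n' "$kw" "$args" ;;
        esac
    done < "$cfg"
)

# First value read wins; sshd's default when the keyword is unset is "yes".
effective_password_auth() {
    expand_config "$1" "${2:-/etc/ssh}" | awk '
        tolower($1) == "passwordauthentication" { v = tolower($2); exit }
        END { print (v == "" ? "yes" : v) }'
}

# Constructed demo: a drop-in read before the edited line keeps passwords on.
demo_cfg=$(mktemp -d)
mkdir "$demo_cfg/sshd_config.d"
printf 'Include sshd_config.d/*.conf\nPasswordAuthentication no\n' > "$demo_cfg/sshd_config"
printf 'PasswordAuthentication yes\n' > "$demo_cfg/sshd_config.d/50-example.conf"
effective_password_auth "$demo_cfg/sshd_config" "$demo_cfg"   # prints: yes
```

On the server itself, running `sshd -T` as root prints the configuration the daemon actually computes, including the passwordauthentication line, and is the authoritative check after the restart.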

Conclusion

Congratulations! You have successfully configured SSH key-based authentication between your local system and the remote Linux server. You can now log in to the remote server without providing a root account password.