Why the Keys?
SSH access using public key authentication is one of the most commonly used as well as secure method for automated and interactive connections to your Linux server. Public key authentication provides a very strong cryptographic strength compared to the security strength of any strong password string. SSH authentication over keys can can be configured to complete the process over the keys without the need of a password and hence it is considered as more easy, secure and fast with proper setup. Public key authentication works based on a set of keys specific for each user, called a public key-private key pair. The public key generated from the SSH client machine is copied to the authorized_keys file of the SSH server and that makes SSH server to consider the key as trusted. The transferred data from the server to client will be encrypted with this public key which can only be decrypted by the client holding the paired private key to confirm the authentication and further key exchanges between client and server for further communication.
How to setup SSH Key based Authentication
Our aim is to generate the public-private key pairs, store the private key in .ssh directory inside the user’s home directory and transfer the public key to the server side authorized_keys file.
Create the key directory.
Login to the SSH client machine from where you are trying to setup SSH authentication to server.
mkdir -p ~/.ssh
Secure .ssh directory for restricted access only for the SSH user.
chmod 700 ~/.ssh
Generate the key pairs.
ssh-keygen -t rsa
Follow the on screen messages to interactively create the keys, input a password (optional) to secure the private keys, this will be asked during SSH session if you set a password for private key access.
Copy the public key to the authorized_keys in server.
You can either copy the txt from file ~/.ssh/id-rsa.pub and paste it to the ~/.ssh/authorized_keys file in server. Or you can use the ssh-copy-id utility in the below format for the key transfer.
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server
-i flag is used to input the identity file or public key. Enter the user password when prompted.
Disable password authentication and enable publik_key authentication.
Login to the server as root use, open the file /etc/sshd/sshd.config with any text editor and make sure to change the the directives as shown below.
PubkeyAuthentication yes PasswordAuthentication no
Make sure to enable SSH root login if you are configuring the SSH keys for the root user access.
Restart SSH Service in Server and try the SSH connection from client, use the -vv flag with SSH command if you encounter any connection issues.
ssh -vv email@example.com
Make sure to keep the private keys safe. Directory ownership and permissions should be for that user chmod 600 ~/.ssh/id_rsa
You can use same key pair to setup authentication in more than one client-server setup which require the same private-public keys to be placed in their respective locations.