How To Setup SSH Key Pair Authentication

SSH keys are the preferred secure method of logging into a Linux server. Over the years, brute-forcing passwords has become an easy and likely approach for attackers. Although tools such as fail2ban can help, SSH keys remain the most reliable and secure alternative.

Let's take a look at creating an SSH key pair. You should already have OpenSSH and its suite of tools installed, as the package is typically installed by default. This gives you the programs you need to create your key pair.

You can perform this step on the server itself or on your local machine. In this example we are going to work from the local machine so that we can use ssh-copy-id. Also note that if you keep the default location when generating the key, your SSH client will be able to find your keys automatically.

Note: If you have already generated a key pair previously, you will see a message asking if you want to overwrite. If you overwrite your existing keys you will not be able to recover the previous keys, and you will not be able to authenticate to the machines that used them.

$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/kali/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

By default, keys are stored in ~/.ssh. The private key will be called id_rsa and the public key will be called id_rsa.pub.

When running the above command you will be asked to enter a passphrase. This is optional, but it is used to encrypt the private key file on disk.

Here are the reasons you should still use a passphrase.

- The private SSH key is never exposed on the network and therefore is not vulnerable to network-based brute-forcing. The passphrase is only used to decrypt the key on the local machine.

- The private key is kept in a restricted directory with restricted permissions, with read/write access available only to the owner.

- The key can only be cracked if the attacker already has access to the system and to the root account or the key owner's account. Even then, the passphrase prevents them from immediately being able to log into any other systems that use the same key.

Congratulations, you now have an SSH key pair that can be used to log in to your Linux servers. In the next step we will place the public key on your server so that you can use the key to authenticate during login.

$ ssh-copy-id username@remote_host

...

Are you sure you want to continue connecting (yes/no)? yes

You may see a message like the one above asking if you want to continue. This happens the first time you connect to a remote host: if you have never logged in via SSH to the host you are configuring, that is why you are seeing the message.

The ssh-copy-id tool will scan your local machine for the id_rsa.pub file that we created earlier. Once it is found, you will be prompted for the user password on the remote machine.

After entering the password, the tool will append the public key to the ~/.ssh/authorized_keys file of the user you are logging in as. You will see a message stating the number of keys added.

Let's see if our key is working.

$ ssh username@remote_host

Awesome, looks like our key is working. The last step is to disable password authentication in our OpenSSH server.

$ sudo vim /etc/ssh/sshd_config

Once the file is open, type /PasswordAuth to jump to the PasswordAuthentication directive and set it to no. Once it is set to "no", press ESC and type :wq to write the file and exit.

$ sudo systemctl restart ssh

All done! You have now created an SSH key pair and configured your Linux server to only allow authentication via your private key. DO NOT LOSE YOUR KEY!
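As an added example (not part of the original post), the following POSIX shell helpers make the sshd_config change from the step above repeatable instead of editing by hand, and check the key permissions the article relies on. They assume GNU sed and stat (Linux), treat sshd's first-match-wins rule for directives, and do not handle Match blocks or files pulled in via Include (such as /etc/ssh/sshd_config.d/*.conf), which can still re-enable passwords.

```shell
#!/bin/sh
# Hypothetical helper (added example): force "PasswordAuthentication no" in an
# sshd_config-style file. Handles the commented default (#PasswordAuthentication yes),
# an existing explicit setting, or a missing directive. Usage: set_password_auth_no FILE
set_password_auth_no() {
    file="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$file"; then
        # Rewrite every commented-out or active occurrence with the hardened value,
        # so no earlier "yes" line can win under sshd's first-occurrence rule.
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$file"
    else
        # Directive absent: sshd's built-in default is "yes", so add it explicitly.
        printf 'PasswordAuthentication no\n' >> "$file"
    fi
}

# Returns 0 when the effective (first uncommented) value is "no", 1 otherwise.
# Commented lines are ignored; case-sensitive match, which covers the stock file.
password_auth_is_disabled() {
    val=$(grep -E '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" | head -n1 | awk '{print $2}')
    [ "$val" = "no" ]
}

# Returns 0 when the .ssh directory is 700 and the private key is 600, as the
# article expects for a key that only its owner can read.
key_perms_ok() {
    dir="$1"; key="$2"
    [ "$(stat -c %a "$dir")" = "700" ] && [ "$(stat -c %a "$key")" = "600" ]
}
```

Run `sudo sshd -t` after changing the real /etc/ssh/sshd_config to catch syntax errors before restarting, and keep your current session open until a key-based login from a second terminal succeeds.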
