SSH Key Authentication

TL;DR

This guide shows you how to securely authenticate users using SSH keys instead of passwords for access to your servers or services. It’s more secure and convenient than typing in a password every time.

1. Generate an SSH Key Pair

You need a key pair: a private key (keep this secret!) and a public key (you share this).

  1. On your local machine, open a terminal or command prompt.
  2. Run the following command to generate a new SSH key pair. Replace [email protected] with your actual email address:
    ssh-keygen -t rsa -b 4096 -C "[email protected]"
  3. You’ll be prompted to enter a file in which to save the key (usually just press Enter to accept the default: ~/.ssh/id_rsa).
  4. You’ll then be asked for a passphrase. This adds an extra layer of security; it’s highly recommended, but optional. If you set one, remember it!

This creates two files in your ~/.ssh/ directory:

  • id_rsa: Your private key – never share this file.
  • id_rsa.pub: Your public key – this is what you’ll copy to the server.

2. Copy the Public Key to the Server

There are several ways to do this. We’ll cover two common methods.

Method 1: Using ssh-copy-id (Recommended)

  1. If you have ssh-copy-id installed on your local machine, use the following command. Replace user@server_ip_address with your server’s username and IP address:
    ssh-copy-id user@server_ip_address
  2. You’ll be prompted for the server’s password one last time. This command automatically appends your public key to the ~/.ssh/authorized_keys file on the server.

Method 2: Manual Copying

  1. Display the contents of your public key:
    cat ~/.ssh/id_rsa.pub
  2. Connect to your server using SSH with password authentication:
    ssh user@server_ip_address
  3. Create the .ssh directory if it doesn’t exist:
    mkdir -p ~/.ssh
  4. Edit the authorized_keys file using a text editor (e.g., nano, vim):
    nano ~/.ssh/authorized_keys
  5. Paste your public key into the authorized_keys file on a new line. Save and close the file. Keep the permissions tight: with its default StrictModes setting, sshd refuses to use authorized_keys if the file, the ~/.ssh directory or your home directory is writable by group or others, so check those modes first if key login fails.

3. Test SSH Key Authentication

  1. Disconnect from the server if you’re still connected.
  2. Reconnect to the server using SSH:
    ssh user@server_ip_address
  3. If everything is set up correctly, you should be logged in without being prompted for a password (you might be asked for your passphrase if you set one).

4. Disable Password Authentication (Optional but Recommended)

Once you’ve confirmed SSH key authentication works, it’s a good security practice to disable password authentication.

  1. Connect to your server using SSH with key authentication.
  2. Edit the SSH configuration file:
    sudo nano /etc/ssh/sshd_config
  3. Find the line PasswordAuthentication yes and change it to PasswordAuthentication no. The line may be commented out with a leading #; remove the # so the setting takes effect.
  4. Find the line ChallengeResponseAuthentication yes and change it to ChallengeResponseAuthentication no. On OpenSSH 8.7 and later this option is named KbdInteractiveAuthentication, and the old name is accepted as a deprecated alias.
  5. Save and close the file.
  6. Restart the SSH service:
    sudo systemctl restart sshd

Be very careful when disabling password authentication! Ensure key authentication is working before making this change, or you may lock yourself out of your server. Keep your current SSH session open while you restart the service and confirm a fresh key login from a second terminal, and validate the edited file with sudo sshd -t first, since a syntax error stops sshd from starting. On distributions whose sshd_config begins with an Include for /etc/ssh/sshd_config.d/, also check those drop-in files: sshd uses the first value it reads for each option, so a drop-in that sets PasswordAuthentication yes overrides your edit.

5. Security Considerations

  • Protect Your Private Key: Never share your private key with anyone. Store it securely and consider using a passphrase.
  • Regularly Review Authorized Keys: Check the ~/.ssh/authorized_keys file on your server to ensure only authorized keys are present.
  • Use Strong Key Lengths: 4096-bit RSA keys are generally recommended for good security.
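As an added example (not part of the original guide), a small audit script for the "Regularly Review Authorized Keys" and "Use Strong Key Lengths" points above: it parses each authorized_keys entry, including any leading options such as from= or restrict, computes the same SHA256 fingerprint that ssh-keygen -lf prints so entries can be matched against an inventory of approved keys, and flags RSA keys below 4096 bits and obsolete DSA keys. The sample entries are synthetic blobs constructed in the file with the correct wire layout, not real keys.

```python
import base64, hashlib, struct
RECOMMENDED_RSA_BITS = 4096   # the guide's recommendation for RSA
OBSOLETE_TYPES = {"ssh-dss"}  # DSA is fixed at 1024 bits; current OpenSSH refuses it

def _string(b):               # SSH wire-format string: uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def parse_key(line):
    """Parse one authorized_keys line into a dict; None for blank or comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options such as from="..." or restrict may precede the key type.
    i = next((k for k, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if i is None or len(fields) < i + 2:
        return {"error": "malformed entry"}
    ktype, blob = fields[i], base64.b64decode(fields[i + 1])
    entry = {"type": ktype, "options": " ".join(fields[:i]), "comment": " ".join(fields[i + 2:]),
             # the value ssh-keygen -lf prints: unpadded base64 of SHA-256 over the key blob
             "fingerprint": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")}
    if ktype == "ssh-rsa":    # blob = string("ssh-rsa") | mpint(e) | mpint(n)
        off = 4 + len(ktype)                                   # skip the type string
        off += 4 + struct.unpack(">I", blob[off:off + 4])[0]   # skip e
        entry["bits"] = int.from_bytes(blob[off + 4:], "big").bit_length()  # n is the last string
    return entry

def audit_lines(lines):
    """Return findings (strings) for authorized_keys content; an empty list means clean."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        e = parse_key(line) or {}
        if "error" in e:
            findings.append(f"line {lineno}: {e['error']}")
        elif e.get("type") in OBSOLETE_TYPES:
            findings.append(f"line {lineno}: obsolete key type {e['type']} {e['fingerprint']}")
        elif e.get("type") == "ssh-rsa" and e["bits"] < RECOMMENDED_RSA_BITS:
            findings.append(f"line {lineno}: RSA {e['bits']}-bit key, below {RECOMMENDED_RSA_BITS} {e['fingerprint']}")
    return findings

# Constructed sample: synthetic blobs with the right wire layout, not real key material.
def _blob(ktype, *parts):     # base64 of string(type) followed by the given wire strings
    return base64.b64encode(b"".join(_string(p) for p in (ktype.encode(),) + parts)).decode()
def _rsa(bits):               # e = 65537, n = an arbitrary odd number of the requested size
    return _blob("ssh-rsa", b"\x01\x00\x01", ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
SAMPLE = "\n".join([
    "# keys for the deploy account",
    "ssh-rsa " + _rsa(4096) + " ops@laptop",
    'from="10.0.0.0/8",restrict ssh-rsa ' + _rsa(2048) + " old-ci",
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(32)) + " alice",
    "ssh-dss " + _blob("ssh-dss") + " legacy",
])
```

To audit a real file, pass its lines to audit_lines (for example, with open("/home/user/.ssh/authorized_keys") as f: print(audit_lines(f))); on the sample it reports the 2048-bit RSA key on line 3 and the DSA key on line 5.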