Configuring Key-Based Authentication for SSH: A Comprehensive Guide | Linux (2) #LinuxAdmin

How to Configure SSH Key-Based Authentication for Secure Remote Logins
Secure Shell (SSH) is a widely used protocol for secure remote login, file transfer, and command execution across networks, especially when security is a concern. Traditionally, SSH connections require users to enter a password to authenticate themselves to a remote system. However, a more secure and convenient method is key-based authentication, which uses cryptographic key pairs to authenticate users without the need for passwords.
In this blog post, we will cover the following topics:
Understanding SSH key-based authentication.
Generating SSH key pairs with the ssh-keygen command.
Copying the SSH public key to a remote server with ssh-copy-id.
Testing the SSH connection using key-based authentication.
What is SSH Key-Based Authentication?
In SSH key-based authentication, a pair of cryptographic keys—a public key and a private key—is generated. The public key is placed on the remote server, while the private key is securely stored on your local machine. When you try to log in to the server, your SSH client uses the private key to prove your identity without requiring a password. This setup is more secure than password-based authentication because private keys are never shared across the network, and the risk of brute-force attacks is minimized.
Why Use SSH Key-Based Authentication?
SSH key-based authentication offers several advantages over traditional password authentication:
Stronger Security: SSH keys are more difficult to crack than passwords.
Convenience: Once configured, you can log in without entering a password every time.
Automation: Key-based authentication is essential for automated tasks, such as running scripts or deploying applications without human intervention.
Generating SSH Keys Using ssh-keygen
To configure SSH key-based authentication, you first need to generate a key pair. The ssh-keygen command is the main tool used for generating and managing SSH keys in Linux and other Unix-like operating systems.
Step 1: Generate an SSH Key Pair
Run the following command to generate a new SSH key pair of type RSA with a key bit size of 4096 bits:
ssh-keygen -t rsa -b 4096
Explanation of the command:
-t rsa: Specifies the type of key to generate. RSA is a commonly used key type for SSH.
-b 4096: Defines the number of bits in the key. A higher bit size (4096 bits) makes the key harder to break.
After running the command, you will see prompts to specify the filename and passphrase for the private key:
Enter file in which to save the key (/home/youruser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Press Enter to accept the default location for storing the keys (~/.ssh/id_rsa).
Optionally, enter a passphrase for additional security. If you leave it blank, no passphrase will be set, allowing for easier access, but anyone who obtains the private key file can then use it without knowing anything else.
Once the process is complete, you will have two files in your ~/.ssh/ directory:
id_rsa: Your private key (keep this file secure and never share it).
id_rsa.pub: Your public key (this can be shared with remote servers).
Copying the SSH Public Key to a Remote Server
Once your key pair is generated, the next step is to install the public key on the remote server where you want to authenticate.
Step 2: Copy the Public Key to the Remote Server
To copy your public key to a remote server, you can use the ssh-copy-id command. This command transfers the public key to the remote server and automatically configures the server to allow key-based authentication for your user.
Run the following command, replacing <user> with your remote server username and <server_IP> with the server’s IP address:
ssh-copy-id <user>@<server_IP>
You will be prompted to enter the password for the remote user. Once entered, the public key will be copied and installed on the server. Here’s what the output will look like:
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
<user>@<server_IP>'s password:
Number of key(s) added: 1
The command also checks if your key is already installed, and if not, it adds the new key. The public key will be added to the server’s ~/.ssh/authorized_keys file for the specified user.
Testing the SSH Key-Based Authentication
After copying the public key to the remote server, you can now test the key-based authentication by logging in via SSH. Run the following command to connect to the remote server:
ssh <user>@<server_IP>
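If everything is configured correctly, you should be logged in without being prompted for a password: your client proves possession of the private key, and the server checks that proof against the public key stored in authorized_keys. If you set a passphrase on the key, you will be asked for it locally to unlock the key. You should see something like this: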
Welcome to Ubuntu 24.04 LTS
<user>@<server_IP>:~$
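If the test login still prompts for a password, overly permissive files under ~/.ssh are a common cause. The script below is an added example, not part of the original post: it audits a .ssh directory laid out as in this guide for the permission problems that make OpenSSH ignore keys, and flags private keys that have no passphrase. The names has_any_bit, flag and audit_ssh_dir are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Layout follows the guide:
# id_rsa, id_rsa.pub, authorized_keys. Function names are hypothetical.

# True if path $1 has any of the permission bits $2..$n set.
has_any_bit() {
    p=$1; shift
    for bit in "$@"; do
        [ -n "$(find "$p" -prune -perm "-$bit" 2>/dev/null)" ] && return 0
    done
    return 1
}

# Prints one line per finding and leaves the count in FINDINGS.
flag() { echo "FINDING: $1"; FINDINGS=$((FINDINGS + 1)); }

audit_ssh_dir() {
    dir=$1; FINDINGS=0
    [ -d "$dir" ] || { flag "$dir does not exist"; return 1; }

    # sshd with StrictModes (the default) ignores authorized_keys when it or
    # .ssh is writable by group or others.
    has_any_bit "$dir" 020 002 && flag "$dir is group/world-writable (chmod 700)"
    [ -f "$dir/authorized_keys" ] && has_any_bit "$dir/authorized_keys" 020 002 &&
        flag "authorized_keys is group/world-writable (chmod 600)"

    # Treat any file with a matching .pub beside it as a private key.
    for pub in "$dir"/*.pub; do
        key=${pub%.pub}
        [ -f "$pub" ] && [ -f "$key" ] || continue
        # The ssh client refuses a private key accessible to group or others.
        has_any_bit "$key" 040 020 010 004 002 001 &&
            flag "$key is accessible to group/others (chmod 600)"
        # ssh-keygen -y with an empty passphrase succeeds only on an unencrypted key.
        if command -v ssh-keygen >/dev/null 2>&1 &&
           ssh-keygen -y -P "" -f "$key" </dev/null >/dev/null 2>&1; then
            flag "$key has no passphrase"
        fi
    done
    [ "$FINDINGS" -eq 0 ]
}

# Stand-alone use: sh audit.sh ~/.ssh  (exit status 1 when there are findings)
[ "$#" -eq 0 ] || audit_ssh_dir "$1"
```

Run it against ~/.ssh on the client and against the remote user's ~/.ssh on the server, since the private key check applies to the former and the authorized_keys check to the latter.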
Exiting the SSH Session
To exit the remote session, simply type exit:
exit
Conclusion
SSH key-based authentication is a powerful and secure method for accessing remote systems. By generating an SSH key pair with ssh-keygen and copying the public key to a remote server using ssh-copy-id, you can enable passwordless login and enhance the security of your connections. Whether you’re managing multiple servers or automating tasks, this setup will simplify your workflow while keeping your systems secure.

