Use key-based authentication with SSH

Back in November, I took a quick look at how to set up secure remote login with SSH.

It's really simple to log in with your username/password combination on the remote machine, but sometimes it can be a better idea to use key-based authentication.

Key-based authentication means that instead of proving who you are with the remote account's password, you use a cryptographic key pair. I won't go into all the gory details, but it's all done with industry-standard public/private key cryptography.

This tutorial assumes you're using a Unix-like operating system on both the local and remote machines which both run OpenSSH. First, on your local machine, fire up a terminal and enter the following:

$ ssh-keygen -t rsa

Accept the default for the location by pressing Enter. Now you'll be asked for a passphrase. This provides extra protection - even if someone gets hold of your private key, they won't be able to log in without the passphrase. Likewise, if someone somehow gets your passphrase, it's useless without the private key. It's kind of a dual-lock system.

You can leave it blank, which will mean you won't have to enter anything to log in over SSH, but you will lose the extra protection. It's up to you. I personally choose to leave it on and think of a good, strong password.

Once you've entered and confirmed that, you'll get a message about your key fingerprint.

The final step is to add your public key to the list of keys allowed to log in on the remote machine.

Log in with your username/password as normal. In your home folder, open up the file authorized_keys in the .ssh folder (yep, that's a hidden folder). If the folder or file doesn't exist, just create it.

Paste the contents of the file ~/.ssh/id_rsa.pub on your local machine onto the end of the authorized_keys file on the remote machine and save that file.

Log out and log back in to your remote server. You should be asked for your passphrase if you set one (instead of the password for the remote account). If not, you should dive straight in.
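The remote-side step above, as an added example rather than code from the original post: a POSIX shell function (install_pubkey is a hypothetical name) that appends a copied public key to authorized_keys only once, refuses a private key file, and sets the owner-only permissions that sshd's default StrictModes check expects. It assumes the .pub file has already been copied to the remote machine.

```shell
#!/bin/sh
# Added example; install_pubkey is a hypothetical name, not an OpenSSH tool.
# Usage on the remote machine: sh install_pubkey.sh id_rsa.pub [home_dir]
install_pubkey() {
    pubfile=$1
    target_home=${2:-$HOME}
    ssh_dir=$target_home/.ssh
    auth=$ssh_dir/authorized_keys

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 1; }

    # Only the .pub file is ever copied; stop if handed the private half.
    if grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "refusing: $pubfile looks like a private key" >&2
        return 2
    fi

    # A public key file holds one line: "<type> <base64> [comment]".
    keyline=$(grep -v '^[[:space:]]*$' "$pubfile" | head -n 1)
    case $keyline in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 3 ;;
    esac

    # Create the folder and file if missing, private to the owner.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth" ) || return 4
    # StrictModes (sshd default) ignores keys in files others can write to.
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 4

    # Append only if this exact line is not already listed.
    if grep -qxF -- "$keyline" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    # Make sure the existing file ends in a newline so lines do not merge.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$keyline" >> "$auth"
    echo "key added to $auth"
}

# Run only when a key file is given on the command line.
if [ "$#" -gt 0 ]; then
    install_pubkey "$@"
fi
```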

Easy!

Peter Upfold - http://peter.upfold.org.uk/

Peter Upfold is a technology enthusiast from the UK. Peter’s interest in Linux stems back to 2003, when curiosity got the better of him and he began using SUSE 9.0. Now he runs Linux Mint 9 on the desktop, runs a CentOS-based web server from home for his personal website and dabbles in all sorts of technology things across the Windows, Mac and open source worlds.


Discussion: Use key-based authentication with SSH

  1. # Posted on 06 August 2007 at 08:47 PM

    [...] you read Peter’s tutorial a while back on how to create an SSH key, you probably found it a little annoying that you had to sign in and out of your server multiple [...]



  2. # Posted on 05 January 2008 at 05:07 PM

    [...] Logging in with a password is all well and good, but you can get better security by using a private and public key pair. I’ve covered how to generate your key in a previous tutorial, so read up on that here. [...]



  3. Ken (guest)

    # Posted on 02 June 2010 at 11:07 AM

    After setting this up, I switched users to see if I could log into my remote host and I was able to do it with just the password. Did I do something wrong?



  4. # Posted on 02 June 2010 at 11:10 AM

    Ken,

    You're not doing anything wrong. The setting to enable key-based logins is separate from the setting to disable logins with your password. (If you enable the former but not the latter, you can always log in with either if necessary.)

    If you want to switch to key-only logins and prevent password access attempts, take a look at item 3 of Bullet proof your server: SSH.

    Bear in mind that if you do disable password logins, then lose access to your private key, you're potentially in a difficult situation!


