To manage a Linux server remotely you use the SSH protocol, which gives you a terminal on the server over the network. Most VPS and dedicated servers are delivered with password login enabled. SSH traffic is always encrypted, so the protocol itself is sound, but a password login is only as strong as the password, and any server reachable on port 22 is hit by automated password-guessing (brute force) attempts within hours of going online. You can rate-limit the guessing with a tool such as Fail2Ban, or you can remove the password from the equation with key based authentication. This tutorial covers the latter.
Key based authentication works with a pair of keys. The public key is stored in ~/.ssh/authorized_keys on the server; the private key stays with the user. During login the server does not send anything to be decrypted: in SSH-2 the client proves possession of the private key by signing a message that includes the session identifier, and the server verifies that signature against the public keys listed in ~/.ssh/authorized_keys. If the signature checks out, the user gets a shell. The private key never leaves the client, and guessing a 2048-bit RSA or an Ed25519 key is computationally infeasible, so once password logins are disabled the brute force attempts simply stop working. Treat the private key as you would the root password: anyone who holds it (and its passphrase, if you set one) has exactly the access you have.
In this tutorial we will enable key based authentication on a Linux server. The steps are the same on all major Linux distributions, so they apply to whichever one you run. The key pair is generated on the client machine, never on the server; we cover both Windows and Linux clients. We then copy the public key to the remote Linux server, make the necessary SSH server configuration changes, and finally log in using the private key.
Requirements
To follow this tutorial you need a client machine running Windows or Linux and a remote Linux server on which you have root or sudo access and on which password authentication is still enabled (that is how the public key gets there in the first place). If you are logged in as a non-root user, run sudo -i to switch to root, or prefix the commands below with sudo.
Generating Key Pairs in Linux
On a Linux client machine you need the OpenSSH client installed; it usually already is. If not, install it with the command for your distribution. A non-root account on the client is fine for everything else in this section; sudo is only needed for the package install.
For CentOS/RHEL and Fedora (openssh-clients provides ssh, ssh-copy-id and, through its dependency on openssh, ssh-keygen)
sudo yum -y install openssh-clients
For Ubuntu/Debian
sudo apt-get -y install openssh-client
Once the OpenSSH client is installed, generate a key pair with the following command. Without options it creates an RSA key (2048 bits in the version shown below; current OpenSSH uses 3072). If both client and server are reasonably recent, ssh-keygen -t ed25519 gives a smaller, faster key with no parameters to get wrong; the rest of this tutorial applies unchanged except that the files are then named id_ed25519 and id_ed25519.pub instead of id_rsa and id_rsa.pub.
ssh-keygen
You will be asked where to save the key (press Enter for the default) and for a passphrase. The passphrase encrypts the private key on disk: set one, so that someone who copies the file still cannot log in without it (ssh-agent lets you type it once per session rather than on every connection). Leaving it blank is convenient for unattended scripts, but then whoever obtains the file owns the access. You will see output similar to the following.
[centos@ip-172-31-23-73 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/centos/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/centos/.ssh/id_rsa.
Your public key has been saved in /home/centos/.ssh/id_rsa.pub.
The key fingerprint is:
a6:d6:61:a6:83:0a:ba:8a:ed:bd:6a:d7:4f:cc:ae:75 centos@ip-172-31-23-73
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| |
| S |
| . X . |
|. ..= * E |
|oo.o...= . |
|*+=oo..oo |
+-----------------+
The command saves both files in the .ssh directory under the current user's home directory: the private key in id_rsa and the public key in id_rsa.pub. Next, the public key ~/.ssh/id_rsa.pub must be appended, as one line, to ~/.ssh/authorized_keys on the remote Linux server. Note the spelling: sshd reads authorized_keys (with a z) and silently ignores a file called authorised_keys.
Copying the Public Key to Remote Server
There are a few ways to get the public key into the ~/.ssh/authorized_keys file on the remote server.
Using the ssh-copy-id command
This is the easiest method and, when available, the recommended one. ssh-copy-id ships with the OpenSSH client package on most distributions. Use it as shown below.
ssh-copy-id root@server-IP-addr
In the above command replace root with the user you will log in as (which may well be root) and server-IP-addr with the IP address or hostname of your server.
The first time you connect, ssh reports that the authenticity of the host can't be established and shows the host key fingerprint. Do not simply type yes: compare the fingerprint with the one your provider shows in its console, or with the output of ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server itself (for the ECDSA key shown below). Accepting an unverified fingerprint at the very moment you are about to type your password is exactly what a man-in-the-middle is hoping for. Once it matches, type yes and press Enter; ssh stores the key in ~/.ssh/known_hosts and will warn loudly if it ever changes. Then enter the password of the remote user. ssh-copy-id reads ~/.ssh/id_rsa.pub (or the key given with -i), appends it to the remote ~/.ssh/authorized_keys, and creates the directory and file with the correct permissions if they do not exist. You will see output similar to the following.
[centos@ip-172-31-23-73 ~]$ ssh-copy-id root@83.136.253.213
The authenticity of host '83.136.253.213 (83.136.253.213)' can't be established.
ECDSA key fingerprint is 20:99:0b:b8:65:28:98:db:66:ed:11:1f:14:dd:d1:94.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@83.136.253.213's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@83.136.253.213'"
and check to make sure that only the key(s) you wanted were added.
Copying Your Public Key Using SSH
If ssh-copy-id is not available, a plain ssh command can append the public key to the ~/.ssh/authorized_keys file on the server. Run the following.
cat ~/.ssh/id_rsa.pub | ssh root@server-IP-address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
The pipe sends the output of the first command (the contents of ~/.ssh/id_rsa.pub) as input to the second. ssh logs in as the given user with your password and runs the quoted command on the server: mkdir -p creates ~/.ssh if it does not already exist, and cat >> appends whatever arrives on standard input to ~/.ssh/authorized_keys. Two things ssh-copy-id does that this one-liner does not: it does not set permissions, and it does not check for duplicates. With sshd's default StrictModes setting, authorized_keys is ignored if the file, ~/.ssh or the home directory is writable by group or others, so make sure ~/.ssh is mode 700 and authorized_keys mode 600 on the server; and run the command only once per key, or the same line ends up in the file several times.
You will see output similar to the following.
[centos@ip-172-31-23-73 ~]$ cat ~/.ssh/id_rsa.pub | ssh root@83.136.253.213 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
The authenticity of host '83.136.253.213 (83.136.253.213)' can't be established.
ECDSA key fingerprint is 20:99:0b:b8:65:28:98:db:66:ed:11:1f:14:dd:d1:94.
Are you sure you want to continue connecting (yes/no)? yes
root@83.136.253.213's password:
Manually Copying the Public Key
If neither of the above methods works for you, copy the public key by hand: the contents of ~/.ssh/id_rsa.pub on the client machine go, as a single line, into ~/.ssh/authorized_keys on the remote machine.
Display the contents of id_rsa.pub with the following command.
[centos@ip-172-31-23-73 ~]$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ5eMCCbtfxlR18Uwb4GANpl6i6cpJMQUM2FOu9NFiWFxjTnR32BCwMATfcH/DTfT4uOtDFoBIBb0ZHBaLtH6PAC2nS0ccjl9mhIVUyOchA3EgL1NJEJ1HH9UheIvNbqk6sDv7oRo965T39chaOloP8FFiqf2U3lHCKrmCnkHCWWkXvOn9yEc4ya+2f/pI+xCgUss9OLLJNhWD4RxiBeozJlaUXBg52aZ9FLBo+RUC1AyvjbO5YuYDnyVHVOvSTo4yzCzYfH0UiWW21QmZWSZoe+Hc1a0rAnQMCj/w+SQR4W/jwD5QQ2E78XhUOsVwH6kYzndn1DwZMXB80DHN3l1V centos@ip-172-31-23-73
Now login to your remote Linux machine and create ~/.ssh
directory using the following command. If the directory is already created it will not make any changes.
mkdir -p ~/.ssh
Now use your favourite editor to create or edit ~/.ssh/authorized_keys. This tutorial uses nano; if it is not installed, sudo yum -y install nano (CentOS/RHEL/Fedora) or sudo apt-get install nano (Ubuntu/Debian) adds it.
To create or edit ~/.ssh/authorized_keys with nano, run the following command.
nano ~/.ssh/authorized_keys
Once the editor is open, paste the public key into the file as one line (a key broken across lines is ignored by sshd), then save and close. One key per line; other keys already in the file stay valid.
Apart from the methods above you can also transfer the public key file with scp and append it to authorized_keys on the server. Whichever way you choose, the end result must be the same: the key on one line in ~/.ssh/authorized_keys, the file mode 600, the ~/.ssh directory mode 700.
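The three methods above all end the same way: a line appended to authorized_keys inside a ~/.ssh that sshd will trust. As an added example for this tutorial (not code from OpenSSH or from ssh-copy-id), the shell function below performs that server-side step explicitly. It creates ~/.ssh and authorized_keys with the modes StrictModes requires, rejects anything that is not a single-line OpenSSH public key (an RFC 4716 file, a private key pasted by mistake), and skips a key that is already present even if its trailing comment differs. The second argument (a target home directory) and the key line in the demonstration are assumptions so that the function can be exercised on a scratch directory; on a real server you run it as the target user with just the key file.

```shell
#!/bin/sh
# Added example for this tutorial: explicit server-side installation of a public key.
# Not ssh-copy-id's source. Assumptions: POSIX sh, awk, and a scratch home directory
# passed as the optional second argument (defaults to $HOME).

install_authorized_key() {
    keyfile=$1                      # public key file in OpenSSH format, e.g. ~/.ssh/id_rsa.pub
    home=${2:-$HOME}                # target home directory; defaults to the caller's
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    key=$(head -n 1 "$keyfile") || return 1
    # Accept only "<type> <base64> [comment]" with a known key type. Anything else
    # (a "---- BEGIN SSH2 PUBLIC KEY ----" file, a private key) would be written
    # happily by "cat >>" and then silently fail to authenticate.
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|\
        "ecdsa-sha2-nistp521 "*|"sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) ;;
        *) echo "not an OpenSSH public key line: $keyfile" >&2; return 1 ;;
    esac

    # Create directory and file under umask 077 in a subshell (caller's umask untouched),
    # then pin the modes in case they already existed with looser bits: sshd's default
    # StrictModes ignores authorized_keys when ~/.ssh or the file is group/world writable.
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 1

    # Duplicate check on "<type> <blob>" only; the comment is free text and may differ.
    if awk -v want="$(printf '%s\n' "$key" | awk '{ print $1, $2 }')" \
           '($1 " " $2) == want { found = 1 } END { exit !found }' "$auth"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added"
}

# Demonstration on a scratch directory with a constructed (not real) Ed25519 key line.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBNOTREALxxxxxxxxxxxxxxx centos@ip-172-31-23-73' \
    > "$demo_dir/id_ed25519.pub"
install_authorized_key "$demo_dir/id_ed25519.pub" "$demo_dir"   # prints "added"
install_authorized_key "$demo_dir/id_ed25519.pub" "$demo_dir"   # prints "already present"
ls -ld "$demo_dir/.ssh" "$demo_dir/.ssh/authorized_keys"
```

To use it remotely, run the function in an ssh session on the server as the user who will log in with the key; it is deliberately written for plain sh so it works on a minimal server image.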
Configuring SSH to use Key Based Authentication
Log in to the remote Linux server with the following command (it still accepts passwords at this point, so you cannot lock yourself out yet).
ssh root@server-IP-address
You should be logged in without being asked for the account password. If you set a passphrase on id_rsa you are asked for that instead; it unlocks the key locally and is never sent to the server. Because the key has the default name and location, the SSH client offers it automatically. If the server still prompts for the password, the key was not installed correctly: run the command again with -v to see which keys the client offered and what the server answered, and check the spelling of authorized_keys and the permissions of ~/.ssh and the file on the server before going any further.
It is good practice to update the server before making configuration changes. On CentOS/Fedora/RHEL run yum -y update; on Debian/Ubuntu run apt-get update && apt-get -y upgrade (apt-get upgrade on its own installs from whatever package lists happen to be cached).
The server still accepts passwords, so the brute force attempts still have a target. Before turning passwords off, keep your current session open and confirm from a second terminal that the key login works; once PasswordAuthentication is off, a mistake locks you out unless you have console access through your provider. Then edit the SSH server configuration file /etc/ssh/sshd_config (the daemon's file, sshd_config, not the client's ssh_config). Run the following to open it in nano, or use any editor you prefer.
sudo nano /etc/ssh/sshd_config
Scroll down and find the following lines.
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
Change PasswordAuthentication from yes to no. Also set ChallengeResponseAuthentication no (on OpenSSH 8.7 and later the directive is called KbdInteractiveAuthentication); with it left on, PAM can still present a password prompt through keyboard-interactive authentication even though PasswordAuthentication is off. sshd uses the first value it sees for a directive, so make sure no earlier line, and no file pulled in by an Include line, sets it back to yes: Ubuntu cloud images ship /etc/ssh/sshd_config.d/50-cloud-init.conf containing PasswordAuthentication yes, and the Include at the top of sshd_config makes that file win over your edit. Save the file and exit the editor.
Check the file for mistakes with sshd -t (no output means it parsed cleanly; a typo here would otherwise stop sshd from starting), then restart the SSH server for the changes to take effect. Existing sessions, including the one you are typing in, stay connected. Run the command for your distribution.
For CentOS/RHEL/Fedora
systemctl restart sshd
For Debian or Ubuntu
service ssh restart
From now on the server can only be logged into with the private key id_rsa (or any other key listed in authorized_keys). Test it from a second terminal before closing the session you edited the configuration in.
Protect the private key on the client as well. OpenSSH refuses to use a private key that other users can read ("UNPROTECTED PRIVATE KEY FILE"), and it cannot enter a ~/.ssh directory that lacks the execute bit, so the correct modes are 700 on the directory and 600 on the key. Do not use a recursive chmod 600 on ~/.ssh: it strips the execute bit from the directory and makes everything inside it unreachable. Run the following commands on the client.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
ssh-keygen asks before overwriting an existing id_rsa, but it is still easy to lose the key by answering that prompt carelessly, so keep a copy of the private key under a different name (or generate future keys under an explicit name with ssh-keygen -f in the first place). You can make the copy with the following command; the copy must stay mode 600 like the original.
cp ~/.ssh/id_rsa ~/.ssh/login_key
In the above command choose whatever directory and file name you prefer.
You can login to your SSH server using the new key with the following command.
ssh -i ~/.ssh/login_key root@server-IP-address
In the above command you can replace the path of the login key according to path and filename you chose.
Using a Windows Client Machine
If you are a Windows user and want to enable key based authentication, follow this part of the guide. Most Windows users connect with the PuTTY client, which supports both password and key based authentication. (Windows 10 and later also ship an OpenSSH client, in which case the Linux instructions above apply verbatim from a PowerShell or cmd window.)
Generating a Key Pair in Windows Client
To generate a key pair on a Windows client you have several options. This tutorial uses PuTTYgen, the open source key generator that ships with PuTTY; current versions generate RSA, DSA, ECDSA and Ed25519 keys. You can download PuTTYgen from here.
Once you open PuTTYgen, you will see the following interface.
Click on Generate button to start generating a new key pair. After clicking Generate button, you will need to move your mouse cursor over the blank area to generate some randomness in the key.
After the key is generated the window shows the public key. There are two public key forms here, and they are not interchangeable. The text box labelled "Public key for pasting into OpenSSH authorized_keys file" holds the single-line form that the Linux server needs. The Save public key button, by contrast, writes the key in the RFC 4716 (SSH2) format, with ---- BEGIN SSH2 PUBLIC KEY ---- and ---- END SSH2 PUBLIC KEY ---- lines around wrapped base64, which OpenSSH's sshd does not accept in authorized_keys. Save that file if you want a copy (an extension is not required; .txt is fine), but what ends up on the server must be the single-line form: either pasted from the text box, or produced from the saved file with ssh-keygen -i -f on the server.
To save the private key, enter a passphrase in the Key passphrase and Confirm passphrase fields and click Save private key. If you leave the passphrase empty, PuTTYgen warns you and asks whether you really want to save the key without one; choose Yes only if you accept that anyone who copies the file can log in. Give the file a name with the .ppk extension, which is PuTTY's private key format. With both files saved you can close PuTTYgen. The .ppk file never leaves the Windows machine.
Copying the Public Key to Remote Server
To copy the public key into the remote server, you can simply manually copy the key to remote server or, you can also use WinSCP to transfer the public key to remote server.
Using WinSCP to Copy the Public Key
WinSCP is an open source secure file transfer client for Windows that supports SFTP, SCP and FTP. You can download WinSCP from here; it comes as an installer and as a portable package.
When you open WinSCP it prompts for the host name and login credentials. SCP and SFTP both run over SSH on port 22, so either protocol works. Enter the hostname, username and password of the remote server and click Login. WinSCP shows the server's host key fingerprint on first connection, just as ssh does; verify it against your provider's console before accepting.
Once you are logged in you are taken to the home directory of the user; for root that is /root.
Now create a new directory in the same directory by clicking the small new directory icon available on the control bar.
Name it .ssh and save. If a .ssh folder already exists, there is no need to create it again. Double-click .ssh to enter it and drag and drop the public key file into it (never the .ppk private key; that one stays on the Windows machine). Because the file PuTTYgen saved with Save public key is in RFC 4716 format, simply renaming it to authorized_keys does not work: sshd ignores the file and you are still asked for a password. Upload it under a temporary name such as putty_key.pub instead and, in a PuTTY session on the server, convert and append it with ssh-keygen -i -f ~/.ssh/putty_key.pub >> ~/.ssh/authorized_keys, or paste the single-line form from PuTTYgen's text box into authorized_keys as described in the next section. Finally set the permissions to what sshd expects: 700 on .ssh and 600 on authorized_keys (in WinSCP, right-click the item, Properties, and set the octal value).
Manually Copying the Public Key
With the manual method you paste the single-line form of the public key into authorized_keys on the server. Copy it from PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box (select all the text in that box; it is one long line). If all you have is the file written by Save public key, do not paste its contents as they are: that file is in RFC 4716 format and sshd ignores it. Convert it first with ssh-keygen -i -f, or load the .ppk into PuTTYgen again to get the single-line form back. Now log in to the remote Linux machine via PuTTY with your username and password. It is good practice to update the server before making changes: on CentOS/Fedora/RHEL run yum -y update; on Debian/Ubuntu run apt-get update && apt-get -y upgrade.
Now create ~/.ssh
directory using the following command. If the directory is already created it will not make any changes.
mkdir -p ~/.ssh
Now use your favorite editor to create or edit ~/.ssh/authorized_keys
file. To edit or create the ~/.ssh/authorized_keys
file using nano
editor run the following command.
nano ~/.ssh/authorized_keys
Once the editor is open, paste the public key with a single right-click (PuTTY pastes the clipboard on right-click). The key must end up as a single line starting with ssh-rsa, ssh-ed25519 or similar; if you see ---- BEGIN SSH2 PUBLIC KEY ---- in the editor you have pasted the wrong form. Save and close.
With the public key in place we can configure SSH to disable password authentication.
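Both Windows copying methods above depend on getting the single-line form of the key onto the server. As an added example for this tutorial (not PuTTY's or OpenSSH's own code), here is what the conversion from PuTTYgen's saved RFC 4716 file to an authorized_keys line actually involves, written as a POSIX shell function; it covers the WinSCP upload case as well as a saved file that was pasted by mistake. On a server with OpenSSH installed, ssh-keygen -i -f <file> produces the same line. The key in the demonstration is constructed and unusable (the blob contains only an algorithm name and a three-byte fake exponent); base64, od and dd are assumed to be present, as they are on every distribution named here.

```shell
#!/bin/sh
# Added example for this tutorial: convert an RFC 4716 ("---- BEGIN SSH2 PUBLIC KEY ----")
# public key file, as written by PuTTYgen's "Save public key", into the one-line OpenSSH
# authorized_keys form. Not code from PuTTY or OpenSSH. Assumes POSIX sh, awk, base64 -d,
# od and dd.

rfc4716_to_openssh() {
    file=$1
    # 1. Drop the ---- BEGIN/END ---- lines and the "Name: value" headers (including
    #    backslash-continued header lines), join the base64 body into one string, and
    #    remember the Comment header, which becomes the trailing comment in OpenSSH form.
    parsed=$(awk '
        /^----/ { next }
        cont    { cont = /\\$/; next }                 # continuation of a header line
        /^[A-Za-z0-9-]+:/ {
            cont = /\\$/
            if (tolower($1) == "comment:") {
                c = $0; sub(/^[^:]*:[ \t]*/, "", c); gsub(/^"|"$/, "", c); comment = c
            }
            next
        }
        { body = body $0 }
        END { printf "%s\t%s\n", body, comment }
    ' "$file") || return 1
    blob=$(printf '%s\n' "$parsed" | cut -f1)
    comment=$(printf '%s\n' "$parsed" | cut -f2)
    [ -n "$blob" ] || { echo "no key body in $file" >&2; return 1; }

    # 2. The blob is an SSH wire-format structure whose first field is a 4-byte big-endian
    #    length followed by the algorithm name ("ssh-rsa", "ssh-ed25519", ...). OpenSSH
    #    repeats that name as the first word of the authorized_keys line.
    len=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4 \
          | awk '{ print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }')
    [ "${len:-0}" -gt 0 ] && [ "${len:-0}" -lt 64 ] \
        || { echo "not a valid SSH public key blob in $file" >&2; return 1; }
    ktype=$(printf '%s' "$blob" | base64 -d 2>/dev/null | dd bs=1 skip=4 count="$len" 2>/dev/null)

    printf '%s %s%s\n' "$ktype" "$blob" "${comment:+ $comment}"
}

# Demonstration with a constructed (not real) key: the blob holds the algorithm name
# and a tiny fake exponent, which is enough to exercise the parser.
demo_blob=$(printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001' | base64)
demo_file=$(mktemp)
cat > "$demo_file" <<EOF
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20200101"
$demo_blob
---- END SSH2 PUBLIC KEY ----
EOF
rfc4716_to_openssh "$demo_file"     # ssh-rsa <base64> rsa-key-20200101
```

Redirect the function's output with >> ~/.ssh/authorized_keys on the server to install the key; the function refuses input whose decoded blob does not start with a plausible algorithm name, so a file containing something other than a public key is not appended by accident.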
Configuring SSH to Use Key Based Authentication
Log in to the remote Linux server via PuTTY with your password, and keep this session open until you have confirmed from a second PuTTY window that the key login works; a mistake in the following step otherwise locks you out. Disable password based authentication by editing the SSH server configuration file /etc/ssh/sshd_config. Run the following to open it in nano; any editor will do.
sudo nano /etc/ssh/sshd_config
Scroll down the find the following lines.
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
Change PasswordAuthentication from yes to no, and also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication on OpenSSH 8.7 and later) so that PAM cannot still offer a password prompt. sshd takes the first value it sees for a directive, so check that no earlier line, and no file pulled in by an Include line (for example /etc/ssh/sshd_config.d/50-cloud-init.conf on Ubuntu cloud images), sets it back to yes. Save the file and exit the editor.
Check the file with sudo sshd -t (no output means no errors), then restart the SSH server for the changes to take effect; your current session stays connected. Run the command for your distribution.
For CentOS/RHEL/Fedora
sudo systemctl restart sshd
For Debian or Ubuntu
sudo service ssh restart
Verify that the public key landed on the server with the following command.
cat ~/.ssh/authorized_keys
It should print the single-line key beginning with ssh-rsa (or ssh-ed25519). A line beginning with ---- BEGIN means the RFC 4716 form was pasted and sshd will not use it. Leave this PuTTY session open while you test the key login from a second window as described next.
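Both sshd_config procedures on this page (the Linux section earlier and the PuTTY one just above) come down to the same edit, and both are easy to get subtly wrong: a second PasswordAuthentication line, a Match block, or an Include'd drop-in can quietly keep passwords enabled. As an added example for this tutorial (not part of OpenSSH), the shell functions below make the edit repeatable against a configuration file given as a parameter, add the keyboard-interactive directives the manual edit misses, and report any included file that still allows passwords. Run them against a scratch copy first, as the demonstration does; on the server, follow with sshd -t and the restart command for your distribution. The demonstration's configuration text is constructed from the snippet shown on this page.

```shell
#!/bin/sh
# Added example for this tutorial: repeatable sshd_config hardening. Not OpenSSH code.
# Assumes POSIX sh, awk, grep and sed; the config path is a parameter so the functions
# can be tried on a scratch copy before touching /etc/ssh/sshd_config.

# Set one directive in the global section of an sshd_config file. The first matching
# line, commented out or not, is rewritten in place; later global duplicates are dropped
# (sshd honours the FIRST value it reads, so a leftover "yes" above yours would win);
# if the directive is absent it is inserted before the first Match block, because a
# directive written after a Match line belongs to that block, not to the global section.
set_sshd_directive() {
    cfg=$1 key=$2 val=$3
    awk -v key="$key" -v val="$val" '
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)     # strip indentation and "#"
            split(line, f, /[ \t=]+/)
            word = tolower(f[1])
        }
        !in_match && !commented && word == "match" {        # global section ends here
            if (!done) { print key " " val; done = 1 }
            in_match = 1
        }
        in_match { print; next }                             # leave Match blocks alone
        word == tolower(key) {
            if (!done) { print key " " val; done = 1 }      # first hit: rewrite in place
            next                                             # later hits: drop
        }
        { print }
        END { if (!done) print key " " val }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# The settings that actually turn off password logins. PasswordAuthentication alone is
# not enough: with ChallengeResponseAuthentication (KbdInteractiveAuthentication on
# OpenSSH 8.7+) still on, PAM can present a password prompt via keyboard-interactive.
disable_password_auth() {
    cfg=$1
    set_sshd_directive "$cfg" PubkeyAuthentication yes
    set_sshd_directive "$cfg" PasswordAuthentication no
    set_sshd_directive "$cfg" ChallengeResponseAuthentication no
    set_sshd_directive "$cfg" KbdInteractiveAuthentication no
    set_sshd_directive "$cfg" PermitEmptyPasswords no
}

# Print "file:line:text" for every file named by an Include line that still says "yes"
# for a password directive, and return 1 if any was found. Ubuntu cloud images ship
# /etc/ssh/sshd_config.d/50-cloud-init.conf with "PasswordAuthentication yes", and the
# Include at the top of sshd_config makes it win over an edit to the main file.
find_password_overrides() {
    cfg=$1
    hits=$(
        grep -Ei '^[[:space:]]*Include[[:space:]]' "$cfg" | while read -r _directive pattern; do
            for f in $pattern; do          # unquoted on purpose: Include takes a glob
                [ -f "$f" ] || continue
                grep -Ein '^[[:space:]]*(PasswordAuthentication|ChallengeResponseAuthentication|KbdInteractiveAuthentication)[[:space:]]+yes' "$f" \
                    | sed "s|^|$f:|"
            done
        done
    )
    [ -z "$hits" ] || { printf '%s\n' "$hits"; return 1; }
}

# Demonstration on a scratch copy of the snippet shown on this page. On the real server:
#   disable_password_auth /etc/ssh/sshd_config && find_password_overrides /etc/ssh/sshd_config
#   sshd -t && systemctl restart sshd
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
disable_password_auth "$demo/sshd_config"
cat "$demo/sshd_config"
```

The Match block for the backup user is left as it was: that is a deliberate per-user exception, and silently removing it would change behaviour the administrator chose. If you do want no exceptions at all, search the file for Match blocks by hand before restarting sshd.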
Logging into Remote Server using Private Key
To log in with the private key through PuTTY, open the PuTTY client, enter the hostname or IP address of the server and select SSH as the connection type.
In the left pane go to Connection >> SSH >> Auth (in PuTTY 0.75 and later, Connection >> SSH >> Auth >> Credentials) and, under Private key file for authentication, browse to the .ppk file you saved. Go back to Session and save the session so you do not have to repeat this every time.
Click Open; PuTTY opens the terminal, asks for the key's passphrase if you set one, and logs you in. If you see "Server refused our key", the usual causes are an RFC 4716 formatted entry in authorized_keys, a key pasted across several lines, or wrong permissions on ~/.ssh or authorized_keys on the server.
Conclusion
In this detailed tutorial we have learnt about the key based authentication. We learnt to enable key based authentication on multiple Linux platforms. We have learnt to configure SSH for key based authentication for both Linux and Windows users. You can now implement key based authentication for hardening the security of your server.