Setup key based authentication in openssh on linux

SSH - Secure Shell

SSH provides terminal access to control a remote web server over a secure encrypted connection. It is similar to telnet except that the entire communication is encrypted so its more secure. To connect to a webserver using ssh there are 2 things needed. First is a ssh server running on the server and another is an ssh client. Openssh is a popular ssh server used on linux based webservers. Check out my previous post on how to install ssh server on ubuntu.

SSH by default uses username/password based authentication. While connecting to the ssh server the user is asked to enter a password.

$ ssh [email protected]_web_server
[email protected]_web_server's password:

However this is not the only way to authenticate to an ssh server. Authentication can also be done using keys. The key exists as a file on the local system and when connecting to the ssh server the key is send automatically and no password is asked for.

The key actually has 2 parts which exist as a pair. The first is the public key and second is the private key. The combination is unique. No 2 pairs can have the same public or private keys. The key pair is first generated on local machine using a command like ssh-keygen. Then the public key is stored on the server in a list of "authorized users".

Now whenever we connect to server using our private key the server is able to detect if a corresponding public key exists in the list of authorized users or not. If yes then authentication is complete. Read about public key cryptography if you want to know more about how it works.

Generate keys

Assuming that you already have openssh installed and setup and that you are able to login using keys, its time to move on to setup key based authentication. The first thing to do is to generate our key pair. On ubuntu we can use the ssh-keygen command

# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/john/.ssh/id_rsa.
Your public key has been saved in /home/john/.ssh/id_rsa.pub.
The key fingerprint is:
86:0c:a6:8d:c1:35:91:ab:b2:09:b8:b0:55:2f:58:2c [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|    +o           |
| . ...           |
|  o.o.           |
|  E*=o .         |
|. o*..o S        |
|= + . ..         |
|oB   .           |
|=                |
|                 |
+-----------------+






There are mainly 2 types of keys, RSA and DSA. Each has a different algorithm to generate and match the keys. Read up the wikipedia articles to learn about them. In this example we use RSA.

Note that on ubuntu the keys are by default created in the .ssh directory inside the home directory. You can specify any directory. The key pair consists of 2 files, first is id_rsa (this is the private key) and the other is id_rsa.pub (this is the public key).

Install the public key on server

Now 1 part of the pair, that is the public key needs to be given to the server so that it can identify us when we present the private key. This is done by copying the contents of the public key files in the following file on the remote server

~/.ssh/authorized_keys

The public key may as well be copied into the authorized_keys2 file. It works the same way.

To copy the public key into the file, the easiest way is to use the ssh-copy-id command which will take the public key and copy it to the remote server in the path mentioned above.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]_web_server
The authenticity of host 'remote_web_server (69.101.52.13)' can't be established.
RSA key fingerprint is 26:50:b5:51:3d:06:a8:10:52:f8:8a:60:23:a7:31:a8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remote_web_server' (RSA) to the list of known hosts.
[email protected]_web_server's password: 
stdin: is not a tty
Now try logging into the machine, with "ssh [email protected]_web_server'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
$

Now try to login to the remote server again from your local terminal.

$ ssh [email protected]_web_server

It should login without asking for a password. Note that if you create the keys in a location different from ~/.ssh then you need to specify the path to the private key file using the "-i" option.

$ ssh -i /path/to/id_rsa [email protected]_web_server

If you do not have the ssh-copy-id command then copy the public key file manually.
First copy the id_rsa.pub key file onto the server using scp command.

$ scp id_dsa.pub [email protected]:./id_dsa.pub

The file would get copied to the home directory. Now login to the server through ssh password. Then copy the contents of the id_rsa.pub file to .ssh/authorized_keys file.

$ cd .ssh
$ touch authorized_keys
$ chmod 600 authorized_keys
$ cat ../id_dsa.pub >> authorized_keys
$ rm ../id_dsa.pub

Thats all. Now the public key is installed on the server. Trying logging in from the terminal.

$ ssh [email protected]
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-32-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

0 packages can be updated.
0 updates are security updates.

New release '13.04' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri May 31 09:27:59 2013 from localhost

Disable password based login

Now that key based authentication is setup, you might want to disable password based logins. This can be done by configuring the ssh server (daemon). The openssh server configuration file is

/etc/ssh/sshd_config

Open the file and look for the "PasswordAuthentication" setting and set it to no.

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Save and restart the openssh server. Now the ssh server will only allow key based authentication

$ sudo service ssh restart
[sudo] password for enlightened: 
ssh stop/waiting
ssh start/running, process 10890

Also ensure that the following 2 options are set to yes for the the key based login to work

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

Login with putty

In the above exmaples we used the openssh ssh client that is available on linux. Putty is another useful ssh client that is available for both linux and windows and supports key based authentication.

However putty cannot use the private key generated by the ssh-keygen command directly. It uses its own format. So first the private key (on your local machine) has to be converted to putty format. This is done using the puttygen command. It converts the key file from openssh format to putty format.

$ puttygen ~/.ssh/id_rsa -o ~/.ssh/putty_id_rsa

The above command will convert the private key to putty format which can be used with putty to connect to the server. Launch putty and go to Connection > SSH > Auth tab on the left and select the key file in the box labelled "Private key for authentication".

Last Updated On : 4th November 2013

Subscribe to get updates delivered to your inbox

1 Comment + Add Comment

  • Awesome! That was very helpful.
    Thanks.

Leave a comment