How to configure key-based authentication for SSH (2024)

Posted: May 3, 2022 | by Evans Amoany (Sudoer)

Remote connections to a server via Secure Shell (SSH) can be authenticated in two ways. The traditional and default method is to use password authentication. The second approach is key-based authentication, which is based on a private-public key pair.

Key-based authentication provides two primary benefits:

  • Helps mitigate brute-force password attacks against SSH
  • Prevents administrators from being required to manually type passwords in automated processes such as scripts or Ansible

Passwordless key-based authentication is often the assumed configuration on modern Linux systems.

The key pair

For key-based authentication, a matched pair of cryptographic key files is generated. The pair consists of a private key and a public key that uniquely identify the user. The private key is kept on the local server, usually with file mode 600 (readable and writable only by its owner). The public key is copied to the remote system where the user intends to log in. This public key is stored in the ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 file of the authenticating user. For example, if you log into a remote server with the user sadmin, the public key is added to the /home/sadmin/.ssh/authorized_keys file.

Create the key pair

The ssh-keygen command generates the private and public key pair. By default, the command saves these keys to the user's ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files. The id_rsa is the private key, and id_rsa.pub is the public key. The OpenSSH suite also contains an ssh-copy-id command, which you can use to distribute the public keys to other systems.

To generate the keys, enter the following command:

[server]$ ssh-keygen

Note: ssh-keygen is an interactive command. Press Enter at each prompt to accept the default.

By default, all files are stored in the /home/sysadmin/.ssh/ directory. You can enter a new file name when running the ssh-keygen command. The command also offers the option to add a passphrase to unlock the key file.

Share the public key

To share the public key with other systems the sadmin user will access, use:

[server]$ ssh-copy-id remoteuser@remoteserver

Enter the user's password. The public key is shared with the remote server, and the user can log in without a password. There is also the ssh-agent command, which you can use to store private keys used for public key authentication. This is normally useful when a passphrase protects keys.

To add a private key stored in /home/sadmin/sshkeys/id_rsa to ssh-agent, use these commands:

[server]$ eval $(ssh-agent)
[server]$ ssh-add /home/sadmin/sshkeys/id_rsa

Enter the passphrase, which is then stored in memory until the agent is stopped. In this case, you don't need to enter a passphrase when using SSH to access a remote server.
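For systems where ssh-copy-id is not available, the following added example (not part of the original article) shows what has to end up on the remote side: the public key line appended once to authorized_keys, with restrictive modes. The function name install_pubkey and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install a public key into an account's authorized_keys by hand.
# install_pubkey PUBKEY_FILE HOME_DIR   (hypothetical helper, not an OpenSSH tool)
#   PUBKEY_FILE  path to the .pub file copied over from the client
#   HOME_DIR     home directory of the account that will accept the key
install_pubkey() {
    pub=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys

    # A public key file holds one line: "<type> <base64 blob> [comment]".
    # Refuse anything else, e.g. a private key pasted by mistake.
    key=$(head -n 1 "$pub")
    case $key in
        ssh-*\ *|ecdsa-*\ *|sk-*\ *) ;;
        *) echo "install_pubkey: $pub does not look like a public key" >&2
           return 1 ;;
    esac

    # sshd's StrictModes (on by default) refuses keys kept in
    # group- or world-writable locations, so set the modes explicitly.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present (idempotent).
    if grep -qxF -- "$key" "$auth"; then
        echo "key already present in $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added to $auth"
    fi
}

# Usage on the remote system, run as the target account:
#   install_pubkey /tmp/id_rsa.pub /home/sadmin
```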

Wrap up

Passwordless connection is very useful, especially in automated transfers and scripting. It's a fairly standard configuration on many Linux systems because it reduces the burden of manual SSH authentication and allows for simpler automation solutions.

FAQs

How to configure key-based authentication for SSH? ›

To specify which private key should be used for connections to a particular remote host, use a text editor to create a ~/.ssh/config that includes the Host and IdentityFile keywords. Once you save the file, SSH will use the specified private key for future connections to that host.

How do I enable key-based SSH authentication? ›

To configure the SSH server to support key-based authentication, follow these steps:
  1. Log in to the server console as the bitnami user.
  2. Create a key pair, consisting of a public and private key, as shown below. ...
  3. Copy the private key file named id_rsa to a secure location.
Feb 6, 2023

How to set up RSA keys for SSH? ›

The main points are:
  1. Run ssh-keygen on your machine. This will generate public and private keys for you.
  2. Copy and paste the contents of your public key (likely in ~/.ssh/id_rsa.pub) into ~/.ssh/authorized_keys on the remote machine.
May 1, 2009

How to setup a key pair in SSH? ›

Generate an SSH Key Pair
  1. Run the ssh-keygen command. You can use the -t option to specify the type of key to create. ...
  2. The command prompts you to enter the path to the file in which you want to save the key. ...
  3. The command prompts you to enter a passphrase. ...
  4. When prompted, enter the passphrase again to confirm it.

How do I specify a key for SSH? ›

To specify which private key should be used for connections to a particular remote host, use a text editor to create a ~/.ssh/config that includes the Host and IdentityFile keywords. Once you save the file, SSH will use the specified private key for future connections to that host.

What is SSH key-based authentication? ›

An SSH key is a secure access credential used in the Secure Shell (SSH) protocol. SSH key pairs use public key infrastructure (PKI) technology, the gold standard for digital identity authentication and encryption, to provide a secure and scalable method of authentication.

How to generate and configure SSH certificate based authentication? ›

Generating and Configuring SSH Certificate-Based Authentication (Step-by-Step Guide)
  1. Prerequisites.
  2. Step 1: Generate SSH Key Pair.
  3. Step 2: Copy the Public Key to the Server.
  4. Step 3: Verify SSH Key Authentication.
  5. Introduction to SSH Certificates.
  6. Generating a Certificate from the Public Key.
Mar 8, 2024

How to enable SSH on RSA server? ›

To log on to the appliance operating system using Secure Shell (SSH), you must enable SSH. In the Operations Console, click Administration > Operating System Access. In the SSH Settings section, select the checkbox for each NIC on which you want to enable SSH.

Which is better RSA or Ed25519? ›

Compared to traditional RSA keys, Ed25519 key generation is significantly faster. This advantage is especially valuable when dealing with systems that require frequent key generation, such as in large-scale infrastructure setups or automated processes.

Do SSH keys start with SSH RSA? ›

An SSH2 public key in OpenSSH format will start with "ssh-rsa". The idea behind all of this is that once you have keys on the remote server and your local host, access will be simpler since the server will only grant access to someone who has the matching private key.

Where do I find my SSH key? ›

Checking for existing SSH keys
  1. Open Terminal (or Git Bash).
  2. Enter ls -al ~/.ssh to see if existing SSH keys are present. ...
  3. Check the directory listing to see if you already have a public SSH key. ...
  4. Either generate a new SSH key or upload an existing key.

Where do I get my SSH key? ›

Command Prompt (for Windows 10 only)
  1. Open Command Prompt or Windows PowerShell.
  2. Issue the command: ssh-keygen.
  3. To view the public key, navigate to C:\Users\<username>/.ssh/id_rsa.pub or execute this command in the command prompt: more C:\Users\<username>/.ssh/id_rsa.pub.
Sep 13, 2022

Where do I put my SSH public key? ›

The public key is copied to the remote system where the user intends to log in. This public key is stored in the ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 file of the authenticating user.

How do I enable two factor authentication for ssh? ›

To do this, follow these steps:
  1. Log in to your server using SSH.
  2. As the root user, open the /etc/pam.d/sshd file in your preferred text editor. ...
  3. Open the /etc/ssh/sshd_config file in your preferred text editor. Locate the following line: ChallengeResponseAuthentication yes. ...
  4. Restart the SSH service:

What are the permissions for SSH key authentication? ›

.ssh directory permissions should be 700 (drwx------). The public key (.pub file) should be 644 (-rw-r--r--). The private key (id_rsa) on the client host, and the authorized_keys file on the server, should be 600 (-rw-------).
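The modes listed above can be checked with a short script. This is an added example, not part of the original page; the function names check_mode and audit_ssh_dir are assumptions, and it assumes GNU stat (stat -c %a) as found on Linux. It treats the values above as upper bounds, so a stricter mode such as 400 on a private key passes.

```shell
#!/bin/sh
# Added example: audit a .ssh directory against the modes given above.
# check_mode PATH MAX -> prints a finding and returns 1 if PATH grants
# any permission bit that MAX does not (hypothetical helper).
check_mode() {
    actual=$(stat -c %a "$1") || return 1
    # Octal arithmetic: bits set in actual but not in the allowed mask.
    [ $(( 0$actual & ~0$2 & 07777 )) -eq 0 ] && return 0
    echo "FAIL $1 is $actual, allowed at most $2"
    return 1
}

# audit_ssh_dir DIR -> returns the number of findings (0 = clean)
audit_ssh_dir() {
    dir=$1
    bad=0
    check_mode "$dir" 700 || bad=$((bad + 1))
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.pub)
                check_mode "$f" 644 || bad=$((bad + 1)) ;;
            */authorized_keys)
                check_mode "$f" 600 || bad=$((bad + 1)) ;;
            *)
                # Private keys are recognised by their PEM header, not by
                # file name, so keys saved under custom names are covered.
                if head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
                    check_mode "$f" 600 || bad=$((bad + 1))
                fi ;;
        esac
    done
    return "$bad"
}

# Usage: audit_ssh_dir "$HOME/.ssh" || echo "$? finding(s)"
```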

Author: Madonna Wisozk