Introduction
SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers.
Step 1 — Creating a Key Pair
ssh-keygen
By default, recent versions of ssh-keygen will create a 3072-bit RSA key pair. Optionally, pass the -b 4096 flag to create a larger 4096-bit key pair.
If this is the first time you have generated a key pair, the output looks like this:
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):
If you had previously generated an SSH key pair, the output looks like this:
Output
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?
Output
Enter passphrase (empty for no passphrase):
Output
Your identification has been saved in /your_home/.ssh/id_rsa
Your public key has been saved in /your_home/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/hk7MJ5n5aiqdfTVUZr+2Qt+qCiS7BIm5Iv0dxrc3ks user@host
The key's randomart image is:
+---[RSA 3072]----+
| .|
| + |
| + |
| . o . |
|o S . o |
| + o. .oo. .. .o|
|o = oooooEo+ ...o|
|.. o *o+=.*+o....|
| =+=ooB=o.... |
+----[SHA256]-----+
You now have a public and private key that you can use to authenticate.
Next, place the public key on your server so that you can use SSH-key-based authentication to log in.
Step 2 — Copying the Public Key to Your Machine
ssh-copy-id username@remote_host
The first time you connect to a new host, you will see a message like the one below. Type “yes” and press ENTER to continue.
Output
The authenticity of host '172.20.1.1 (172.20.1.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
Output
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@172.20.1.1'"
and check to make sure that only the key(s) you wanted were added.
Your id_rsa.pub key has been uploaded to the remote account.
You can continue on to Step 5.
Step 3 — Copying the Public Key Using SSH
If you do not have ssh-copy-id available, but you have password-based SSH access to an account on your server, you can upload your keys using a conventional SSH method.
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
Output
The authenticity of host '172.20.1.1 (172.20.1.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
Output
username@172.20.1.1's password:
Step 4 — Copying the Public Key Manually
cat ~/.ssh/id_rsa.pub
Output
ssh-rsa <key data omitted> demo@test
Once you have access to your account on the remote server, you should make sure the ~/.ssh directory exists. If the ~/.ssh directory is not there, create it; otherwise skip this step:
mkdir -p ~/.ssh
Now, you can create or modify the authorized_keys file within this directory.
echo public_key_string >> ~/.ssh/authorized_keys
Finally, set the correct permissions and ownership:
sudo chmod -R go= ~/.ssh
sudo chown -R core:core ~/.ssh
In this tutorial, our user is named core, but you should substitute the appropriate username into the above command.
Step 5 — Authenticating Ubuntu Machine Using SSH Keys
ssh username@remote_host
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
If you did not supply a passphrase for your private key, you will be logged in immediately.
If you supplied a passphrase for the private key when you created the key, you will be prompted to enter it. After authenticating, a new shell session should open for you with the configured account on the Ubuntu server.
Step 6 — Disabling Password Authentication on Your Server
sudo nano /etc/ssh/sshd_config
Inside the file, search for a directive called PasswordAuthentication. Remove the # at the beginning of the line, and set the value to no. This will disable your ability to log in via SSH using account passwords.
/etc/ssh/sshd_config
. . .
PasswordAuthentication no
. . .
sudo systemctl restart ssh
The SSH daemon on your Ubuntu server now only responds to SSH-key-based authentication. Password-based logins have been disabled.
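The check below is an added example, not part of the original tutorial. It confirms that the Step 6 edit actually takes effect: sshd keeps the first value it reads for a keyword, so when sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf (as on recent Ubuntu releases), a drop-in file that sets PasswordAuthentication yes overrides the "no" written further down. The function names and the sample layout are assumptions made for the example, and it goes slightly beyond the tutorial by following Include lines.

```shell
#!/bin/sh
# Added example, not from the tutorial; function names are made up here.
# Prints the global PasswordAuthentication value of an sshd_config-style file.
# sshd keeps the FIRST value it reads for a keyword, so a drop-in pulled in by
# an earlier Include beats a later "PasswordAuthentication no".
# Assumptions: relative Include paths resolve against the including file's
# directory (real sshd uses /etc/ssh); the "Keyword=value" form is not parsed.

first_password_auth() {   # $1 = file; prints the first value, returns 1 if unset
    [ -r "$1" ] || return 1
    dir=$(dirname "$1")
    while read -r key val rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            passwordauthentication)
                printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]'
                return 0 ;;
            match)
                return 1 ;;   # the global section ends at the first Match block
            include)
                for pat in $val $rest; do          # unquoted so globs expand
                    case $pat in /*) ;; *) pat=$dir/$pat ;; esac
                    for f in $pat; do
                        # $(...) runs in a subshell, so recursion cannot clobber our variables
                        if v=$(first_password_auth "$f"); then
                            printf '%s\n' "$v"
                            return 0
                        fi
                    done
                done ;;
        esac
    done < "$1"
    return 1
}

effective_password_auth() {   # OpenSSH defaults to "yes" when the keyword is unset
    first_password_auth "$1" || echo yes
}

# Demo on a constructed layout: the drop-in says "yes", the main file says "no".
demo=$(mktemp -d) && mkdir "$demo/sshd_config.d"
echo 'PasswordAuthentication yes' > "$demo/sshd_config.d/50-example.conf"
printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' "$demo" > "$demo/sshd_config"
echo "effective value: $(effective_password_auth "$demo/sshd_config")"
rm -r "$demo"
```

On a live server, sudo sshd -T | grep -i passwordauthentication prints the value the daemon itself resolves.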
Finale
You now have SSH-key-based authentication configured on your server, allowing you to sign in without providing an account password.