Public key authentication is a fundamental aspect of secure and efficient communication in the realm of server administration. In today's interconnected world, where safeguarding sensitive data is paramount, OpenSSH stands out as a reliable and widely-used tool for secure remote access. In this blog article, we will delve into the intricacies of working with public key authentication in OpenSSH. We will explore the step-by-step process of preparing a server, generating an SSH key pair, adding a public key to a user account, establishing a secure connection using SSH keys, configuring hosts for seamless access, disabling password authentication for enhanced security, and even revoking access when necessary. Whether you're a seasoned system administrator or just starting your journey in server management, this guide will equip you with the knowledge and practical skills to leverage the power of public key authentication with confidence. Let's dive in and unlock the secrets of OpenSSH's public key authentication!
OpenSSH server is running on your server
OpenSSH client is installed on your workstation
Prepare the Server
The steps in this section need to be done once per local user account on the server.
Log in to the server user account you want to use.
Create a directory called
.ssh in the home directory.
Set the directory's permissions so only you, the owner can read, write, and execute it.
chmod 700 ~/.ssh
Create an empty
Set the file's permissions so only you, the owner can read and write to it.
chmod 600 ~/.ssh/authorized_keys
Anyone who can provide a private key that matches the public keys stored in this file will have access to the account.
Generate an SSH Key Pair
Next, create a key pair. A key pair is a public key and a matching private key. The public key will be added to the previously created
On your workstation (not the server), open up a Terminal.
Create a directory called
.ssh in your home directory.
Change into the directory.
Generate a key pair.
ssh-keygen -f [your name]@[location of workstation]-[timestamp] -C [your name]@[location of workstation]-[timestamp]
ssh-keygen -f myname@work-2023-05-01 -C myname@work-2023-05-01
You can replace
[your name]@[location of workstation]-[timestamp]with anything you want. But I recommend the above because it will help identify a key by the name of the person it belongs to, the location it will be used from, and the date it was created.
Upon running the command, you will be asked for a passphrase. You can choose anything you want here, or you can leave it blank.
Make sure you understand the security implications of leaving the passphrase blank before you do it.
Two files are created. One without a file extension (the private key) and one with the file extension
.pub (the public key).
myname@work-2023-05-01 contains the private key that will need be provided any time you try to connect to the server. It is not recommended to copy this file to another machine. If you need to connect from multiple machines, create multiple key pairs. Protect this file like a password.
email@example.com contains the public key that can be shared. Any user on any device which has this key entered into its
authorized_keys file grants you access to the user account (as long as you can provide the private key).
Add a Public Key to a User
Once you have a key pair, you'll want to add the public key to a local user account on the server.
From your workstation, copy the public key into the server user's
cat ~/.ssh/[public key filename].pub | ssh [your username]@[your server's IP address or hostname] "cat >> ~/.ssh/authorized_keys"
Be sure to replace
[public key filename] with the actual public key filename,
[your username] with your actual username on the server, and
[your server's IP address/hostname] with your server's actual IP address or hostname.
If you're using a virtual machine, you're connecting from the host machine, and you have port 22 forwarded, you can use
localhostas your server's hostname.
The command will ask for the user's current password so it can log in and append the public key to the
Connecting to the Server using an SSH Key
From your workstation, connect to the server, providing the SSH private key for authentication.
ssh [your username]@[your server's IP address/hostname] -i ~/.ssh/[private key filename]
You will be asked for the key pair's passphrase (if any). Once authenticated, you will be connected to your server as before.
Using a Configured Host
The command you must execute to connect to your server via SSH is tedious to type out. You can alleviate this with a configured host.
On your workstation, create or edit
Host myserver HostName myserver User myusername Port 22 IdentityFile ~/.ssh/[private key filename]
Make sure to replace
myusername with the appropriate values.
With that file saved, you can execute the much shorter
HostNamemust be set to your server's actual IP address or hostname, the
Hostcan be set to anything you like. It is like an alias that identifies the configured host.
Disabling Password Authentication
Once SSH key authentication is set up and working correctly, I suggest disabling the less-secure password authentication method.
/etc/ssh/sshd_config. Somewhere in the file, add the following line.
Restart the SSH server.
sudo systemctl restart sshd
From now on, users cannot use a password to authenticate their SSH sessions with the server; they must provide a valid private key.
If you need to remove access from a particular key pair, edit the server user's
~/.ssh/authorized_keys file. and delete the line which has the public key you want to remove.
Your server is now ready to handle remote connections with public key authentication. Mastering the art of working with public key authentication in OpenSSH opens up a world of secure and efficient remote access possibilities. By following the step-by-step guide outlined in this article, you have gained valuable insights into preparing servers, generating key pairs, configuring user accounts, establishing secure connections, and enhancing overall security by disabling password authentication. Armed with this knowledge, you can confidently navigate the intricate landscape of server administration, ensuring the confidentiality and integrity of your data. Embracing public key authentication in OpenSSH empowers you to take full control of your remote access workflows while upholding the highest standards of security. So, go forth, explore, and harness the power of public key authentication to revolutionize your server management practices.