How to Use Public Key Authentication with SSH

Introduction

Public Key Authentication is a secure logging method using SSH. Instead of a password, the procedure uses a cryptographic key pair for validation. Although using a strong password helps prevent brute force attacks, public key authentication provides cryptographic strength and automated passwordless logins.

This guide gives step-by-step instructions on how to implement public key authentication from scratch.

How to Use Public Key Authentication with SSH

Prerequisites

  • Command line/terminal access with administrator privileges.
  • SSH enabled. Follow our guides to turn on SSH on Linux: Ubuntu 20.04, Debian 9 or 10.
  • A local and remote server.

Using SSH Key for authentication

The SSH public key authentication has four steps:

1. Generate a private and public key, known as the key pair. The private key stays on the local machine.

2. Add the corresponding public key to the server.

3. The server stores and marks the public key as approved.

4. The server allows access to anyone who proves the ownership of the corresponding private key.

The model assumes the private key is secured. Adding a passphrase to encrypt the private key adds a layer of security good enough for most user-based cases. For automation purposes, key management software and practices apply since the private key stays unprotected otherwise.

Generating SSH Key Pair

Generate the SSH key pair on the local server using OpenSSH. The basic instructions for Linux, macOS, and Windows are outlined below.

Linux and macOS

1. Open the terminal (CTRL+ALT+T).

2. Check for existing keys with:

ls -l ~/.ssh/id*

If there are keys already, the output shows the directory contents:

Listing contents of the .ssh folder

Generating new keys overwrites the current ones by default. However, stating a new name for the keys saves them to different files.

If there are no existing keys, the output indicates the folder does not exist:

Output message of no .ssh directory

3. Create the directory using the mkdir command for storing the new key pair:

mkdir ~/.ssh

4. Change the permissions to 700:

chmod 700 ~/.ssh

5. The following command starts the key generator:

ssh-keygen

The output prints out a message, indicating the command ran successfully. Next, the program asks where to save the file:

Output of the ssh-keygen command

The default directory and file for key storage is /home/<username>/.ssh/id_rsa. If you have existing keys you want to keep, enter a new file name. Otherwise, press Enter to save in the default location. If any keys already exist in this location, the program overwrites the data.

6. Finally, enter a passphrase to secure the key. Press Enter and confirm the passphrase once more when requested. The password is required any time you use the key for authentication.

Entering a passphrase for ssh-keygen

7. Lastly, the program prints out information about where the keys are stored. Additionally, a digital and a graphic representation print to the console too.  

Output of generated keys from ssh-keygen

8. Confirm the keys are in the directory by checking the contents:

 ls -l ~/.ssh/
Public and private key in the .ssh folder

The directory now contains two files:

  • id_rsa is the private key.
  • id_rsa.pub is the public key.

Windows

1. Use the Windows search box to find cmd and open the Command Prompt window.

2. In the prompt, type:

ssh-keygen

The command starts the program for generating the key pair.

Note: Command not working? Don't worry. There are other ways to generate the keys. Try following our detailed tutorial for generating an SSH key pair on Windows 10.

3. If you set up a specific location for the keys, type in the path now. Otherwise, press Enter to save the keys in the default path.

Running ssh-keygen on Windows

If keys exist in this location, the output asks to confirm the overwrite. Type Y to confirm and press Enter to continue the setup.

4. Enter the passphrase to encrypt the private key. Re-enter the same passphrase and press Enter to finish generating the key pair.

Final output of ssh-keygen on windows

Configuring one or multiple SSH/SFTP Users for Your Key

After generating a key pair, the next step is to configure the server machine for SSH and SFTP users for the key.

1. On the server machine, check if the ~/.ssh folder exists:

ls -l ~/.ssh/

If the directory is non-existent, create the folder:

mkdir ~/.ssh

Next, change the permissions with:

chmod 700 ~/.ssh

2. Create a file called authorized_keys in the ~/.ssh directory:

touch authorized_keys

Change the permissions:

chmod 600 ~/.ssh/authorized_keys

3. Next, open the authorized_keys file using a text editor. Copy the public key contents into the authorized_keys file. For multiple users and keys, copy each new key onto a new line. Save the file and close.

In Linux, use this command to copy the key automatically:

ssh-copy-id <username>@<host>
Output of the command ssh-copy-id

The output shows the number of keys automatically copied to the server along with further instructions.

For transferring files via SSH, multiple solutions exist:

  • Use SSHFS for Linux, macOS, or Windows
  • Use RSync as an alternative for Linux.

Logging in

After generating and copying the keys, log into your server from the local machine using the following command:

ssh <username>@<host>

Note: If you do not specify a username, SSH uses the currently logged in user.

The command brings up a prompt for entering the private key password:

Prompt for unlocking private key

Lastly, enter the password to unlock the key:

Logging in via ssh with public key authentication

Once verified, the command logs you into the server via SSH.

Why should you use Public Key Authentication with SSH?

Public key authentication is a safer and recommended way to connect with SSH instead of a regular password login.

Some benefits are:

  • The SSH key pair is harder to hack. Since most SSH keys are at least 1024 bits long, which is equivalent to a password with 12 characters, the connection is secure. To improve security even further, increase the number of bits when generating the keys.
  • The contents of the keys are generated using a computer algorithm, making them harder to predict.
  • Only the machine where the private key resides has access.
  • Public key authentication never shows the contents of the private key to the server. In case of server compromise, the local machine stays safe.
  • An added password to the private key adds multi-factor authentication.

Conclusion

At the end of this tutorial, you should have set up public key authentication for SSH. Whether you're accessing a remote server via SSH or using SFTP to transfer files between two locations, the key pair provides additional security.

For further details about SSH, read about the 5 Linux SSH Security Best Practices to Secure Your Systems.

Was this article helpful?
YesNo
Milica Dancuk
Milica Dancuk is a technical writer at phoenixNAP who is passionate about programming. Her background in Electrical Engineering and Computing combined with her teaching experience give her the ability to easily explain complex technical concepts through her content.
Next you should read
How to Fix the SSH "Connection Refused" Error
November 12, 2020

Fix SSH connection refused by troubleshooting some of the common causes for this problem. Take a look of all the reasons for connection refused error and how to fix the problem.
Read more
How to Fix SSH Failed Permission Denied (publickey,gssapi-keyex,gssapi-with-mic)
February 4, 2021

The Permission Denied (publickey,gssapi-keyex,gssapi-with-mic) error appears...
Read more
How to Use SSH Port Forwarding
May 18, 2020

This article demonstrates 3 distinct methods used to port forward SSH connections. It examines the syntax of the individual commands and teaches you everything you need to know to implement SSH port...
Read more
How to SSH into a Running Docker Container and Run Commands
October 24, 2019

This knowledge base article explains how to SSH into a running Docker container. Docker exec and docker attach commands are the preferred methods...
Read more