How to set up SSH key authentication in Linux for more secure logins

Secure Shell (SSH) is the de facto standard for accessing remote Linux machines. SSH long ago replaced telnet to add a much-needed layer of security for remote logins.

However, that doesn’t mean that the default SSH configuration is the best option for those who are a little more concerned about the security of their systems. By default, SSH works with traditional user and password logins. And while these logins are far more secure than Telnet, you’re still typing a password and sending it over the Internet.

Should someone intercept this password, they could access your machines (as long as they also knew your username).

There’s a much better way: SSH key authentication. With key authentication, you bypass username and password authentication and replace them with a key pair. Why is that important? The main security benefit is that the only way to access these servers (when properly configured for SSH key authentication) is to have the matching key pair.

This is how it works:

  1. You generate an SSH key.

  2. You upload the public key to a remote server.

  3. You configure SSH to only allow key authentication.

  4. You log in from a desktop that contains the private key that matches the public key on the server.

Once configured correctly, you will only be able to access the server remotely if you have the appropriate private key. Without this key you will not get access. As long as you keep this private key secret, everything is fine.

But how do you do that? Let me show you.

Requirements

To set up SSH key authentication, you need at least two Linux computers: one to log in from and one to log into. I’m demonstrating using Pop!_OS as the desktop and Ubuntu Server as the remote server. However, this should work the same on almost any Linux distribution. You also need a user with sudo privileges. You should also make sure you have the same username on the local and remote computers.

That’s it. Let’s do some SSH magic.

How to set up SSH key authentication in Linux for more secure logins

Open a terminal window on your desktop operating system.

In the terminal window, generate your SSH key pair with the following command:

ssh-keygen

You will first be asked where you want to save the key. I suggest saving it to the default location, so just press Enter when prompted. You will then be prompted to enter and confirm a password for the key pair (ssh-keygen calls it a passphrase). Make sure this password is strong and unique. Do not go with a blank password, as it is not secure.

This is where it gets a little tricky. You need to send the public key to the remote server. To do this, you need to know the IP address of the server. You can get the IP address of the server by logging in and running the command ip a. You should see the IP address listed. With this information, go back to the desktop and send the public key to the server with the following command:

ssh-copy-id SERVER

Where SERVER is the IP address of the remote server.

You will be prompted for the password for your user on the remote server. Once you have successfully authenticated, the public key will be copied and the SSH key authentication is ready. When you try to log in to the remote server, you will now be asked for your SSH key password and not your user password.

How to configure the remote server for SSH key authentication

After copying your key, log in to the remote computer. What we are going to do now is configure the SSH server to only allow connections that use SSH key authentication. One thing to note before doing this is that, once configured, access will only be granted to people with SSH key authentication set up on the machine. Because of this, you should make sure you’ve copied SSH keys from every desktop computer you use to log into the remote server.

With that done, open the SSH daemon configuration file on the remote server with the following command:

sudo nano /etc/ssh/sshd_config

In this file look for the line:

PasswordAuthentication yes

Change this line to:

PasswordAuthentication no

Save and close the file. Restart SSH with:

sudo systemctl restart sshd

Now the only way to successfully access this computer is through SSH key authentication. Any computer that does not have a matching key pair will be denied access.
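A check worth running after that edit, as an added example that is not part of the original article: sshd keeps the first value it reads for each keyword, so if your sshd_config begins with an Include of sshd_config.d/*.conf (an assumption about your server's layout), a drop-in file can set PasswordAuthentication before the line you changed. The function names and the 50-example.conf file are hypothetical and the sample files are constructed; Match blocks are ignored as a simplification.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.
# sshd keeps the FIRST value it reads for a keyword, so a drop-in pulled in
# by an earlier Include line beats a PasswordAuthentication edit further down.
SSHD_DIR=${SSHD_DIR:-/etc/ssh}    # relative Include paths resolve here

# first_value FILE: print the first global PasswordAuthentication value,
# following Include lines in order; return 0 once one is found.
first_value() {
    [ -r "$1" ] || return 1
    while read -r key arg rest; do
        case "$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')" in
            ''|'#'*) ;;                        # blank line or comment
            match) return 1 ;;                 # simplification: ignore Match blocks
            include)
                case "$arg" in /*) ;; *) arg="$SSHD_DIR/$arg" ;; esac
                for inc in $arg; do            # unquoted on purpose so the glob expands
                    first_value "$inc" && return 0
                done ;;
            passwordauthentication)
                printf '%s\n' "$arg" | tr '[:upper:]' '[:lower:]'
                return 0 ;;
        esac
    done < "$1"
    return 1
}

# effective_password_auth FILE: OpenSSH defaults to "yes" when nothing sets it.
effective_password_auth() {
    first_value "$1" || echo yes
}

# Constructed sample: the main file says "no", but a drop-in read first says "yes".
demo() (
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || exit 1
    SSHD_DIR=$d
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-example.conf"
    printf 'Include sshd_config.d/*.conf\nPasswordAuthentication no\n' > "$d/sshd_config"
    effective_password_auth "$d/sshd_config"
    rm -rf "$d"
)

demo    # prints "yes": password logins are still enabled despite the edit
```

On a real server, running sudo sshd -T and searching its output for passwordauthentication shows the global value the daemon itself computes; check it after the restart to confirm the change took effect.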

Congratulations, you’ve just added another layer of security to your Linux servers.
