SSH Key Authentication
The SSH server provides many different ways for clients to authenticate. The most common way is password authentication, however this can leave you open to password brute force attacks.
Any easy way to secure your ssh server is to change to using Key-Based Authentication instead of password authentication. This requires the client to authenticate with it’s private key which has to match a public key installed on the server (key pair) to get access.
This article will explain how to create, install and authenticate with a key-pair.
The first step is to make sure you can ssh to the server from your client. We are assuming that you can connect using password authentication.
Check that key authentication is enabled in sshd_config
On the server, log in as root and change to your ssh server configuration directory:
In there is the configuration file sshd_config. You will want to check for that key authentication is enabled:
If you had to make a configuration change to sshd_config then restart the ssh service
Create ssh keypair
You will need to create a key pair for the client and then install your public key on the server. If you did not have access to this server to do it you would send your public key to the server administrator to install.
For this scenario, we assume you are the server administrator and have a current method to access the server (such as password based ssh authentication).
First decide on the encryption strength of your key which is determined by algorithm and key size.
An explanation from ssh.com:
- rsa – an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.
- dsa – an old US government Digital Signature Algorithm. It is based on the difficulty of computing discrete logarithms. A key size of 1024 would normally be used with it. DSA in its original form is no longer recommended.
- ecdsa – a new Digital Signature Algorithm standarized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 (sic!) bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.
- ed25519 – this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.
For your client user, run the following in a shell to create a keypair:
ssh-keygen -t [Algorithm] -b [key size]
Let’s create an ecsda key 512 bits in size:
ssh-keygen -t ecdsa -b 521
Follow the prompts.
With or without passphrase?
If you decide to not encrypt it with a passphrase then if someone got a copy of your private key they can use it to gain access to the server. Always encrypt your keys on vulnerable devices such as laptops.
Copy ssh public key
If you have password access to the server, you can use ssh-copy-id from the client, for example:
ssh-copy-id -i ~/.ssh/mypublickey user@server
Make sure it’s the public key you are providing. You should never share your private key.
Sending / setting up manually when client don’t have password access
You would need to work with someone who has authorised access to the server such as the administrator. Then you would share your public key via methods such as email / file sharing / download etc.
Connecting with key
When default key location
If you are using a key with a default filename then it is simply
When using a different key (ssh -i file)
When the key does not have a default name or is in another folder location you will use -i to point to your key. Note that this is your private key
ssh -i /home/user/mysshkey user@server
Verbose output for troubleshooting
Use to verbose option to help troubleshoot any issues
ssh -v -i /home/user/mysshkey user@server
Disable Password Authentication
This is optional. Once you are set up with key authentication, you may want to disable all password authentication for security.
To do this, edit your sshd_config: