SSH can handle authentication using a traditional username and password combination or by using a public and private key pair. The SSH key pair establishes trust between the client and server, thereby removing the need for a password during authentication. While not required, the SSH private key can be encrypted with a passphrase for added security.
- Local terminal shell with OpenSSH
- Remote server accessible over OpenSSH
Create Private and Public Keys
First confirm that a key pair does not already exist.
ls -l ~/.ssh/
If either of the filename pairs below is present, an RSA or DSA key pair already exists and you can move on to the next step of copying the public key to the remote server.
- id_dsa / id_dsa.pub
- id_rsa / id_rsa.pub
Note: This tutorial describes creating an RSA key pair. If a DSA key pair is already present, an RSA key pair can safely be created alongside the existing DSA key pair.
The RSA key pair can now be created. The bit length will default to 2048 bits, which is considered sufficient. A larger key length can be defined with the -b size parameter if desired.
ssh-keygen -t rsa
You will be prompted for a passphrase, which is optional. A passphrase protects the private key should it ever be compromised. If no passphrase is needed, simply leave the field blank. There should now be two files in the ~/.ssh directory:
- id_rsa - Private RSA key
- id_rsa.pub - Public RSA key
Copy the Public Key to the Server
The public key is now ready to be copied to the remote server. The ssh-copy-id command can be used to automatically copy the public key to the remote server.
This will usually complete the process. The content of id_rsa.pub is simply appended to the ~/.ssh/authorized_keys file on the remote server. Here is an example of copying the public key to the remote server manually if necessary.
cat ~/.ssh/id_rsa.pub | ssh email@example.com "cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
An error message showing "No such file or directory" may appear if the destination .ssh directory does not already exist. In this case, the directory will need to be created first.
ssh firstname.lastname@example.org "mkdir -p ~/.ssh && chmod 700 ~/.ssh"
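The two steps above (reuse an existing key pair or generate one, then install the public key on the server) as one POSIX shell script. This is an added example, not code from the original tutorial; the function names find_existing_key, ensure_key and install_pubkey are assumptions, and the target address user@example.com in the usage comment is a constructed placeholder. It falls back to the manual cat-over-ssh method from the tutorial when ssh-copy-id is not installed.

```shell
#!/bin/sh
# find_existing_key DIR: print the basename of the first key pair found
# (both private and public halves must exist), return 1 if none.
find_existing_key() {
  dir="$1"
  for name in id_rsa id_dsa; do
    if [ -f "$dir/$name" ] && [ -f "$dir/$name.pub" ]; then
      echo "$name"
      return 0
    fi
  done
  return 1
}

# ensure_key DIR: keep an existing pair, otherwise create an RSA pair.
# ssh-keygen prompts for the optional passphrase interactively.
ensure_key() {
  dir="$1"
  mkdir -p "$dir" && chmod 700 "$dir"
  if key=$(find_existing_key "$dir"); then
    echo "using existing key pair: $dir/$key"
  else
    # 2048 bits is the default; -b is given explicitly for clarity
    ssh-keygen -t rsa -b 2048 -f "$dir/id_rsa"
  fi
}

# install_pubkey PUBKEY USER@HOST: append the public key to the remote
# authorized_keys, creating ~/.ssh with the permissions sshd requires.
install_pubkey() {
  pub="$1"
  target="$2"
  if command -v ssh-copy-id >/dev/null 2>&1; then
    ssh-copy-id -i "$pub" "$target"
  else
    # manual method: the public key is fed to the remote cat on stdin
    ssh "$target" "mkdir -p ~/.ssh && chmod 700 ~/.ssh && \
      cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" < "$pub"
  fi
}

# Usage (constructed placeholder host, not run here):
#   ensure_key "$HOME/.ssh" && install_pubkey "$HOME/.ssh/id_rsa.pub" user@example.com
```

find_existing_key deliberately requires both halves of a pair: a lone id_rsa without id_rsa.pub is not usable for this procedure, so the script generates a fresh pair rather than assuming one exists.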
Note: Neither the .ssh directory nor the authorized_keys file may be group-writable; if either is, SSH key authentication will fail.
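A small audit for the permission rule in the note above, as an added example that is not part of the original tutorial. The function name check_ssh_perms is an assumption, and the script reads the mode string from ls -ld so it works on both GNU and BSD userlands. It reports any group- or other-writable bit on the .ssh directory or the authorized_keys file, which is the condition sshd (with its default StrictModes setting) rejects.

```shell
#!/bin/sh
# check_ssh_perms DIR: return 0 if DIR and DIR/authorized_keys are
# neither group- nor other-writable, 1 if any offending bit is set,
# 2 if DIR does not exist.
check_ssh_perms() {
  ssh_dir="$1"
  status=0
  [ -d "$ssh_dir" ] || { echo "missing directory: $ssh_dir" >&2; return 2; }
  for path in "$ssh_dir" "$ssh_dir/authorized_keys"; do
    [ -e "$path" ] || continue
    # first ten characters of ls -ld, e.g. "drwx------" or "-rw-rw----"
    mode=$(ls -ld "$path" | cut -c1-10)
    group_w=$(printf '%s' "$mode" | cut -c6)   # group write bit
    other_w=$(printf '%s' "$mode" | cut -c9)   # other write bit
    if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
      echo "group/other writable ($mode): $path" >&2
      status=1
    fi
  done
  return "$status"
}

# Usage: check_ssh_perms "$HOME/.ssh" && echo "permissions OK"
```

Run it on the remote account when key authentication silently falls back to a password prompt; a non-zero return tells you which path to fix with chmod 700 (directory) or chmod 600 (file) before looking further in the server log.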
SSH should now use the private and public key pair for authentication. If there are any problems, the /var/log/secure log file on the remote server should provide some insight. However, this file is likely only viewable by an administrative user.