Secure your SSH server with Public/Private key authentication — page 2


2. Adding the public key to the authorized keys file

In the first place, we need to upload the public key (and only the public key: id_rsa.pub, never id_rsa) to the remote machine:

user@host:~$ scp ~/.ssh/id_rsa.pub remoteuser@remotehost:~/

Now that the public key is uploaded, let's add it to the authorized keys. To do so, we connect to remotehost as remoteuser, append the key to the end of ~/.ssh/authorized_keys and delete the uploaded copy once it is added. On a fresh account ~/.ssh may not exist yet, and sshd (with its default StrictModes yes) silently ignores authorized_keys if the directory or the file is group- or world-writable, so create them and set the permissions explicitly:

$ ssh remoteuser@remotehost
remoteuser@remotehost's password:
remoteuser@remotehost:~$ mkdir -p ~/.ssh && chmod 700 ~/.ssh
remoteuser@remotehost:~$ cat id_rsa.pub >> ~/.ssh/authorized_keys
remoteuser@remotehost:~$ chmod 600 ~/.ssh/authorized_keys
remoteuser@remotehost:~$ rm id_rsa.pub
remoteuser@remotehost:~$ exit

On a client running OpenSSH, the ssh-copy-id tool does all of the above (upload, append, permissions) in one step.

Now, we need to configure the remote SSH server to accept authentication by key pair. This is usually enabled by default. If not, the next section will cover how to activate key based authentication.

3. Activating key based authentication on the server

To do so, we need to become root on the remote machine. This can be achieved either by connecting as root directly (only possible if the server still allows root logins over SSH):

$ ssh root@remotehost

or by connecting to the remote machine with a normal user:

$ ssh remoteuser@remotehost

and then becoming root, either with sudo (usually on Ubuntu boxes, where the root account has no password and the first user is in the sudo group):

remoteuser@remotehost:~$ sudo su -

or with su and the root password (usually on Debian boxes, where a root password is set during installation):

remoteuser@remotehost:~$ su -

depending on your default settings.

Now open and edit /etc/ssh/sshd_config and make sure you have the following line (uncommented, and not overridden by a later Match block for your user; if the keyword is absent entirely, OpenSSH defaults it to yes):

PubkeyAuthentication yes

Older guides also list RSAAuthentication yes. That option only ever applied to SSH protocol 1, which was removed in OpenSSH 7.4; current versions of sshd ignore it and log a deprecation warning, so there is no need to add it.

Then check the configuration for errors and reload it (a reload keeps existing sessions open, so keep this root shell alive until you have confirmed that key login works):

sshd -t && /etc/init.d/ssh reload

On systemd-based systems the equivalent reload is systemctl reload ssh (the service is called sshd on Red Hat derivatives).

Okay, now you should be able to connect to remoteuser@remotehost without supplying a password (only the passphrase of your private key, if you set one) by simply typing the following:

user@host:~$ ssh remoteuser@remotehost
remoteuser@remotehost:~$

Or, if your private key file is not the standard ~/.ssh/id_rsa, you can tell ssh where it is with the -i switch as follows:

user@host:~$ ssh -i /path/to/private/key remoteuser@remotehost
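As an added example (this is not code from the original post), the following POSIX shell script automates what sections 2 and 3 do by hand and adds the checks a practitioner wants: the key file is validated before anything is appended, the append is idempotent, ~/.ssh and authorized_keys get the modes StrictModes requires, and the sshd_config check resolves the keyword the way sshd does (case-insensitive, first occurrence wins, Match blocks excluded, absent means the default of yes). Nothing here touches a real host: both helpers take explicit paths, and the demo at the bottom runs against a temporary directory with a constructed, non-functional public key. On a real server you would call them with the uploaded id_rsa.pub, the target user's home directory and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original post.
#   install_authorized_key PUBKEY_FILE HOME_DIR
#       append one public key to HOME_DIR/.ssh/authorized_keys exactly once,
#       with the permissions sshd's StrictModes (on by default) requires
#   sshd_config_value CONFIG_FILE KEYWORD
#       print the global value of KEYWORD as sshd resolves it
#   check_pubkey_auth CONFIG_FILE
#       succeed if sshd would accept public-key authentication globally

install_authorized_key() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only a line that looks like an OpenSSH public key: a private key
    # or a random file copied by mistake must never land in authorized_keys.
    key_line=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$pubkey_file" | head -n 1)
    if [ -z "$key_line" ]; then
        echo "error: $pubkey_file does not contain an OpenSSH public key line" >&2
        return 1
    fi
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')

    # sshd ignores authorized_keys when ~/.ssh or the file is group/world
    # writable, so create both with the expected modes.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_keys" ] || : > "$auth_keys"
    chmod 600 "$auth_keys"

    # Idempotent: match on key type and key material, ignore the comment field.
    if awk -v t="$key_type" -v b="$key_blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "key already present in $auth_keys"
    else
        printf '%s\n' "$key_line" >> "$auth_keys"
        echo "key added to $auth_keys"
    fi
}

# Keywords are case-insensitive, "Key value" and "Key=value" are both valid,
# comments and blank lines are skipped, the FIRST occurrence wins (sshd ignores
# later repeats), and settings inside a Match block are conditional, so they
# are not reported as the global value. Prints nothing if the keyword is unset.
sshd_config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || $0 == "" { next }
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { in_match = 1 }
        in_match { next }
        k == key { print f[2]; exit }
    ' "$1"
}

# An absent keyword means the compiled-in default, which is "yes" in OpenSSH.
check_pubkey_auth() {
    v=$(sshd_config_value "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')
    case "$v" in
        ''|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a scratch directory with a constructed key (not real key material).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey user@host' > "$tmp/id_ed25519.pub"
    install_authorized_key "$tmp/id_ed25519.pub" "$tmp/home"   # first run: adds the key
    install_authorized_key "$tmp/id_ed25519.pub" "$tmp/home"   # second run: no-op
    printf '%s\n' '#PubkeyAuthentication yes' 'PasswordAuthentication yes' > "$tmp/sshd_config"
    check_pubkey_auth "$tmp/sshd_config" && echo "sshd_config: key authentication enabled (default)"
    rm -rf "$tmp"
}
demo
```

Run it as the target user (or as root, then chown the result to that user) on the server; the sshd_config check is worth running before the reload in section 3, together with sshd -t, because a stray PubkeyAuthentication no earlier in the file or inside a Match block is the usual reason key login still prompts for a password.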

Once you are sure that you can log into the remote host using your private key (test this from a new terminal while keeping your existing session open, so that a mistake cannot lock you out), we can safely disable username/password authentication.