Prerequisites:
- ~/.ssh exists
- access to root user
Step 1 — Creating the Key Pair
The first step is to create a key pair on the client machine (usually your computer):
ssh-keygen
By default, recent versions of ssh-keygen will create a 3072-bit RSA key pair, which is secure enough for most use cases (you may optionally pass in the -b 4096 flag to create a larger 4096-bit key).
After entering the command, you should see the following output:
When asked for a file name, enter a name of your choice and press ENTER.
Press ENTER to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path.
If you had previously generated an SSH key pair, you may see the following prompt:
If you choose to overwrite the key on disk, you will not be able to authenticate using the previous key anymore. Be very careful when selecting yes, as this is a destructive process that cannot be reversed.
You should then see the following prompt:
Here you can enter a secure passphrase, which is highly recommended. A passphrase adds a layer of security: anyone who obtains the private key file still needs the passphrase before they can log in with it.
You should then see output similar to the following:
You now have a public and private key that you can use to authenticate. The next step is to place the public key on your server so that you can use SSH-key-based authentication to log in.
Step 2 — Copying the Public Key to the Ubuntu Server
ssh-copy-id username@remote_host
Output
The authenticity of host '103.0.113.132 (103.0.113.132)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
Next, the utility will scan your local account for the bhargavTest.pub key that we created earlier. When it finds the key, it will prompt you for the password of the remote user’s account:
Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
bhargav@103.0.113.132's password:
Type in the password (your typing will not be displayed, for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your ~/.ssh/id_rsa.pub key into a file in the remote account’s home ~/.ssh directory called authorized_keys.
You should see the following output:
Output
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'bhargav@103.0.113.132'"
and check to make sure that only the key(s) you wanted were added.
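What ssh-copy-id leaves behind on the server, done by hand, as an added example that is not part of the original post. The helper name install_pubkey and the sample key are constructed for illustration; the function is meant to run on the server side against the account's home directory.

```shell
#!/bin/sh
# Added example (not from the original post): the server-side effect of
# ssh-copy-id, done by hand. install_pubkey is a hypothetical helper name.

# install_pubkey PUBKEY_FILE ACCOUNT_HOME -> prints "added" or "already installed"
install_pubkey() {
    pub=$1
    sshdir=$2/.ssh
    auth=$sshdir/authorized_keys
    key=$(head -n 1 "$pub") || return 1

    # Refuse anything that is not a one-line OpenSSH public key, e.g. the
    # private key file picked by mistake (it starts with "-----BEGIN").
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: $pub is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # sshd's default StrictModes rejects keys when these are writable by others.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present.
    if grep -qxF "$key" "$auth"; then
        echo "already installed"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "added"
    fi
}

# Constructed sample key (not a real key) installed into a throwaway home.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLYNOTAREALKEY user@client' \
    > "$demo_home/sample.pub"
install_pubkey "$demo_home/sample.pub" "$demo_home"
install_pubkey "$demo_home/sample.pub" "$demo_home"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

If the key pair was saved under a custom name rather than the default id_rsa, pass the public key's path to ssh-copy-id with its -i option so the intended key is the one installed.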
Step 3 — Authenticating Your Ubuntu Server Using SSH Keys
If you have completed one of the procedures above, you should be able to log into the remote host without providing the remote account’s password.
The basic process is the same:
ssh username@remote_host
In my case:
ssh bhargav@103.0.113.132
If this is your first time connecting to this host (if you used the last method above), you may see something like this:
Output
The authenticity of host '103.0.113.132 (103.0.113.132)' can't be established.
ECDSA key fingerprint is rd:rd:r4:g7:77:fe:73:84:e1:65:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This means that your local computer does not recognize the remote host. Type “yes” and then press ENTER to continue.
If you did not supply a passphrase for your private key, you will be logged in immediately. If you supplied a passphrase for the private key when you created the key, you will be prompted to enter it now (note that your keystrokes will not display in the terminal session for security). After authenticating, a new shell session should open for you with the configured account on the Ubuntu server.
If key-based authentication was successful, continue to learn how to further secure your system by disabling password authentication.
At this point, if you can log in to the server without a password, you have successfully configured SSH.
Step 4 — Disabling Password Authentication
Confirm that your remote account has administrative privileges, then log into your remote server with SSH keys, either as root or with an account with sudo privileges. Then open up the SSH daemon’s configuration file:
sudo nano /etc/ssh/sshd_config
Inside the file, search for a directive called PasswordAuthentication. This line may be commented out with a # at the beginning of the line. Uncomment the line by removing the #, and set the value to no. This will disable your ability to log in via SSH using account passwords:
/etc/ssh/sshd_config
PasswordAuthentication no
Save and close the file when you are finished by pressing CTRL+X, then Y to confirm saving the file, and finally ENTER to exit nano. To activate these changes, we need to restart the sshd service:
sudo systemctl restart ssh
As a precaution, open up a new terminal window and test that the SSH service is functioning correctly before closing your current session:
ssh username@remote_host
Once you have verified your SSH service is functioning properly, you can safely close all current server sessions.
The SSH daemon on your Ubuntu server now only responds to SSH-key-based authentication. Password-based logins have been disabled.
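A check that the edit in Step 4 is the value sshd actually applies, as an added example that is not part of the original post. sshd keeps the first value it obtains for a keyword, so a drop-in file pulled in by an Include line above the edited directive can leave passwords enabled. The function names, the drop-in file name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Resolves the global
# PasswordAuthentication value from sshd config files given in read order.
# sshd keeps the FIRST value it obtains for a keyword, so a drop-in included
# near the top of sshd_config beats a later edit in the main file.

# effective_password_auth FILE... -> prints "yes" or "no"
effective_password_auth() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk '
            { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, allow key=value
            NF == 0 { next }
            tolower($1) == "match" { exit }          # simplification: skip conditional blocks
            tolower($1) == "passwordauthentication" { print tolower($2); exit }
        ' "$f")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    printf 'yes\n'    # OpenSSH default when the keyword is never set
}

# Constructed sample files: a hypothetical drop-in that re-enables passwords,
# and a main file edited as in Step 4.
write_samples() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-example.conf"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
        '#PasswordAuthentication yes' 'PasswordAuthentication no' > "$1/sshd_config"
}

tmp=$(mktemp -d)
write_samples "$tmp"
# Drop-ins are read first because the Include line precedes the edited directive.
echo "with drop-in:    $(effective_password_auth "$tmp"/sshd_config.d/*.conf "$tmp/sshd_config")"
echo "main file alone: $(effective_password_auth "$tmp/sshd_config")"
rm -rf "$tmp"
```

On the server itself, sudo sshd -t validates the file before the restart, and sudo sshd -T | grep -i passwordauthentication prints the value the daemon resolved.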