Configuring Key-Based SSH Authentication

Posted on 12/30/2015 by Brian Carey

In this post I will show you how to configure key-based SSH authentication between a client and server system running Linux.  While this may seem pretty simple to day-to-day Unix admins, I'm often surprised when I hear someone I would think knows this ask "Can you configure the keys for me?".  In this example I will be configuring the user brian to connect from a system named client to a system named server.  However, in the real world you can use this key to authenticate to any number of servers.

Generating a new key

Assuming you do not already have a valid private/public key pair, you can easily generate one on the client system as follows.  Note that some distros will probably already have done this for you, so check first.

  1. Connect to the client system via ssh as the user you want to configure the authentication for.
  2. Check to see if you already have an existing key pair, for example:

     [brian@client ~]$ ls -l ~/.ssh
     ls: cannot access /home/brian/.ssh: No such file or directory

     As you can see we don't even have the ~/.ssh directory, so we don't have keys. Or you may have the directory without the keys shown in the next step.
  3. Assuming you do not have keys that you already wish to use, use the ssh-keygen utility to generate your key pair as follows. You will be prompted to enter a passphrase. While this can sometimes be a good idea based on the use case, if you intend to ever use this key for automation (say with Ansible), do not enter a passphrase.

     [brian@client ~]$ ssh-keygen -t rsa
     Generating public/private rsa key pair.
     Enter file in which to save the key (/home/brian/.ssh/id_rsa):
     Created directory '/home/brian/.ssh'.
     Enter passphrase (empty for no passphrase):
     Enter same passphrase again:
     Your identification has been saved in /home/brian/.ssh/id_rsa.
     Your public key has been saved in /home/brian/.ssh/id_rsa.pub.
     The key fingerprint is:
     c6:a7:d8:47:77:56:36:36:82:9f:cd:13:14:49:b8:03 brian@ip-172-31-3-252
     The key's randomart image is:
     +--[ RSA 2048]----+
     |              o+o|
     |           E.... |
     |           ....=o|
     |       .    .o*o+|
     |        S o .o++ |
     |       + + . o  .|
     |      . o .      |
     |         .       |
     |                 |
     +-----------------+

  4. Now, a quick check of the ~/.ssh directory shows that we have keys. The file id_rsa contains your private key and should be kept secure; the file id_rsa.pub contains the public key you will need to configure on the server.

     [brian@client ~]$ ls -l ~/.ssh
     total 8
     -rw-------. 1 brian brian 1675 Dec 30 17:06 id_rsa
     -rw-r--r--. 1 brian brian  403 Dec 30 17:06 id_rsa.pub

  5. Retrieve your public key to use for server configuration:

     [brian@client ~]$ cat ~/.ssh/id_rsa.pub
     ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouz/Oyq/Xi2HAW8I4MQIHYqiIW57YZyv3UYY/CShIIhw0JkS1QyZPJElBnbiKccEM1tScrY2CrjNLI459cxXWtbgb/sfuB4qrAa8y3/lGKT9rc7zVgeyg9XPP9dFkNwlqTnjmGY7U+9zLxgZK2/D54EwDqQ3lf7TrSV+U772n634FmzC9E/gjv4lAqBGjj+dLusolpekjl3izDpu18mOE4cvQfFSZtAGgoVKoURt0cYhCuMKYrciXRTUM5HoxK5OT1l0CbC7EH4dfWIps2foGJEDCl99A3BxwuQ1a68ier8OPmdjHgepKzciCpRTpPKoOW7dZilBwi2LLgBmoeTCiw== brian@client


Configuring the Server

  1. Connect to the server system via ssh as the user you want to configure the authentication for.
  2. Ensure that the ~/.ssh directory exists and has the proper permissions:

     [brian@server ~]$ mkdir -p ~/.ssh
     [brian@server ~]$ chmod 700 ~/.ssh

  3. Using your favorite text editor, add your public key to the authorized_keys file and set the proper permissions. In this case I use vi to edit the authorized_keys file and add the key from the last step in the previous section to it.

     [brian@server ~]$ vi ~/.ssh/authorized_keys
     [brian@server ~]$ chmod 600 ~/.ssh/authorized_keys

  4. Test the connection from client to server. Success!

     [brian@client ~]$ ssh server
     The authenticity of host 'server' can't be established.
     RSA key fingerprint is 78:de:1a:c5:96:d1:79:4b:6f:db:36:aa:b9:e0:53:c7.
     Are you sure you want to continue connecting (yes/no)? yes
     Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
     [brian@server ~]$
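The server-side steps above (create ~/.ssh with mode 700, add the public key to authorized_keys, set mode 600) as an added shell example that is not part of the original post. It makes the procedure repeatable, so running it twice does not add the key twice, and checks that what is being written is a public-key line rather than private-key material pasted by mistake; the key string and the temporary directory it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the "Configuring the Server" steps
# as an idempotent function. Running it twice does not append the key twice,
# permissions are set as in the post (700 on ~/.ssh, 600 on authorized_keys),
# and the key line is checked before it is written. The key below is a
# constructed placeholder, not a real key.

CONSTRUCTED_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDPLACEHOLDERNOTAREALKEY brian@client'
nl=$(printf '\nx'); nl=${nl%x}   # a literal newline for the checks below

# Return 0 if $1 is one OpenSSH public-key line: a known key type, a base64 body
# and an optional comment. Rejects multi-line input and private-key material.
# ssh-dss is left out on purpose (disabled by default in current OpenSSH).
is_pubkey_line() {
    case "$1" in *"PRIVATE KEY"*|*"$nl"*) return 1 ;; esac
    case "$1" in *" "*) ;; *) return 1 ;; esac
    kt=${1%% *}; rest=${1#* }; body=${rest%% *}
    case "$kt" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    case "$body" in ""|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    return 0
}

# Install key line $1 into $2/authorized_keys ($2 defaults to ~/.ssh).
install_authorized_key() {
    key=$1; dir=${2:-"$HOME/.ssh"}; ak="$dir/authorized_keys"
    is_pubkey_line "$key" || { echo "refusing: not a public-key line" >&2; return 2; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -e "$ak" ] || : > "$ak"
    chmod 600 "$ak" || return 1
    if grep -qxF -- "$key" "$ak"; then
        echo "key already present in $ak"
    else
        printf '%s\n' "$key" >> "$ak"
        echo "key added to $ak"
    fi
}

# How many times key $1 appears in file $2 (exact whole-line match).
key_count() { grep -cxF -- "$1" "$2"; }

# Demo against a temporary directory rather than the real ~/.ssh.
demo_dir=$(mktemp -d)
install_authorized_key "$CONSTRUCTED_KEY" "$demo_dir"
install_authorized_key "$CONSTRUCTED_KEY" "$demo_dir"   # no-op the second time
echo "occurrences: $(key_count "$CONSTRUCTED_KEY" "$demo_dir/authorized_keys")"  # 1
rm -rf "$demo_dir"
```

To use it for real, call install_authorized_key with the id_rsa.pub line from the client and no second argument, so it writes to the current user's ~/.ssh.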