Passwords on their own no longer provide much security. Even if you pick a strong password that mixes upper-case and lower-case letters, numbers, and special characters, it is still susceptible to a brute-force attack. It is human nature to reuse the same password on different remote hosts, which can put you at more risk of a brute-force attack. This means that if one account is compromised, all your other accounts sharing the same password might be compromised too.
Using SSH public key authentication to connect to a remote system is a more secure and robust method than logging in with an account password. SSH public key authentication relies on asymmetric cryptographic algorithms that generate a pair of separate keys, one private and the other public.
The private key is a secret key that is stored on the computer you use to connect to the remote system. The public key, as the name suggests, can be shared with anyone without compromising the private key, and it is stored on the remote system you will be accessing.
For SSH public key authentication, take care of the following points:
- The remote system must have a version of SSH installed. This article is based on OpenSSH and might not work with a different SSH implementation.
- The computer you use to connect to the remote server must have a version of SSH installed.
2. Public Key Authentication Using SSH on Linux or OS X
- Log in to the computer you use to access the remote system and run the command below to generate a key pair using the RSA or DSA algorithm.
```
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/kodehelp/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kodehelp/.ssh/id_dsa.
Your public key has been saved in /home/kodehelp/.ssh/id_dsa.pub.
The key fingerprint is:
f3:77:56:58:a8:bb:08:59:67:15:2c:0e:1d:d0:40:a3 [email protected]
$
```
Now you have a public/private key pair. The file id_dsa is the private key and the file id_dsa.pub is the public key. Make sure that no one else has access to the private key. Set and verify the permissions as shown below:
```
$ chmod 700 $HOME/.ssh
$ chmod 600 $HOME/.ssh/id_dsa*
$ ls -la .ssh
total 10
drwx------   2 kodehelp kodehelp  512 Apr 25 16:12 .
drwx-----x  12 kodehelp kodehelp 1024 Apr 24  2015 ..
-rw-------   1 kodehelp kodehelp 1264 Apr 25 16:12 id_dsa
-rw-------   1 kodehelp kodehelp 1123 Apr 25 16:12 id_dsa.pub
$
```
- Use SFTP or SCP to copy the public key file (e.g., ~/.ssh/id_dsa.pub) to your account on the remote system.
- Add your public key to the ~/.ssh/authorized_keys file in your account (if your account doesn't have a ~/.ssh/authorized_keys file, system administrators can create one for you). Once your public key is added to your ~/.ssh/authorized_keys file on the remote system, the setup process is complete, and you should now be able to SSH to your account from the computer that has your private key.
- You are now all set to log in using public key authentication. Instead of being asked for your password on the remote system, you will be asked for the passphrase you used to encrypt your local private key.
```
$ ssh remotehost.example.com
Enter passphrase for key '/home/kodehelp/.ssh/id_dsa':
Last login: Tue Apr 28 19:40:10 2015 from localhost.example.com
$
```
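The step that adds the public key to ~/.ssh/authorized_keys is described above without a command. The following is an added example, not part of the original article: a shell function to run on the remote system that appends the key only once and sets the permissions sshd expects. The function name install_pubkey and the sample key in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, run on the remote system after copying the .pub file there.
# install_pubkey is a hypothetical helper name, not an OpenSSH command.
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]
install_pubkey() {
    pub=$1
    ssh_dir=${2:-$HOME}/.ssh
    auth=$ssh_dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # The private key must stay on the client; refuse it if it was copied by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; copy the .pub file instead" >&2
        return 2
    fi

    # A public key is one line: "<type> <base64> [comment]".
    # ssh-dss (DSA) passes this check, but OpenSSH 7.0+ disables DSA keys by default.
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    case $key in
        ssh-*' '?* | ecdsa-*' '?*) ;;
        *) echo "$pub is not an OpenSSH public key" >&2; return 3 ;;
    esac

    # sshd's StrictModes (default yes) ignores the file if these are group/world-writable.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Idempotent: skip the append when this exact line is already authorized.
    if grep -qxF -e "$key" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi

    # Keep entries on separate lines even if the file lacks a trailing newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "key added to $auth"
}

# Demo with a constructed (fake) key in a throwaway directory.
demo=$(mktemp -d)
echo 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed demo-key' > "$demo/id_dsa.pub"
install_pubkey "$demo/id_dsa.pub" "$demo/home"
install_pubkey "$demo/id_dsa.pub" "$demo/home"   # second run changes nothing
rm -rf "$demo"
```

On the remote host the call would be `install_pubkey ~/id_dsa.pub`, after which the copied .pub file can be deleted.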