Passwords alone do not offer much security nowadays. Even if you pick the strongest password, with upper-case and lower-case letters, numbers and special characters, it is still susceptible to a brute-force attack. It is human nature to reuse the same password on different remote hosts, which puts you at greater risk of a brute-force attack: if one account is compromised, all your other accounts sharing that password might be compromised too.
Using SSH public key authentication to connect to a remote system is a more secure and robust method than logging in with an account password. SSH public key authentication relies on asymmetric cryptographic algorithms that generate a pair of separate keys, one private and the other public. The private key is the secret key, stored on the computer you use to connect to the remote system. The public key, as the name suggests, can be shared with anyone without compromising the private key; it is stored on the remote system you will be accessing.
For SSH public key authentication, take care of the following points:
- The remote system must have a version of SSH installed. This article is based on OpenSSH and might not work with a different SSH implementation.
- The computer you use to connect to the remote server must also have a version of SSH installed.
Setting Up Public Key Authentication Using SSH on a Linux or OS X Computer
- Log in to the computer you will use to access the remote system and run the command below to generate a key pair using the RSA or DSA algorithm.
    $ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/kodehelp/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/kodehelp/.ssh/id_dsa.
    Your public key has been saved in /home/kodehelp/.ssh/id_dsa.pub.
    The key fingerprint is:
    f3:77:56:58:a8:bb:08:59:67:15:2c:0e:1d:d0:40:a3 [email protected]
Now you have a public/private key pair. The file id_dsa is the private key and the file id_dsa.pub is the public key. Make sure that no one else has access to the private key. Set and verify the permissions as shown below:
    $ chmod 700 $HOME/.ssh
    $ chmod 600 $HOME/.ssh/id_dsa*
    $ ls -la .ssh
    total 10
    drwx------  2 kodehelp kodehelp  512 Apr 25 16:12 .
    drwx-----x 12 kodehelp kodehelp 1024 Apr 24  2015 ..
    -rw-------  1 kodehelp kodehelp 1264 Apr 25 16:12 id_dsa
    -rw-------  1 kodehelp kodehelp 1123 Apr 25 16:12 id_dsa.pub
- Use SFTP or SCP to copy the public key file (e.g., ~/.ssh/id_dsa.pub) to your account on the remote system.
- Add your public key to the ~/.ssh/authorized_keys file in your account (if your account doesn't have a ~/.ssh/authorized_keys file, system administrators can create one for you). Once your public key is added to your ~/.ssh/authorized_keys file on the remote system, the setup process is complete, and you should now be able to SSH to your account from the computer that has your private key.
- You are now all set to log in using public key authentication. Instead of being asked for your password on the remote system, you will be asked for the passphrase you used to encrypt your local private key.
    $ ssh remotehost.example.com
    Enter passphrase for key '/home/kodehelp/.ssh/id_dsa':
    Last login: Tue Apr 28 19:40:10 2015 from localhost.example.com
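The "add your public key to authorized_keys" step, as an added example that is not part of the original article: a shell function to run on the remote system that appends the copied public key only once, sets restrictive permissions, and refuses a file that is actually a private key. The function name install_pubkey and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article). Run on the remote system.
# Usage: install_pubkey <public-key-file> [ssh-dir]   (ssh-dir defaults to ~/.ssh)
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }

    # A private key must never leave the client; refuse it outright.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; copy the .pub file instead" >&2
        return 3
    fi

    # A .pub file holds exactly one line: "<type> <base64 blob> [comment]".
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 4; }
    key=$(grep . "$pub")
    # Loose sanity check: the base64 blob of every OpenSSH key starts with AAAA.
    # ssh-dss (DSA) lines pass too, though OpenSSH 7.0+ disables DSA by default.
    case $key in
        ssh-*\ AAAA*|ecdsa-*\ AAAA*|sk-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 4 ;;
    esac

    # Create missing files privately, then enforce 700 on the directory and 600
    # on the file; sshd (StrictModes) ignores it if group- or world-writable.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 5
    chmod 700 "$dir" && chmod 600 "$auth" || return 5

    # Append only when the exact line is absent, so re-running is harmless.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# Constructed usage: sh install_pubkey.sh ~/id_dsa.pub
if [ "$#" -gt 0 ]; then install_pubkey "$@"; fi
```
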