In this tutorial we will cover the steps needed to set up SSH key authentication on your CentOS 6.4, Debian or Ubuntu platform.

Requirements

  • CentOS 6.4, Debian or Ubuntu installed on your computer/server
  • SSH access (Command line access to the server)
  • root privileges
  • Basic skills for working in a Linux environment

The SSH service supports several authentication methods; the most popular ones are password-based authentication and key-based authentication. The second one is considered more secure because the account can be accessed only from a computer where the SSH private key is loaded. It will be very hard for someone to crack the SSH keys because they are strongly encrypted.

Generate SSH key pair

The instructions below use a normal user called user1.

Before generating the keys, make sure that a folder called .ssh exists inside the account's home folder and has permissions 700:

Once inside the folder, we can generate a new SSH key pair:

You will be prompted to specify a file name where the SSH private key will be saved and to type a passphrase for the key. You can set a specific file name or hit Enter to keep the default name id_rsa. The SSH public key will be saved with the same file name as the private key file, but with a .pub extension. You can set a passphrase for the key, which will be requested later, or just hit Enter and leave the field empty.

Authorize the SSH public key

Once the key pair is created, we can authorize its use by adding the SSH public key to a file called authorized_keys located inside the .ssh/ folder:

Configure the sshd service

We will assume that SSH password authentication is enabled and that we want to switch to key-based authentication. To do that, we need to edit the SSH configuration file as root:

With the above options we disable SSH password authentication and enable key-based authentication. Here is a short explanation of the options:

  • Port - the port used by the sshd service
  • Protocol - specifies the protocol versions sshd supports. The possible values are 1 and 2
  • SyslogFacility - gives the facility code that is used when logging messages from sshd
  • PermitRootLogin - specifies whether root can login using SSH
  • PubkeyAuthentication - specifies whether public key authentication is allowed
  • AuthorizedKeysFile - specifies the file that contains the public keys that can be used for user authentication
  • PasswordAuthentication - specifies whether password authentication is allowed
  • ChallengeResponseAuthentication - specifies whether challenge response authentication is allowed.
  • GSSAPIAuthentication - specifies whether user authentication based on GSSAPI is allowed
  • GSSAPICleanupCredentials - specifies whether to automatically destroy the user's credentials cache on logout
  • UsePAM - enables the Pluggable Authentication Module interface
  • AcceptEnv - specifies what environment variables sent by the client will be copied into the session's environment.
  • X11Forwarding yes - specifies whether sshd should bind the X11 forwarding server to the loopback address or to the wildcard address.

When ready, save the configuration file and restart the sshd service:

If PasswordAuthentication is set to no, you should consider generating an SSH key pair for the root user as well; otherwise you won't be able to access the server as root, because SSH password authentication will no longer be available.
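
One way to check the result of the steps above before restarting sshd, so that a mistake does not lock you out. This is an added example, not part of the original tutorial: the function names are hypothetical, the files it runs on are constructed samples, and GNU stat is assumed.

```shell
# Added example: checks to run before restarting sshd with passwords disabled.

# Print the effective value of KEYWORD in a sshd_config FILE. sshd keeps the
# first value it reads for a keyword; keywords are case-insensitive. Settings
# inside Match blocks are conditional, so they are ignored here.
sshd_option() {  # usage: sshd_option FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Succeed only if FILE allows key login and turns off password-style logins.
key_only_config() {
    rc=0
    [ "$(sshd_option "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication is not yes"; rc=1; }
    for opt in PasswordAuthentication ChallengeResponseAuthentication; do
        [ "$(sshd_option "$1" "$opt" yes)" = no ] ||
            { echo "$opt is not no"; rc=1; }
    done
    return $rc
}

# Succeed only if HOME_DIR/.ssh is mode 700 and authorized_keys exists, is not
# writable by group or others, and holds at least one public key.
key_files_ok() {
    d="$1/.ssh"; f="$d/authorized_keys"
    [ -d "$d" ] && [ "$(stat -c %a "$d")" = 700 ] ||
        { echo "$d missing or not mode 700"; return 1; }
    [ -f "$f" ] || { echo "$f missing"; return 1; }
    case "$(stat -c %a "$f")" in
        [0-7][0145][0145]) ;;   # no write bit for group or others
        *) echo "$f is writable by group or others"; return 1 ;;
    esac
    grep -Eq '(^| )(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^ ]+) AAAA' "$f" ||
        { echo "$f holds no public key"; return 1; }
}

# Demo on constructed files (not a real server's configuration or key).
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB user1@constructed' > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$demo/sshd_config"
key_files_ok "$demo" && key_only_config "$demo/sshd_config" && echo "safe to restart sshd"
rm -rf "$demo"
```

On a real server, pass the account's home folder and the sshd configuration file to these functions, and also run sshd -t as root to validate the file's syntax. Keep your current SSH session open until a key-based login from a second terminal succeeds.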

Test the configuration

Load the SSH private key on your local computer:

You will be prompted to enter the passphrase for the private key.

After that, you can try to access user1's account with:

where X.X.X.X is the server's IP address. An easy way to find your server's IP address is to execute the following command:

Alternatively, you can save the private key to a file with a different name (for example ssh_private_key.txt) and load it when using the SSH command: