Setup Public Key Authentication on Ubuntu or Debian

Introduction

In this tutorial, I will be showing you how you can setup OpenSSH to allow you to securely login via SSH Keys. This is very useful as it adds an extra level of authentication and also works as a great protection against people trying to guess your passwords!

Prerequisites

In order to follow this tutorial, you will need the following

  • Ubuntu/Debian Machine
  • OpenSSH-Server installed
  • Sudo privledges (or root access)

Generating the SSH Key

The first thing we will need to do is to run the ssh-keygen command which will automatically generate the ssh login key for us. Make sure to do this for the user you plan to login with. When you do this, you will then be prompted to answer a few questions. I will explain each of these in the below sections however you can see a screenshot of what this looks like below as well.

 ssh-keygen

Save Location

The first question you will be asking where you would like to save this file. By default, it will be in your user directory inside a directory called .ssh with the name of id_rsa. If you are happy with this, just press enter. If you plan on generating multiple keys, it will be good idea to enter the full path followed by the file name as seen below

 Enter file in which to save the key (/home/user/.ssh/id_rsa):
 /home/user/.ssh/my_key

Passphrase

The next question will be asking if you want to choose a passphrase to protect this key. If you have security in mind, you should come up with a secure passphrase for this. If not, you can just leave this blank. Beware, if you do type something in, it will not show up!

 Enter passphrase (empty for no passphrase):
 Enter same passphrase again:

File Permissions

The next step is to make sure that the keys created have the appropriate permissions. If you do not do this, it will not work. You can do this by changing to the directory you saved these in. You then need to set the directory so only owner can read, write and execute and set the files within the directory so only the owner can read and write.

cd ~/.ssh;
chmod 700 ~/.ssh;
chmod 600 ~/.ssh/*;
ls

You can also run the ls command to list everything which should output the following

id_rsa  id_rsa.pub

After this, we can now add the public key into our authorised keys file. We can do this with the following command

cat id_rsa.pub >> authorized_keys

You then need to make sure that this file has the correct permissions.

chmod 600 ~/.ssh/*;

Editing the SSH Config File

The next step is to enable this option in our SSH config file. To do this, I will be using the editor nano but feel free to use another if you prefer that one!

sudo nano /etc/ssh/sshd_config

Enable the Authorised Keys file

This will probably be a large file but you will need to keep scrolling and find the line below. When you find this, you will need to remove the # symbol. This will enable the use of the file we created earlier.

#AuthorizedKeysFile      %h/.ssh/authorized_keys

[h2]OPTIONAL - Disable password authentication[/h2]
If you would like to disable password logins then you can follow this step. The other line to look out for is where it says

#PasswordAuthentication yes

This should be replaced with

PasswordAuthentication no

Saving and restarting

When you have made the above changes, you can now save and exit. To save the file in Nano, you will need to press Ctrl + O and then Enter. To exit, you can press Ctrl + X. You can then restart the SSH Service using the following command.

sudo service ssh restart

Transferring the private key

To transfer the private key to other machines, you can either cat it and copy it to new machines or use SCP. Checkout this guide for info how to do that.

Connecting to the machine

If you need to connect to this machine over ssh using the new private key, you can use the following command

ssh user@hostname -i /location/to/private/key -p port