This guide provides an overview of different SSH authentication methods, with a particular focus on SSH key-based authentication. Additionally, this guide will walk you through the steps on how to configure SSH key-based authentication in Linux and Unix-like operating systems.
This Step-By-Step guide covers the following topics:
- Types of SSH Authentication methods,
- Overview of SSH Key-based authentication method,
- Advantages of Key-based authentication method,
- Generating a key pair,
- Copy the public key to the SSH server,
- Disable password-based authentication,
- Test SSH password authentication,
- And finally add new clients to SSH server.
Table of Contents
Types of SSH Authentication Methods
Secure Shell, shortly SSH, is the cryptographic network protocol that allows you to securely communicate/access a remote system over unsecured network, for example Internet.
Whenever you send a data over an unsecured network using SSH, the data will be automatically encrypted in the source system, and decrypted in the destination side.
SSH provides four authentication methods namely password-based authentication,key-based authentication, Host-based authentication, and Keyboard authentication.
The most commonly used authentication methods are password-based and key-based authentication methods.
In password-based authentication, all you need is the password of the remote system's user. If you know the password of remote user, you can access the respective system using "ssh user@remote-system-ip" command.
On the other hand, in key-based authentication, you need to generate SSH key pairs and upload the SSH public key to the remote system in order to communicate it via SSH.
Each SSH key pair consists of a private key and public key. The private key should be kept within the client system, and the public key should be uploaded to the remote systems. You should not disclose the private key to anyone.
What is SSH Key-based Authentication?
SSH key-based authentication is a method of authenticating a user to an SSH server using a pair of cryptographic keys. The keys are generated using a key-pair generator, such as the ssh-keygen command. The private key is kept secret by the user, while the public key is shared with the SSH server.
When the user attempts to connect to the SSH server, the server will first check the user's public key against a list of authorized keys. If the public key is found, the server will then challenge the user to provide the corresponding private key. If the user can successfully provide the private key, they will be authenticated and granted access to the SSH server.
SSH key-based authentication is considered to be more secure than password-based authentication because it does not rely on passwords, which can be easily guessed or stolen. Additionally, SSH key-based authentication can be used to automate logins, which can be useful for tasks such as running scripts or transferring files.
Key-based authentication is the most secure type of SSH authentication. However, it can be more difficult to set up and use than password-based or keyboard-interactive authentication.
Here are the steps on how to set up SSH key-based authentication:
- Generate a key pair on your computer using the ssh-keygen command.
- Copy the public key to the SSH server's authorized_keys file.
- Disable password-based authentication on the SSH server.
- Once you have set up SSH key-based authentication, you can connect to the SSH server without having to enter a password.
Advantages of Key-based Authentication
Here are some advantages of SSH key-based authentication:
- Enhanced Security: SSH key-based authentication is significantly more secure than password-based authentication. It is resistant to brute-force attacks and is highly unlikely to be guessed or cracked.
- Protection Against Password Theft: Since there are no passwords involved, there's no risk of someone intercepting and stealing your password during the authentication process.
- Key Pairs for User and Server: SSH key pairs consist of a public key and a private key. The public key is placed on the server, and the private key is kept on the client machine. This separation adds an extra layer of security, as the private key never leaves your device.
- Convenience: Once set up, SSH key-based authentication allows you to log in without having to remember or type passwords. It's especially useful for frequent logins or automation tasks.
- Automation and Scripting: SSH key-based authentication is widely used in automation and scripting, as it allows processes to securely connect to remote servers without manual password input.
- Multi-Factor Authentication (MFA) Support: SSH key-based authentication can be used in conjunction with MFA, providing an additional layer of security by requiring a second authentication factor (e.g., a passphrase or a hardware token) in addition to the key.
- Revocation and Key Management: If a private key is compromised or needs to be revoked for any reason, you can simply remove the corresponding public key from the authorized keys list on the server. This immediate control over access is advantageous.
- Auditing and Accountability: SSH key-based authentication provides a clear audit trail of who accessed a server, as each user's access is tied to their unique key. This can be beneficial for compliance and security monitoring.
- Compatibility: SSH key-based authentication is widely supported across different operating systems and SSH clients, making it a versatile and cross-platform solution.
- Reduced Password Fatigue: Users don't have to remember or manage complex passwords for multiple servers, reducing the risk of using weak or reused passwords.
- Longer Key Lengths: SSH key pairs use longer cryptographic keys compared to typical passwords, making them more resilient to attacks.
In summary, SSH key-based authentication offers a combination of strong security and convenience, making it a preferred choice for securing remote access to servers and systems.
Hope you got the basic idea about SSH and its authentication methods. Now let us move on to see how to configure SSH key-based authentication in Linux step by step.
Configure SSH Key-based Authentication in Linux
For the purpose of this guide, I will be using two Debian Linux systems. Debian 11 with IP address 192.168.1.101 is the local system and Debian 12 server with IP address 192.168.1.20 acts as remote system i.e. ssh server.
Local system details:
- OS : Debian 11 Cinnamon Desktop
- IP address : 192.168.1.101 /24
Remote system (SSH Server) details:
- OS : Debian 12 Server
- IP address : 192.168.1.20/24
Step 1: Generate SSH Key Pair in Local System
As stated already, in SSH key-based authentication method, the public key should be uploaded to the remote system that you want to access via SSH. The public keys will usually be stored in a file called ~/.ssh/authorized_keysin the remote SSH systems.
Important note: Do not generate key pairs as root, as only root would be able to use those keys. Create key pairs as normal user.
Now, let us create the SSH key pair in the local system. To do so, run the following command in your local client system.
$ ssh-keygen
The above command will create a 3072 bit RSA key pair. Enter the passphrase twice. More importantly, remember your passphrase. You'll need it later.
Sample output:
Generating public/private rsa key pair. Enter file in which to save the key (/home/ostechnix/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/ostechnix/.ssh/id_rsa Your public key has been saved in /home/ostechnix/.ssh/id_rsa.pub The key fingerprint is: SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ostechnix@pvedebian The key's randomart image is: +---[RSA 3072]----+ | Bo..o..o.o | |* =.o.o o . | |.+ + o+.. | |..o =.E+ | |oX + .. S | |O * o | |++ = | |.oX | |*=o+ | +----[SHA256]-----+
In case you have already created the key pair, you will see the following message. Just type "y" to overwrite the existing key .
/home/username/.ssh/id_rsa already exists. Overwrite (y/n)?<strong>y</strong>
Note:
Please be mindful that providing passphrase is optional. If you give one, you'll be asked to enter the password every time when you try to SSH into a remote system unless you are using any SSH agent to store the password.
If you don't want passphrase (not safe though), simply press ENTER key twice when you are prompted to provide the passphrase. However, I recommend you to use a passphrase.
Using a password-less ssh key is generally not a good idea from a security point of view. They should be limited to very specific cases such as services having to access a remote system without the user intervention (e.g. remote backups with rsync, unison, …).
If you already have a ssh key without a passphrase in private file ~/.ssh/id_rsa and wanted to update key with passphrase, use the following command:
$ ssh-keygen -p -f ~/.ssh/id_rsa
Sample output:
Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase.
Step 2: Copy SSH Public Key to SSH Server (Remote System)
We have created the key pair in the local system. Next, copy the SSH public key to your remote SSH server using command:
$ ssh-copy-id ostechnix@192.168.1.20
Here, I will be copying the local (Debian 11 Desktop) system's public key to the remote system (Debian 12 Server in my case).
Technically speaking, the above command will copy the contents of local system's ~/.ssh/id_rsa.pub key into remote system's ~/.ssh/authorized_keys file. Clear? Good.
Type yes to continue connecting to your remote SSH server and then enter the sudo (or root user's) password of the remote system.
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys ostechnix@192.168.1.20's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'ostechnix@192.168.1.20'" and check to make sure that only the key(s) you wanted were added.
If you have already copied the key, but want to update the key with new passphrase, use -f option to overwrite the existing key like below.
$ ssh-copy-id -f ostechnix@192.168.1.20
We have successfully added the local system's SSH public key to the remote system.
We can now completely disable the password-based authentication in the remote system. Because, we already configured key-based authentication, so we don't need password-base authentication anymore.
Step 3: Disable SSH Password-based Authentication in Remote SSH Server
You need to perform the following commands as root or sudo user.
To disable password-based authentication, go to your remote system's console andedit /etc/ssh/sshd_config configuration file using any editor:
$ sudo nano /etc/ssh/sshd_config
Find the following line. Uncomment it and set it's value as no.
PasswordAuthentication no
Restart sshd service to take effect the changes.
$ sudo systemctl restart sshd
Step 4: Test SSH Key-based Authentication
To verify if you've correctly configured the key-based authentication, you need to access the remote system from the local system via SSH.
Go to your local system and SSH into your remote server using command:
$ ssh ostechnix@192.168.1.20
You will be prompted to enter the passphrase to login to the remote ssh system. Type the password for the key and hit ENTER key.
If you try to access the remote system from a CLI-only system, you will see the following output:
<strong>Enter passphrase for key '/home/sk/.ssh/id_rsa':</strong> Last login: Thu Sep 7 14:12:11 2023 from 192.168.1.101 ostechnix@debian12:~$
As you noticed, we have logged-in to the remote system's account using passphrase which we created earlier using ssh-keygen command, not using the remote user account's actual password.
If you try to ssh from another client system, you will get this error message. Say for example, I tried to SSH into my Debian 12 server from one of a Ubuntu system using command:
$ ssh sk@192.168.1.20
Sample output:
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established. ECDSA key fingerprint is 67:fc:69:b7:d4:4d:fd:6e:38:44:a8:2f:08:ed:f4:21. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.20' (ECDSA) to the list of known hosts. <strong>Permission denied (publickey)</strong>.
As you see in the above output, I can not SSH into my remote SSH server from other systems.
Step 5: Adding New Client System's Keys to SSH Server
This is very important. Like I said already, you can't access the remote system via SSH, except the one you configured (in our case, it's Debian 11 Desktop).
I want to give permissions to more clients to access the remote SSH server. What should I do? Simple. You need to generate the SSH key pair in all your client systems and copy the ssh public key manually to the remote server that you want to access via SSH.
To create SSH key pair on your client systems, run:
$ ssh-keygen
Enter the passphrase twice. After the key pair is generated, copy the public ssh key (not private key) to your remote server manually.
Display the pub key using command:
$ cat ~/.ssh/id_rsa.pub
You should see an output something like below.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt3a9tIeK5rPx9p74/KjEVXa6/OODyRp0QLS/sLp8W6iTxFL+UgALZlupVNgFjvRR5luJ9dLHWwc+d4umavAWz708e6Na9ftEPQtC28rTFsHwmyLKvLkzcGkC5+A0NdbiDZLaK3K3wgq1jzYYKT5k+IaNS6vtrx5LDObcPNPEBDt4vTixQ7GZHrDUUk5586IKeFfwMCWguHveTN7ykmo2EyL2rV7TmYq+eY2ZqqcsoK0fzXMK7iifGXVmuqTkAmZLGZK8a3bPb6VZd7KFum3Ezbu4BXZGp7FVhnOMgau2kYeOH/ItKPzpCAn+dg3NAAziCCxnII9b4nSSGz3mMY4Y7 ostechnix@pvedebian
Copy the entire contents (via USB drive or any medium) and go to your remote server's console. Create a directory called ssh in the home directory as shown below.
$ mkdir -p ~/.ssh
Next, append the your client system's pub key that you generated in the previous step in a file called "~/.ssh/authorized_keys":
$ echo {Your_public_key_contents_here} >> ~/.ssh/authorized_keys
Restart ssh service on the remote system. Now, you'll be able to SSH to your server from the new client.
If manually adding ssh pubkey seems difficult, enable password-based authentication temporarily in the remote system and copy the key using "ssh-copy-id" command from your local system and finally disable the password-based authentication.
Frequently Asked Questions
Here is a list of most commonly asked questions and their answers (FAQ) about SSH Key-based authentication.
Q: What is SSH key-based authentication?A: SSH key-based authentication is a secure method for logging into remote systems or servers over a network. Instead of using a password, it relies on a pair of cryptographic keys – a public key and a private key – to verify your identity.
Q: How does SSH key-based authentication work?A: SSH key-based authentication works by generating a unique pair of keys. The public key is placed on the remote server, while the private key remains securely stored on your local machine. When you connect to the server, it checks whether your private key matches the public key stored on the server. If they match, you gain access without needing a password.
Q: What are the advantages of SSH key-based authentication?A: Here is a list of important features.- Enhanced Security: SSH keys are significantly harder to crack than passwords, making it a more secure authentication method.- Convenience: Once set up, you can log in without entering a password every time.- Automation: SSH keys are commonly used for automated processes, like server-to-server communication or script execution, without user intervention.- Reduced Password Exposure: Since you don't enter passwords, there's no risk of password interception during login.
Q: How do I create SSH keys?A: You can generate SSH keys using the ssh-keygen command on your local machine. It will create a pair of keys – one public and one private. You'll usually find them in your user's .ssh directory.
Q: Can I use the same SSH key pair on multiple servers?A: Yes, you can use the same SSH key pair to access multiple servers. However, it's considered more secure to have a unique key pair for each server.
Q: How do I configure SSH key-based authentication on a remote server?A: You typically append your public key to the ~/.ssh/authorized_keys file on the remote server. This allows the server to recognize your public key when you attempt to connect with your private key.
Q: What happens if I lose my private key?A: If you lose your private key, you won't be able to use it for authentication. You can generate a new key pair and update your authorized keys on the servers you need to access.
Q: Is SSH key-based authentication compatible with all operating systems and SSH clients?A: Yes, SSH key-based authentication is widely supported and can be used with various operating systems (Linux, macOS, Windows with tools like PuTTY) and SSH clients.
Q: Can SSH keys be password-protected?A: Yes, you can add an additional layer of security by password-protecting your private key. This requires entering a password each time you use the private key.
Q: Is SSH key-based authentication suitable for all use cases?A: While SSH key-based authentication is highly secure and convenient, it may not be suitable for all use cases. For example, it might be less practical for scenarios involving a large number of users or temporary access.
Related Read:
- How To Setup Multi-Factor Authentication For SSH In Linux
- Find If A User Is Using Password-based Or Key-based SSH Authentication
- How To Prevent SSH Brute Force Attacks Using Fail2ban In Linux
- SSLH – Share A Same Port For HTTPS And SSH
- ScanSSH – Fast SSH Server And Open Proxy Scanner
Conclusion
SSH Key-based authentication provides an extra layer protection for your Linux servers from brute-force attacks. As you can see, configuring key-based authentication is not that difficult. Using key-based authentication is one of the recommended method to keep your Linux server safe and secure.
以上がLinuxでSSHキーベースの認証を構成する方法の詳細内容です。詳細については、PHP 中国語 Web サイトの他の関連記事を参照してください。
LinuxとWindowsのセキュリティモデルを比較対照します。Apr 24, 2025 am 12:03 AMLinuxとWindowsのセキュリティモデルには、それぞれ独自の利点があります。 Linuxは、柔軟性とカスタマイズ可能性を提供し、ユーザーの権限、ファイルシステム許可、Selinux/Apparmorを通じてセキュリティを可能にします。 Windowsはユーザーフレンドリーに焦点を当てており、WindowsDefender、UAC、Firewall、BitLockerに依存してセキュリティを確保しています。
ハードウェアの互換性は、LinuxとWindowsの間でどのように異なりますか?Apr 23, 2025 am 12:15 AMLinuxとWindowsはハードウェアの互換性が異なります。Windowsには広範なドライバーサポートがあり、Linuxはコミュニティとベンダーに依存します。 Linux互換性の問題を解決するために、RTL818888EUドライバーリポジトリのクローニング、コンパイル、インストールなど、ドライバーを手動でコンパイルできます。 Windowsユーザーは、パフォーマンスを最適化するためにドライバーを管理する必要があります。
LinuxとWindowsの間の仮想化サポートの違いは何ですか?Apr 22, 2025 pm 06:09 PM仮想化サポートのLinuxとWindowsの主な違いは次のとおりです。1)LinuxはKVMとXenを提供し、優れたパフォーマンスと柔軟性を備えており、高いカスタマイズ環境に適しています。 2)Windowsは、友好的なインターフェイスを備えたHyper-Vを介した仮想化をサポートし、Microsoftソフトウェアに依存する企業に適したMicrosoft Ecosystemと密接に統合されています。
Linuxシステム管理者の主なタスクは何ですか?Apr 19, 2025 am 12:23 AMLinuxシステム管理者の主なタスクには、システムの監視とパフォーマンスチューニング、ユーザー管理、ソフトウェアパッケージ管理、セキュリティ管理とバックアップ、トラブルシューティングと解像度、パフォーマンスの最適化、ベストプラクティスが含まれます。 1. TOP、HTOP、その他のツールを使用して、システムのパフォーマンスを監視し、チューニングします。 2。ユーザーADDコマンドおよびその他のコマンドを介して、ユーザーアカウントとアクセス許可を管理します。 3. APTとYUMを使用してソフトウェアパッケージを管理し、システムの更新とセキュリティを確保します。 4.ファイアウォールを構成し、ログを監視し、データバックアップを実行して、システムセキュリティを確保します。 5.ログ分析とツールの使用を通じてトラブルシューティングと解決。 6.カーネルパラメーターとアプリケーションの構成を最適化し、ベストプラクティスに従ってシステムのパフォーマンスと安定性を向上させます。
Linuxを学ぶのは難しいですか?Apr 18, 2025 am 12:23 AMLinuxの学習は難しくありません。 1.Linuxは、UNIXに基づいたオープンソースオペレーティングシステムであり、サーバー、組み込みシステム、およびパーソナルコンピューターで広く使用されています。 2。ファイルシステムと許可管理を理解することが重要です。ファイルシステムは階層的であり、許可には読み取り、書き込み、実行が含まれます。 3。APTやDNFなどのパッケージ管理システムは、ソフトウェア管理を便利にします。 4。プロセス管理は、PSおよびTOPコマンドを通じて実装されます。 5. MKDIR、CD、Touch、Nanoなどの基本的なコマンドから学習を開始し、シェルスクリプトやテキスト処理などの高度な使用法を試してください。 6.許可問題などの一般的なエラーは、SudoとChmodを通じて解決できます。 7.パフォーマンスの最適化の提案には、HTOPを使用してリソースを監視すること、不要なファイルのクリーニング、SYの使用が含まれます
Linux管理者の給与はいくらですか?Apr 17, 2025 am 12:24 AMLinux管理者の平均年salは、米国で75,000〜95,000ドル、ヨーロッパでは40,000〜60,000ユーロです。給与を増やすには、次のことができます。1。クラウドコンピューティングやコンテナテクノロジーなどの新しいテクノロジーを継続的に学習します。 2。プロジェクトの経験を蓄積し、ポートフォリオを確立します。 3.プロフェッショナルネットワークを確立し、ネットワークを拡大します。
Linuxの主な目的は何ですか?Apr 16, 2025 am 12:19 AMLinuxの主な用途には、1。Serverオペレーティングシステム、2。EmbeddedSystem、3。Desktopオペレーティングシステム、4。開発およびテスト環境。 Linuxはこれらの分野で優れており、安定性、セキュリティ、効率的な開発ツールを提供します。
インターネットはLinuxで実行されますか?Apr 14, 2025 am 12:03 AMインターネットは単一のオペレーティングシステムに依存していませんが、Linuxはその上で重要な役割を果たしています。 Linuxは、サーバーやネットワークデバイスで広く使用されており、安定性、セキュリティ、スケーラビリティに人気があります。
ホットAIツール
Undresser.AI Undress
リアルなヌード写真を作成する AI 搭載アプリ
AI Clothes Remover
写真から衣服を削除するオンライン AI ツール。
Undress AI Tool
脱衣画像を無料で
Clothoff.io
AI衣類リムーバー
Video Face Swap
完全無料の AI 顔交換ツールを使用して、あらゆるビデオの顔を簡単に交換できます。
人気の記事
ホットツール
ドリームウィーバー CS6
ビジュアル Web 開発ツール
WebStorm Mac版
便利なJavaScript開発ツール
ZendStudio 13.5.1 Mac
強力な PHP 統合開発環境
SecLists
SecLists は、セキュリティ テスターの究極の相棒です。これは、セキュリティ評価中に頻繁に使用されるさまざまな種類のリストを 1 か所にまとめたものです。 SecLists は、セキュリティ テスターが必要とする可能性のあるすべてのリストを便利に提供することで、セキュリティ テストをより効率的かつ生産的にするのに役立ちます。リストの種類には、ユーザー名、パスワード、URL、ファジング ペイロード、機密データ パターン、Web シェルなどが含まれます。テスターはこのリポジトリを新しいテスト マシンにプルするだけで、必要なあらゆる種類のリストにアクセスできるようになります。
SublimeText3 Mac版
神レベルのコード編集ソフト(SublimeText3)
