Setting Up Key-Based Authentication for Secure Server Access
Key-based authentication, also referred to as public key authentication, stands out as a highly secure approach to server access when compared to the conventional password-based method. In key-based authentication, cryptographic keys replace passwords for the authentication process. This involves logging in through a pair of cryptographic keys: a public key (known to the server) and a private key (known exclusively to you). The public key is stored on the server, while the private key is securely maintained on your local machine. This method adds an extra layer of security by leveraging a unique pair of keys for a more robust and reliable authentication mechanism.
Here is a step-by-step guide to set up key-based authentication on a server:
Method 1: Generate and Use SSH Keys on Windows and Linux Using default command and configuration:
Generate SSH Key Pair
For Linux-based systems:
- Open a terminal on your local machine.
- Use the following command to generate an SSH key pair:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Replace "your_email@example.com" with your actual email address.
- You will be prompted to enter the file path to save the key. Press Enter to accept the default. Optionally, you can set a passphrase for an extra layer of security.
- This generates two keys, which are stored in ~/.ssh/ (the default path). The public key is stored in ~/.ssh/id_rsa.pub, while the private key is stored in ~/.ssh/id_rsa. The private key located at ~/.ssh/id_rsa must not be shared publicly. Only the corresponding public key at ~/.ssh/id_rsa.pub should be used.
Install the public key on your remote server:
- Copy your public key to your remote server by running the following command on your local machine.
ssh-copy-id username@server_ip
Replace username and server_ip with your server's username and IP address. You will be prompted to enter your server password.
- If ssh-copy-id is not available on your system, you can manually copy the public key. On your local machine, print out the public key and copy the contents:
cat ~/.ssh/id_rsa.pub
- On your remote server, paste the public key into the authorized keys file:
vi ~/.ssh/authorized_keys
- After pasting the key, save and exit.
For Windows-based systems:
This is for a Windows-based machine connecting to a Linux server.
- Open PowerShell as an administrator.
- Use the following command to generate an SSH key pair:
ssh-keygen -t rsa -b 4096
You can optionally provide a specific path and filename for the key.
- You will be prompted to enter a file to save the key. Press Enter to accept the default. Optionally, you can set a passphrase for an extra layer of security.
- The SSH key will be stored in C:\Users\ADMIN/.ssh/id_rsa. The private key located at C:\Users\ADMIN/.ssh/id_rsa must not be shared publicly. Only the corresponding public key at C:\Users\ADMIN/.ssh/id_rsa.pub should be shared.
- Copy your public key to your server using the following command.
ssh-copy-id username@server_ip
Replace username and server_ip with your server's username and IP address. You will be prompted to enter your server password.
- If ssh-copy-id is not available on your system, you can manually copy the public key:
cat C:\Users\ADMIN/.ssh/id_rsa.pub
- On your remote server, paste the public key into the authorized keys file:
vi ~/.ssh/authorized_keys
- After pasting the key, save and exit.
Verify Key-Based Authentication:
Try to SSH into your server without entering a password. If configured correctly, it should use the private key for authentication.
From your local Linux or Windows machine,
ssh username@server_ip
If successful, you should be logged in without entering a password.
Adjust SSH Configuration (On the Server)
- On the remote Linux server, edit the SSH server configuration file:
vi /etc/ssh/sshd_config
- Ensure the following settings are configured:
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Save the file and restart the SSH service.
- Ensure the .ssh directory and authorized_keys file have the correct permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
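A check for the server-side steps above, written as an added example rather than code from the original guide: it reads an sshd_config file for the three settings and verifies the 700/600 modes. The function names and sample files are constructed, and it assumes whitespace-separated keyword/value lines and GNU stat.

```shell
#!/bin/sh
# Added example: audit the sshd_config settings and file modes from this guide.
# Function names and the sample files are constructed for illustration.

# Print the first global value of keyword $2 in file $1. sshd uses the first
# value it reads; Match blocks are conditional, so parsing stops there.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if all three settings from the guide are set as shown.
audit_sshd_config() {
    rc=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                ChallengeResponseAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want $want, got ${got:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Return 0 only if directory $1 is mode 700 and its authorized_keys is 600.
# Uses GNU stat (-c), as found on Linux servers.
audit_ssh_perms() {
    [ "$(stat -c %a "$1")" = 700 ] &&
        [ "$(stat -c %a "$1/authorized_keys")" = 600 ]
}

# Constructed samples: the weak file has PasswordAuthentication commented out,
# so sshd would fall back to its default and still accept passwords.
demo=$(mktemp -d)
printf '%s\n' 'PubkeyAuthentication yes' '#PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$demo/weak_config"
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$demo/hardened_config"
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh" && chmod 600 "$demo/.ssh/authorized_keys"

audit_sshd_config "$demo/weak_config" || echo "weak_config: not hardened"
audit_sshd_config "$demo/hardened_config" && echo "hardened_config: ok"
audit_ssh_perms "$demo/.ssh" && echo "permissions: ok"
```

On a live server, point audit_sshd_config at /etc/ssh/sshd_config and audit_ssh_perms at ~/.ssh, and keep your existing session open until a new key-based login has succeeded.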
Method 2: Generate and Use SSH Keys on Windows Using PuTTYgen and PuTTY:
- Download and install PuTTY and PuTTYgen on your local machine from the following URL:
https://www.putty.org/
Run the installer and follow the on-screen instructions to install PuTTY and PuTTYgen.
- Open PuTTYgen from the Start menu and, in the PuTTYgen window, select the key type you prefer:
  - RSA: A widely used key type known for its security and compatibility. Suitable for most users and provides a good balance between security and compatibility. Set the number of bits in the generated key (2048 or 4096 is recommended for security).
  - ECDSA: A newer key type that offers stronger security with shorter key lengths, but may have compatibility issues with some older systems. Choose the key size (256, 384, or 521 bits).
- Click the Generate button to create a new key pair. Move your mouse around in the blank area to generate randomness for the key generation.
- Once the key is generated, you will see the public key in the PuTTYgen window.
- Save the private key by clicking the Save private key button. Choose a secure location to save the .ppk file.
- Save the public key by clicking the Save public key button or copying the text in the "Public key for pasting into OpenSSH authorized_keys file" field and saving it to a .txt file or pasting it directly into the authorized_keys file on your remote server.
On your remote server,
- Connect to your server using an existing SSH method.
- Navigate to the .ssh directory in your home folder (e.g., ~/.ssh/).
- Edit or create the authorized_keys file in this directory.
vi ~/.ssh/authorized_keys
- Paste the public key you copied from PuTTYgen into this file.
- Save the file and exit the text editor.
- Ensure the permissions are correct:
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
By following these steps, you enhance the security of your server access by relying on key-based authentication instead of password-based authentication.