SSH Key-Based Authentication
Let’s take a look at how to set up SSH key-based authentication on Linux. The process is similar when setting up a source Windows machine (recent Windows with SSH) and a destination Linux server.
Step 1: Generate the SSH Key
First, let’s generate an SSH key from the source machine. Open a terminal and enter the following command:
ssh-keygen
After running the command, you will see output similar to the following:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/emlin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/emlin/.ssh/id_rsa
Your public key has been saved in /home/emlin/.ssh/id_rsa.pub
The key fingerprint is...
In this example, I chose to leave the passphrase blank and saved the key to the default /home/emlin/.ssh/... path by simply pressing Enter.
(Note: If you set a passphrase on the key, you will be prompted for it every time the key is used to authenticate. This might cause issues with scripting. Also note that without a passphrase on the key, anyone with access to the key file can use it to authenticate to the server.)
Step 2: Copy the Public Key
Next, let’s copy the public key from the source machine to the server. There are two ways to do this: using ssh-copy-id or manually copying the key.
Option 1: Using ssh-copy-id
Use the following command, replacing <user> with the desired user you want to authenticate as, and <ip/hostname> with the server’s IP address or hostname:
ssh-copy-id <user>@<ip/hostname>
When you run the command, you will see output similar to the following. When prompted, type “yes” and press enter:
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/emlin/.ssh/id_rsa.pub"
The authenticity of host '<ip/hostname> (<ip/hostname>)' can't be established.
ED25519 key fingerprint is SHA256:...
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Enter the password for the destination user when prompted:
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
<user>@<ip/hostname>'s password:
You should see the following upon successful completion:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '<user>@<ip/hostname>'"
and check to make sure that only the key(s) you wanted were added.
Option 2: Manually Copying the Key
If ssh-copy-id is not available, you can manually copy the key using the following steps:
Display the public key on the source machine:
cat ~/.ssh/id_rsa.pub
This will output the public key, which looks something like this:
ssh-rsa XXXXXXX... user@host
Connect to the destination server using SSH:
ssh <user>@<ip/hostname>
Create the .ssh directory (if it doesn’t exist) and set proper permissions:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
Append the public key to the authorized_keys file:
echo "<PASTE_PUBLIC_KEY_HERE>" >> ~/.ssh/authorized_keys
Alternatively, you can use nano or vim to edit the file:
vim ~/.ssh/authorized_keys
Then paste the key inside the file and save it.
Set the correct permissions:
chmod 600 ~/.ssh/authorized_keys
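The manual steps in Option 2 as a repeatable helper, added here as an example and not part of the original post: it rejects input that is not a single public key line, skips keys that are already installed, and enforces the 700/600 modes. The function names install_pubkey and mode_of and the sample key are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). install_pubkey and mode_of are
# hypothetical helper names.
NL='
'
# mode_of PATH -> permission string as printed by ls, e.g. "drwx------"
mode_of() { ls -ld "$1" | cut -c1-10; }

# install_pubkey "<public key line>" [ssh_dir]
# Returns 0 if the key is installed or already present, 1 if input is rejected.
install_pubkey() {
    key=$1
    dir=${2:-"$HOME/.ssh"}
    file="$dir/authorized_keys"

    # Accept exactly one line that starts with a common public key type.
    # This rejects an accidentally pasted private key (multi-line, "-----BEGIN").
    case $key in
        *"$NL"*) echo "rejected: more than one line" >&2; return 1 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "rejected: not a public key line" >&2; return 1 ;;
    esac

    # Create with a restrictive umask, then set the modes from the steps above
    # explicitly in case the directory or file already existed with looser ones.
    ( umask 077; mkdir -p "$dir" && touch "$file" ) || return 1
    chmod 700 "$dir" && chmod 600 "$file" || return 1

    # Append only if this exact line is absent (-x whole line, -F literal).
    if ! grep -qxF -- "$key" "$file"; then
        # A file without a trailing newline would otherwise get the new key
        # glued onto its last entry, corrupting both.
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
            echo >> "$file"
        fi
        printf '%s\n' "$key" >> "$file"
    fi
}

# Demo against a throwaway directory with a constructed (non-functional) key.
demo_dir=$(mktemp -d)
install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedSampleKey demo@example' "$demo_dir/.ssh"
install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedSampleKey demo@example' "$demo_dir/.ssh"
echo "entries: $(grep -c . "$demo_dir/.ssh/authorized_keys")"
echo "modes: $(mode_of "$demo_dir/.ssh") $(mode_of "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

On the destination server, call it with the contents of id_rsa.pub as the first argument; the second argument defaults to ~/.ssh.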
Step 3: Testing
To verify that the setup is working correctly, you can now use the following command on the source machine to log in to the destination server using the SSH key we just set up:
ssh <user>@<ip/hostname>