SSH Key-Based Authentication

Let’s take a look at how to set up SSH key-based authentication on Linux. The process is similar when setting up a source Windows machine (recent Windows with SSH) and a destination Linux server.

Step 1: Generate the SSH Key

First, let’s generate an SSH key from the source machine. Open a terminal and enter the following command:

ssh-keygen

After running the command, you will see output similar to the following:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/emlin/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/emlin/.ssh/id_rsa
Your public key has been saved in /home/emlin/.ssh/id_rsa.pub
The key fingerprint is...

In this example, I left the passphrase blank and accepted the default /home/emlin/.ssh/... path by simply pressing Enter at each prompt.

(Note: If you set a passphrase on the key, you will be prompted for it every time the key is used to authenticate. This might cause issues with scripting. Also note that without a passphrase on the key, anyone with access to the private key file can use it to authenticate to the server.)

Step 2: Copy the Public Key

Next, let’s copy the public key from the source machine to the server. There are two ways to do this: using ssh-copy-id or manually copying the key.

Option 1: Using ssh-copy-id

Use the following command, replacing <user> with the desired user you want to authenticate as, and <ip/hostname> with the server’s IP address or hostname:

ssh-copy-id <user>@<ip/hostname>

When you run the command, you will see output similar to the following. The fingerprint shown should match the server’s host key. When prompted, type “yes” and press Enter:

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/emlin/.ssh/id_rsa.pub"
The authenticity of host '<ip/hostname> (<ip/hostname>)' can't be established.
ED25519 key fingerprint is SHA256:...
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Enter the password for the destination user when prompted:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
<user>@<ip/hostname>'s password: 

You should see the following upon successful completion:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '<user>@<ip/hostname>'"
and check to make sure that only the key(s) you wanted were added.

Option 2: Manually Copying the Key

If ssh-copy-id is not available, you can manually copy the key using the following steps:

Display the public key on the source machine:

cat ~/.ssh/id_rsa.pub

This will output the public key, which looks something like this:

ssh-rsa XXXXXXX... user@host

Connect to the destination server using SSH:

ssh <user>@<ip/hostname>

Create the .ssh directory (if it doesn’t exist) and set proper permissions:

mkdir -p ~/.ssh
chmod 700 ~/.ssh

Append the public key to the authorized_keys file:

echo "<PASTE_PUBLIC_KEY_HERE>" >> ~/.ssh/authorized_keys

Alternatively, you can use nano or vim to edit the file:

vim ~/.ssh/authorized_keys

Then paste the key inside the file and save it.

Set the correct permissions:

chmod 600 ~/.ssh/authorized_keys
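
The manual steps above, combined into one function as an added example (not part of the original tutorial): it rejects anything that is not a single public-key line, such as a pasted private key, skips a key that is already installed, and applies the 700/600 permissions. The function name install_pubkey is hypothetical, and accepting only three key types is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: the manual copy steps as one idempotent function.
# install_pubkey is a hypothetical helper name, not an OpenSSH tool.
# Usage: install_pubkey <ssh_dir> '<public key line>'
install_pubkey() {
    ssh_dir=$1
    key=$2
    auth="$ssh_dir/authorized_keys"
    nl='
'
    # Accept only a single "<type> <base64> [comment]" line. The base64 blob
    # of these key types starts with "AAAA"; a pasted private key
    # ("-----BEGIN ... PRIVATE KEY-----") fails this check.
    # Assumption: only RSA, Ed25519 and ECDSA keys are accepted here.
    case $key in
        *"$nl"*) echo "refusing multi-line input" >&2; return 2 ;;
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) echo "not an SSH public key line" >&2; return 2 ;;
    esac

    # Create missing paths with a restrictive umask (in a subshell so the
    # caller's umask is untouched), then fix permissions on existing paths.
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth" ) || return 1
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth" || return 1

    # Already installed: nothing to do.
    if grep -qxF -- "$key" "$auth"; then return 0; fi

    # If the file does not end in a newline, add one so the new key
    # is not glued onto the last existing entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Run directly on the destination server:
#   sh install_pubkey.sh "$HOME/.ssh" "$(cat id_rsa.pub)"
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```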

Step 3: Testing

To verify that the setup is working correctly, you can now use the following command on the source machine to log in to the destination server using the SSH key we just set up:

ssh <user>@<ip/hostname>