Setting Up SSH Key-Based Login
We typically use an SSH client such as PuTTY to manage Linux servers remotely. Password login, however, is exposed to brute force attacks, so the usual mitigations are to move SSH off the default port 22 or to disable root login. Key-based authentication is a better way to keep the server secure while still allowing remote root login.
Key-based login works like this: a key generator creates a pair of keys, a public key and a private key. The public key is added to an account on the server, and the client proves its identity with the private key. Without the private key, nobody can brute force their way into the system over SSH. The same private key can also be used to log in to any other account or host where the public key has been installed.
Here’s how to create a key pair on a Linux server, add the public key to an account, configure SSH, and finally log in via a client.
1. Create a Key Pair
First, create a key pair on the server. Log in with a password to the account you plan to use for key-based login, and then execute the following command:
[root@host ~]$ ssh-keygen <== Create a key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <== Press Enter
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): <== Enter a key passphrase, or press Enter to leave it empty
Enter same passphrase again: <== Enter the passphrase again
Your identification has been saved in /root/.ssh/id_rsa. <== Private key
Your public key has been saved in /root/.ssh/id_rsa.pub. <== Public key
The key fingerprint is:
0f:d3:e7:1a:1c:bd:5c:03:f1:19:f1:22:df:9b:cc:08 root@host
If you set a key passphrase, it must be entered every time the private key is used, which protects the key from unauthorized use if the file is copied. Alternatively, leave it empty for passwordless login.
Now, a hidden directory named .ssh has been created in the root user's home directory, containing two key files. id_rsa is the private key, and id_rsa.pub is the public key.
2. Install the Public Key on the Server
Enter the following commands to install the public key on the server:
[root@host ~]$ cd .ssh
[root@host .ssh]$ cat id_rsa.pub >> authorized_keys
This completes the installation of the public key. The connection will fail unless the permissions on the key directory and file are correct, so set them as follows:
[root@host .ssh]$ chmod 600 authorized_keys
[root@host .ssh]$ chmod 700 ~/.ssh
3. Configure SSH to Enable Key-Based Login
Edit the /etc/ssh/sshd_config file and set the following:
RSAAuthentication yes
PubkeyAuthentication yes
Also, check if the root user can log in via SSH:
PermitRootLogin yes
Once everything is configured and you have confirmed that login with the key works, disable password login:
PasswordAuthentication no
Finally, restart the SSH service:
[root@host .ssh]$ service sshd restart
4. Download the Private Key to the Client and Convert it for PuTTY
Use tools like WinSCP or SFTP to download the private key file id_rsa to the client machine. Then open PuTTYGen, click the Load button under Actions, and load the private key file you just downloaded. If you set a key passphrase, you will need to enter it now.
After successful loading, PuTTYGen will display key information. Enter a comment for the key in Key comment, then click Save private key to save the file in a format usable by PuTTY.
For future logins with PuTTY, select your private key file at Connection -> SSH -> Auth -> Private key file for authentication, and you can log in, entering the key passphrase if necessary.
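The server-side part of the procedure above (steps 2 and 3) can be scripted so that it is safe to re-run: appending id_rsa.pub with cat >> adds a duplicate line every time, and the sshd_config options are easy to get wrong. The following script is an added example, not code from the original post; it assumes a POSIX shell with GNU coreutils (stat -c), grep and awk, and it checks only the two options that matter for protocol 2 key login.

```shell
#!/bin/sh
# Added example (not from the original post). Idempotent version of the
# "cat id_rsa.pub >> authorized_keys" step plus a check of sshd_config.

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends each key line from PUBKEY_FILE to SSH_DIR/authorized_keys unless
# that exact line is already present, and applies the permissions sshd
# requires: 700 on the directory, 600 on authorized_keys.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    # -x: whole-line match, -F: literal (key material contains '+' and '/')
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$auth_keys" || printf '%s\n' "$line" >> "$auth_keys"
    done < "$pubkey_file"
}

# sshd_option CONFIG_FILE KEYWORD
# Prints the effective value of KEYWORD. sshd takes the first non-comment
# occurrence of a keyword, and keywords are case-insensitive.
# (Match blocks are not handled by this simple reader.)
sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# check_key_login CONFIG_FILE
# Returns 0 when the config allows key login and refuses password login.
# PubkeyAuthentication defaults to yes when absent; PasswordAuthentication
# also defaults to yes, so it must be set to no explicitly. The
# RSAAuthentication line from the post belongs to SSH protocol 1 and is not
# needed for protocol 2 key login, so it is not checked here.
check_key_login() {
    pubkey=$(sshd_option "$1" PubkeyAuthentication)
    passwd=$(sshd_option "$1" PasswordAuthentication)
    [ "${pubkey:-yes}" = yes ] && [ "$passwd" = no ]
}
```

Run check_key_login against /etc/ssh/sshd_config before restarting sshd; sshd -t additionally validates the file's syntax.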