How to use ssh keys for authentication on the Server


Secure Shell, or SSH as we know it, is used to establish a secure communication channel between a client and a server. Read more about the protocol itself here. In this article, we’ll show how to use SSH keys for authentication on the server. We will also disable password authentication on the server.

Set up ssh keys

So, the goal is to have the ssh key to use for authentication and then to kill the password authentication method:

  • Install OpenSSH on the local machine, using the command for your distribution’s package manager (apt-get, yum or dnf)
[root@bluegrid-edu ~]# apt-get install openssh-server
[root@bluegrid-edu ~]# yum -y install openssh-server openssh-clients
[root@bluegrid-edu ~]# dnf install openssh-server
  • Generate the ssh key on the local machine (the -C option sets the key comment; the address shown is a placeholder, use your own)
[root@bluegrid-edu ~]# ssh-keygen -t rsa -b 2048 -C "your_email@example.com"

The following is the step-by-step output of generating the ssh keys:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): edu.bluegrid.io
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in edu.bluegrid.io.
Your public key has been saved in edu.bluegrid.io.pub.
The key fingerprint is:
SHA256:Nm0QyQmB768/1t1O5O6Eli39xIwWUzJ6dCsNpIz6xOA [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|     .o+.o   .   |
|    .   +.o o    |
|     . ... o .+ o|
|      o +o   oo=.|
|     . ESoo ..=o |
|      ..oo   O.* |
|       . o .=.O +|
|        + ...*.o |
|      .+..   o+ .|
+----[SHA256]-----+
  • Log in to the remote server and create a directory where the public key will be stored
[root@bluegrid-edu ~]# mkdir -p ~/.ssh
  • Restrict access to yourself only:
[root@bluegrid-edu ~]# chmod 700 ~/.ssh
  • Now copy the public key from the locally generated ssh key pair and upload it to the server:
Ivans-MacBook-Pro-3:~ ivan$ ssh-copy-id -i edu.bluegrid.io.pub root@server 

Below is the output of the above command:

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "edu.bluegrid.io.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'root@server'"
and check to make sure that only the key(s) you wanted were added.

Ivans-MacBook-Pro-3:~ ivan$ ssh 'root@server'
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Sat Aug  1 13:42:53 2020 from 87.116.167.150

NOTE: Replace “server” with the IP address or the domain of the server you want to set up SSH authentication for.

Set up ssh keys for a non-root user

It is not mandatory, but for security reasons it is recommended to kill the root login. Create a new user on the server so we can kill the root login too:

  • Create a user:
[root@bluegrid-edu ~]# useradd -m -s /bin/bash edu-user
  • Set a password for newly created user:
[root@bluegrid-edu ~]# passwd edu-user
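  • Add the newly created user to the sudo group (the group is named sudo on Debian/Ubuntu and wheel on RHEL-family systems; run the command that matches your system):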
[root@bluegrid-edu ~]# usermod -aG sudo edu-user
[root@bluegrid-edu ~]# usermod -aG wheel edu-user
  • Make sure the newly created user is added to the sudo group:
[root@bluegrid-edu ~]# su - edu-user
[edu-user@bluegrid-edu ~]$ id edu-user
uid=1001(edu-user) gid=1001(edu-user) groups=1001(edu-user),10(wheel)

Looks good!

  • Now, on the local machine, we need to generate a new ssh key. As we did for the root user, we repeat the process for the newly created “edu-user” (the address after -C is a placeholder, use your own):
Ivans-MacBook-Pro-3:~ ivan$ ssh-keygen -t rsa -b 2048 -C "your_email@example.com"
Ivans-MacBook-Pro-3:~ ivan$ ssh-copy-id -i edu.bluegrid.io.pub edu-user@server
  • Now let’s disable the password login on the server-side. Open /etc/ssh/sshd_config and set the following directives to have the value “no”:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
  • Restart ssh service:
[root@bluegrid-edu ~]# systemctl restart sshd
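
sshd uses the first value it reads for each keyword, so a "no" appended below an existing "yes" changes nothing. The check below is an added example, not part of the original article: the function name audit_sshd_config and both sample configs are constructed for illustration, and it assumes whitespace-separated "Keyword value" lines in the global section of the file.

```shell
#!/bin/sh
# Added example (not from the article): audit the four directives set above.
# sshd uses the FIRST value it reads for each keyword and treats keywords
# case-insensitively, so only the first occurrence of each is judged.
# Assumption: whitespace-separated "Keyword value" lines, global section only.
audit_sshd_config() {
    awk '
        BEGIN { n = split("challengeresponseauthentication passwordauthentication usepam permitrootlogin", want, " ") }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }     # Match blocks are conditional overrides; stop here
        { key = tolower($1); if (!(key in seen)) { seen[key] = $2; line[key] = NR } }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen))         { printf "MISSING %s\n", k; bad++ }
                else if (seen[k] != "no") { printf "WEAK %s %s (line %d)\n", k, seen[k], line[k]; bad++ }
                else                      { printf "OK %s no (line %d)\n", k, line[k] }
            }
            exit (bad > 0)                  # non-zero status when anything is missing or weak
        }
    ' "${1:--}"                            # file argument, or stdin when omitted
}

# Constructed sample: "PasswordAuthentication no" was appended at the end, but
# the earlier "yes" wins; ChallengeResponseAuthentication is absent.
sample_shadowed() {
    cat <<'EOF'
# constructed sample, not a real server config
permitrootlogin no
PasswordAuthentication yes
UsePAM no
PasswordAuthentication no
EOF
}

# Constructed sample with all four directives set as the article instructs.
sample_hardened() {
    cat <<'EOF'
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
EOF
}

sample_shadowed | audit_sshd_config || echo "=> do not restart sshd yet"
sample_hardened | audit_sshd_config && echo "=> directives match the article"
```

On a real server, call it as audit_sshd_config /etc/ssh/sshd_config and run sshd -t to check the file's syntax before the restart. Files pulled in by Include and settings inside Match blocks are outside what it reads.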

To make sure everything is in order, test the login in another terminal tab and keep the current one open:

Ivans-MacBook-Pro-3:~ ivan$ ssh edu-user@server -i edu.bluegrid.io

Voila!

NOTE: If the permissions on the ssh key files are too open, you might get an error like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/tmp/edu.bluegrid.io' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/tmp/edu.bluegrid.io": bad permissions

You can fix this by running this command:

Ivans-MacBook-Pro-3:~ ivan$ chmod 400 edu.bluegrid.io*