Creating Public and Private Key Authentication for SSH Server on Linux Ubuntu 18.10

Continuing from my previous post on Configuring SSH Server: when OpenSSH is installed, public and private key pairs (the server's host keys) are created automatically. OpenSSH generates these key pairs for various encryption types, including RSA1, RSA, and DSA, and stores them in the /etc/ssh directory. OpenSSH also provides a tool for creating your own public and private key pairs, called ssh-keygen.

Step 1: Creating Public and Private Key Pairs

Run the following command on the client side:

$ ssh-keygen

By default, ssh-keygen generates a 2048-bit RSA key. You'll then see several prompts, starting with the following:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/haidar/.ssh/id_rsa):

By default, the generated keys are stored in the .ssh directory under the home directory of the user who created them. In the example above, the public key is stored at /home/haidar/.ssh/id_rsa.pub, and the private key is stored at /home/haidar/.ssh/id_rsa.

Next, you'll be asked for a passphrase for the key:

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Entering a passphrase at this prompt is not mandatory, but it is better to set one: it protects the private key if the file is ever copied or stolen.

If successful, output like the following should appear:

Your identification has been saved in /home/haidar/.ssh/id_rsa.
Your public key has been saved in /home/haidar/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:DQ6gLSLza19lbuMDXI3hL1u5DEPz4yH804alWGAbUjU haidar@haidar
The key's randomart image is:
+---[RSA 2048]----+
|    .    .E      |
|   o .  o  .     |
|+ o . .o.+       |
|.+ .  .oXo.      |
|  .  . *SB..     |
|   .  o+B O .    |
|  o   ..+& O     |
| . . . o+.O o    |
|    .   .. o     |
+----[SHA256]-----+

Step 2: Add the Public Key to the SSH Server

Next, add the contents of id_rsa.pub to the ~/.ssh/authorized_keys file in the remote user's home directory. The ssh-copy-id tool does this for you.

Run the following command:

$ ssh-copy-id username@remote_host -p 222

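I used the -p 222 option because the SSH server is not listening on the default port, which is port 22.

On the first connection, ssh asks you to confirm the server's host key fingerprint. Check that it matches the server's own key before answering yes: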

The authenticity of host '[192.168.1.2]:222 ([192.168.1.2]:222)' can't be established.
ECDSA key fingerprint is SHA256:f1mu+dGO4R4hxtvFzbIOHhOhnuZNI2xqrzdrhty0nyA.
Are you sure you want to continue connecting (yes/no)? yes

After successfully logging in, you should see something like this:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '222' '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

Now you can log in using the private key you just created.

Step 3: Disable Password Authentication

Once you've successfully logged in using public and private key authentication, we can modify a few directives in the /etc/ssh/sshd_config file to enhance the security of the SSH server.

Run the following command:

$ sudo nano /etc/ssh/sshd_config

Change the following directive values:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

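Save the changes and exit, and don't forget to restart the SSH server. Keep your current session open until a new key-based login succeeds, so a mistake in the file cannot lock you out.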

$ sudo service ssh restart
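
A common way for Step 3 to fail silently is an earlier active PasswordAuthentication line: sshd uses the first value it finds for each keyword. The function below is an added example, not part of the original post; it reads a single sshd_config file and reports the global value, and both the function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# effective_password_auth FILE
# Prints the global PasswordAuthentication value as sshd would read it from
# one sshd_config file. Rules applied, per sshd_config(5):
#   - blank lines and lines starting with '#' are ignored
#   - keywords are case-insensitive; '=' may separate keyword and value
#   - the FIRST value found for a keyword wins, later ones are ignored
#   - lines after a "Match" keyword are conditional, so the scan stops there
#   - if the keyword is never set, the default is "yes"
effective_password_auth() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == "passwordauthentication" { val = f[2]; exit }
        END { print (val == "" ? "yes" : val) }
    ' "$1"
}

# Constructed sample: "no" was appended at the end, but an earlier active
# line already set "yes", so password logins stay enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 222
#PasswordAuthentication no
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF
echo "PasswordAuthentication is effectively: $(effective_password_auth "$sample")"
rm -f "$sample"
```

On the server itself, `sudo sshd -T | grep -i passwordauthentication` prints the value the sshd binary actually computes, including anything this single-file check does not model.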

That's it, see ya~