Secure your SSH server with Public/Private key authentication — page 2

2. Adding the public key to the authorized keys

First, we need to upload the public key to the remote machine:

[email protected]:~$ scp ~/.ssh/id_rsa.pub [email protected]:~/

Now that the public key is uploaded, let’s add it to the authorized keys. To do so, we connect to remotehost as remoteuser, append the key to the end of the file ~/.ssh/authorized_keys, and delete the uploaded copy once it has been added:

$ ssh [email protected]
[email protected]'s password:
[email protected]:~$ cat id_rsa.pub >> ~/.ssh/authorized_keys
[email protected]:~$ rm id_rsa.pub
[email protected]:~$ exit
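
A more defensive form of the `cat id_rsa.pub >> ~/.ssh/authorized_keys` step, as an added example that is not part of the original article: it sets the permissions sshd's StrictModes check expects, skips a key that is already present, and copes with an authorized_keys file that lacks a final newline. The function name `install_pubkey` and its optional home-directory argument are names chosen for this example.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [HOME_DIR]   (example helper, hypothetical name)
# Appends one public key to HOME_DIR/.ssh/authorized_keys (default: $HOME).
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    dir=$home/.ssh
    auth=$dir/authorized_keys

    # Expect exactly one non-empty line that starts with a public key type;
    # a private key uploaded by mistake ("-----BEGIN ...") is rejected here.
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    key=$(grep -v '^[[:space:]]*$' "$pub") || { echo "$pub is empty" >&2; return 1; }
    case $key in
        *'
'*) echo "more than one line in $pub" >&2; return 1 ;;
    esac
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub does not look like a public key" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default), authorized_keys is ignored when the
    # file or ~/.ssh is writable by anyone other than the owner.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir" && chmod 600 "$auth" || return 1

    # Idempotent: do nothing if this exact line is already authorized.
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi

    # If the last line has no trailing newline, a plain ">>" would glue the
    # new key onto it and invalidate both entries.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}
```

On the remote host this would be run as `install_pubkey id_rsa.pub`, followed by the same `rm id_rsa.pub` as above.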

Now, we need to configure the remote SSH server to accept authentication by key pair. This is usually enabled by default. If not, the next section will cover how to activate key based authentication.

3. Activating key based authentication on the server

To do so, we need to connect as root on the remote machine. This can be achieved either by connecting to root directly:

$ ssh [email protected]

or by connecting to the remote machine with a normal user:

$ ssh [email protected]

and then either (usually for Ubuntu boxes):

[email protected]:~$ sudo su -

or (Debian boxes)

[email protected]:~$ su -

depending on your default settings.

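Now open and edit /etc/ssh/sshd_config and make sure it contains the following lines (RSAAuthentication applies only to SSH protocol 1 and is reported as a deprecated option by recent OpenSSH releases, so on a current server PubkeyAuthentication is the line that matters):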

RSAAuthentication yes
PubkeyAuthentication yes

Then reload your configuration:

/etc/init.d/ssh reload

Okay, now you should be able to connect to [email protected] without supplying a password (you will still be asked for the passphrase of your private key if you set one) by simply typing the following:

[email protected]:~$ ssh [email protected]
[email protected]:~$

Or, if your private key file is not the standard ~/.ssh/id_rsa, you can tell ssh which key to use with the -i switch as follows:

[email protected]:~$ ssh -i /path/to/private/key [email protected]

Once you are sure that you can log into the remote host using your private key, you can safely disable username/password authentication.