SSH/SFTP Authentication with SSH Private Key

in #ssh5 years ago (edited)


Create SSH Key Pair

Logging in to an SSH server with a password is a lot less secure, and it also allows others to brute-force it.
This is why it's recommended to use the private/public key authentication method instead.

Since this method uses an SSH private/public key pair, you have to generate it first. After you run ssh-keygen, it will ask you for a password, which is used to encrypt the private key.

No password provided - unencrypted private key

I would strongly recommend entering one: since the key is stored in the file system, anyone who has access to your computer can easily copy it.


!! Never send your SSH private key to anyone or save it in a public place.

Copy SSH Public Key to the Server

Let's say you have a server with domain name server.com and user account with name user. Copy your public key to the server.

scp ~/.ssh/id_rsa.pub user@server.com:/tmp/id_rsa.pub

The next example commands include a port argument to show what is needed if your server has a custom SSH port, for example 2048. With ssh, add -p 2048 after the command. With scp, the port option is an uppercase -P (lowercase -p in scp preserves file times instead of setting a port), so add -P 2048. If your server uses the default SSH port, delete that argument and port number from the command.

scp -P 2048 ~/.ssh/id_rsa.pub user@server.com:/tmp/id_rsa.pub

Login to the Server

ssh -p 2048 user@server

Append Authorized Keys list file with a newly uploaded Key

cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys

Test Authentication

Try to log in to the server with the same command. It should then ask you for the key decryption passphrase instead of the normal password (only if you entered one during the key generation process).

ssh -p 2048 user@server

Disable password Authentication (Optional)

Be very careful when disabling the password authentication method, since you have to be sure you will connect successfully with the SSH key. Also, users who use password authentication on that server will not be able to log in anymore.

Edit /etc/ssh/sshd_config file and make sure that PasswordAuthentication parameter is set to no.

Restart SSH Server after changing parameter:
service ssh restart
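
A check to run on the config before restarting, as an added example that is not part of the original post: it prints the PasswordAuthentication value that applies globally in one sshd_config file, since sshd uses the first value it finds for a keyword and defaults to yes. The function names and the sample config are constructed for illustration; Include files and Match blocks are not evaluated, so running sshd -T on the server remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the original post.

# effective_password_auth [FILE] -> prints the global PasswordAuthentication
# value ("yes" or "no"). Reads FILE, or stdin when no file is given.
# Rules applied, per sshd_config(5): keywords are case-insensitive, the first
# value obtained for a keyword wins, '#' lines are comments, default is "yes".
# Assumption: Include files are not followed and parsing stops at the first
# Match line, so only the global section of this one file is considered.
effective_password_auth() {
    awk '
        {
            sub(/^[ \t]+/, "")           # drop leading whitespace
            sub(/[ \t]*=[ \t]*/, " ")    # sshd also accepts Keyword=value
        }
        /^#/ || /^$/ { next }            # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }          # end of the global section
        key == "passwordauthentication" {
            print $2; found = 1; exit    # first value wins
        }
        END { if (!found) print "yes" }  # keyword absent: sshd default
    ' "${1:--}"
}

# Constructed sample: the "no" added near the bottom never takes effect,
# because an earlier uncommented line already set the value to "yes".
sample_config() {
    cat <<'EOF'
#PasswordAuthentication no
Port 2048
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

echo "effective PasswordAuthentication: $(sample_config | effective_password_auth)"
```

On a real server, pass the path instead: effective_password_auth /etc/ssh/sshd_config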