Configuring SSH login keys can make logging into remote servers running easier and more secure. No more entering username and password every time you want to open a new SSH session! We’re going to review how to set up SSH login keys to allow an encrypted keypair to authenticate a user on a laptop or desktop to connect to (or any computer running Linux) using SSH. Let’s dive in!
The first task is to create users on both devices. Let’s imagine in this scenario someone wants to log in to a server from their laptop. The user on the laptop will be laptop_user and the user on the server will be server_user. Imaginative, right?
To prepare the server environment, log in to the server and issue the commands:
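$ sudo useradd --create-home --home /home/laptop_user laptop_user
$ sudo passwd laptop_user
[Enter the Password]
$ sudo mkdir /home/laptop_user/.ssh
$ sudo touch /home/laptop_user/.ssh/authorized_keys
# The directory needs the execute bit (700) to be entered; the key file itself is 600.
$ sudo chmod 700 /home/laptop_user/.ssh
$ sudo chmod 600 /home/laptop_user/.ssh/authorized_keys
$ sudo chown -R laptop_user:laptop_user /home/laptop_user/.ssh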
This will have made sure the username you want to use is created, the user has a home directory, we know the user’s password, the correct directory structure is created and that directory structure has the correct ownership and permissions set.
Now the big question is: Are you using a Windows laptop or a Linux laptop? The process is, of course, different on each system. I’ll cover Linux systems first, so if you want to skip right down to the Windows laptop instructions that’s fine.
SSH Login Keys using a Linux laptop
Quick Tip: These instructions also work on a Linux server, which is nice if you log in to them often, or if you are thinking of doing automation and aren’t exactly excited about the idea of leaving credentials in a plaintext script.
Now we have to prepare the laptop:
$ sudo useradd --create-home --home /home/laptop_user laptop_user
$ sudo passwd laptop_user
$ sudo mkdir /home/laptop_user/.ssh
# 700, not 600: a directory without the execute bit cannot be entered by its owner.
$ sudo chmod 700 /home/laptop_user/.ssh
$ sudo chown laptop_user:laptop_user /home/laptop_user/.ssh
Just like on the server, this will have made sure the user exists, the password is good, and the directory structure and permissions are good.
Now, for this next part on the laptop you can either log in as laptop_user or perform the steps as root. I’ll show them performed as laptop_user because that is probably the most common scenario, but if you’re doing them as root the only difference is that at the end you would need to use chown to change the file ownership over to laptop_user just like the last command above did for the ‘.ssh’ directory. The following command will generate a public/private RSA keypair to use for the SSH authentication process.
$ ssh-keygen -t rsa -b 2048 -f /home/laptop_user/.ssh/server_auth_rsa
The ssh-keygen program will prompt for a passphrase, which password-protects your private key file. Choose a strong one.
Now that we have our RSA keypair, we need to copy the public key to the server. We can accomplish this using Secure Copy (SCP), which copies files using SSH:
$ scp /home/laptop_user/.ssh/server_auth_rsa.pub laptop_user@:/home/laptop_user/.ssh/
On the server, append the contents of the public key to the authorized_keys file:
$ cat /home/laptop_user/.ssh/server_auth_rsa.pub >> /home/laptop_user/.ssh/authorized_keys
Now that the public key is on the server and the public/private key pair is on the laptop, all that is left is to launch an ssh connection using the private key for authentication:
$ ssh -i /home/laptop_user/.ssh/server_auth_rsa laptop_user@
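That’s it! The connection should open without prompting for any username or password! (ssh will still ask for the key’s passphrase to unlock the private key, unless the key is already loaded into ssh-agent.)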
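The server-side steps above (create .ssh, set permissions, append the public key) can be wrapped in one function that is safe to re-run. This is an added example, not part of the original article; the function names install_pubkey and has_mode and the sample key line are made up for illustration, and it assumes it runs as the account that owns the home directory.

```shell
#!/bin/sh
# Added example: idempotent, permission-safe replacement for
# "cat key.pub >> authorized_keys". Run as the account owner.

# has_mode PATH OCTAL: succeeds only if PATH has exactly that mode.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# install_pubkey PUBKEY_FILE HOME_DIR
# Returns 0 if the key is installed (or already present), 1 if rejected.
install_pubkey() {
    pub=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys

    # Accept only a one-line OpenSSH public key, so a private key file
    # can never be appended to authorized_keys by mistake.
    [ -f "$pub" ] || return 1
    [ "$(grep -c '' "$pub")" -eq 1 ] || return 1
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$pub" || return 1

    # sshd's StrictModes check (on by default) refuses keys kept in
    # group- or world-writable paths; 700 on the directory and 600 on
    # the file is the usual safe setting.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present.
    grep -qxF -- "$(cat "$pub")" "$auth" || cat "$pub" >> "$auth"
}

# Demo in a scratch directory with a constructed (not real) key line.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 laptop_user@laptop\n' \
    > "$demo/server_auth_rsa.pub"
install_pubkey "$demo/server_auth_rsa.pub" "$demo/home" \
    && has_mode "$demo/home/.ssh" 700 \
    && echo "key installed with safe permissions"
rm -rf "$demo"
```

On the server in this walkthrough the call would be install_pubkey /home/laptop_user/.ssh/server_auth_rsa.pub /home/laptop_user, run as laptop_user.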
SSH Login Keys using a Windows laptop
The first thing on the Windows laptop agenda is to download PuTTY and PuTTYgen. PuTTY is our SSH terminal shell program and PuTTYgen is our program to generate the encryption keys necessary to make this work. Go ahead and install PuTTY and it should install PuTTYgen along with it.
Start PuTTYgen. It should open to a screen that has a button in the middle that says Generate and some options at the bottom. Make sure RSA is selected at the bottom and the text box says 2048, then click the Generate button. Move the mouse around a bunch until the progress bar finishes. There should be a chunk of text that is highlighted in blue inside the text box labeled “Public key for pasting into OpenSSH authorized_keys file”. Copy it. Click the “Save public key” button and select a location on your hard drive. Enter a passphrase in both the Key passphrase and Confirm Key passphrase text boxes, click “Save private key” and choose a location on your hard drive. Leave the PuTTYgen window open.
Start PuTTY. Enter the hostname or IP of the server and press Enter, then log in with your username and password. Append the public key to the authorized_keys file using the following command:
$ vi ~/.ssh/authorized_keys
After the vi text editor starts, go to the last line, press o and right-click the mouse to paste in the text from the PuTTYgen window you copied earlier. To save and quit, type: :wq
Confirm the file contains the entry using:
$ cat ~/.ssh/authorized_keys
Open a new PuTTY Window and enter the hostname or IP of the server, then expand SSH on the left and click Auth. Click Browse and select the private key file.
Now PuTTY will launch without asking for a password!