2 Simple Steps to Set Up SSH Public Key Authentication on CentOS
This tutorial explains how to set up SSH public key authentication on a CentOS/RHEL desktop. There are basically two ways of authenticating user login with OpenSSH server: password authentication and public key authentication. The latter is also known as passwordless SSH login because you don’t need to enter your password.
Step 1: Generate SSH Public/Private Key Pair on CentOS/RHEL Desktop
On your CentOS/RHEL desktop (not your server), enter the following command in a terminal window.
ssh-keygen -t rsa -b 4096
Where:
- -t stands for type. The above command generates an RSA type keypair. RSA is the default type.
- -b stands for bits. By default, the key is 3072 bits long. We use a 4096-bit key for stronger security.
When asked which file to save the key in, you can simply press Enter to use the default file. Next, enter a good passphrase at least 20 characters long. The passphrase is used to encrypt the private key.
- The private key (Don’t share it with anyone) will be saved in the .ssh/id_rsa file under your home directory.
- The public key will be saved in the .ssh/id_rsa.pub file.
From the randomart image we can see the length of the key (RSA 4096). Now run the following command.
file ~/.ssh/id_rsa
You should see the following output:
/home/username/.ssh/id_rsa: OpenSSH private key
If you see the “No such file or directory” error, that means the SSH keypair wasn’t created. Run the ssh-keygen -t rsa -b 4096 command to create it again.
Step 2: Upload Your SSH Public Key to Remote Linux Server
Hint: The remote server can run any Linux distro (Debian, Ubuntu, RHEL, CentOS, whatever). As long as it runs OpenSSH server, you can use the following method.
This can be easily done with the ssh-copy-id command, which is shipped with the openssh-clients package.
ssh-copy-id remote-user@server-ip
Enter the remote user’s password.
The public key will be stored in the .ssh/authorized_keys file under the remote user’s home directory. Now SSH into the remote server.
ssh remote-user@server-ip
This time you need to enter your RSA key passphrase to unlock the private key. You can select automatic unlocking of the key when you log in so you don’t have to enter the passphrase in the future.
Once you enter the correct key passphrase, you are logged into the remote Linux server. Now exit from the remote server.
exit
And SSH into the remote server again:
ssh remote-user@server-ip
This time you are automatically logged into the remote server, even though you didn’t type a password or key passphrase. You also don’t have to type a password or key passphrase when using the scp command to transfer files. The scp command is shipped by the openssh-clients package, which is installed by default on CentOS/RHEL desktop.
Enforce SSH Public Key Authentication on the Remote Server
Although the SSH key is now used by default to log into your server, you can still use your password to log into the server on another computer. You don’t want hackers to launch brute force attacks against your server, so it’s a good practice to disable password authentication in OpenSSH server.
To disable password authentication, edit the /etc/ssh/sshd_config file on the remote server.
sudo nano /etc/ssh/sshd_config
Find this line:
#PasswordAuthentication yes
Change it to:
PasswordAuthentication no
Then find the ChallengeResponseAuthentication line. Make sure its value is set to no like below. If it’s set to yes, you can still use a password to log in.
ChallengeResponseAuthentication no
Save the file and restart SSH service.
sudo systemctl restart sshd
Now if you don’t have the corresponding private key in the ~/.ssh directory, you will see the following error when you try to SSH into your remote server.
Permission denied (publickey).
That means the remote server only allows SSH login using SSH keys and does not allow password authentication. Note that if you set PasswordAuthentication to no and ChallengeResponseAuthentication to yes, then you can still log in using a password. To disable password login, both of them must be set to no.
Backing up Your Public/Private Keypair
Once you disable SSH password authentication, it is very important to back up your SSH keys. If you lose the keys you will be locked out of your server. Back up your public/private keypair to a safe location such as your USB drive.
cp ~/.ssh/id_rsa* /path/to/safe/location/
You can copy the key pair to a new Linux computer and SSH into your server using SSH keys. Once you have copied the key pair to the new computer, move them to the .ssh/ directory of the new user.
mv id_rsa* ~/.ssh/
You need to change the owner of the key pair to the user on the new computer.
sudo chown new-user:new-user ~/.ssh/id_rsa*
Now you can use SSH keys to log into remote server on the new computer.
You can also store your key pair in a folder, then compress the folder with encryption and send it to cloud storage like NextCloud.
Allow Password Authentication From Trusted IP Addresses
You may want to allow password authentication from your own IP addresses, so if the SSH key gets lost, you can still log into your server via SSH.
Hint: If you don’t have a static IP address, you can set up a self-hosted VPN server in a data center.
Open the SSH daemon config file on the remote server.
sudo nano /etc/ssh/sshd_config
Add the following lines at the bottom of the file. Replace 10.0.0.2 with your own IP address.
Match Address 10.0.0.2
PasswordAuthentication yes
If the client is connecting from 192.168.0.2, then password authentication is allowed. You can add multiple IP addresses, separated by commas.
Match Address 10.0.0.2,10.0.0.3
PasswordAuthentication yes
Or use CIDR notation like so:
Match Address 10.0.0.0/24
PasswordAuthentication yes
Save and close the file. Restart OpenSSH server.
sudo systemctl restart sshd
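To see how sshd combines the settings from this section and the previous one (the “both must be no” rule and the Match Address override), here is an added Python example that is not part of the original tutorial. It evaluates a constructed sshd_config for a given client address the way sshd does: global options first, then the first matching Match Address block overriding them per option. Only the Match Address criterion and plain/CIDR addresses are modelled, and a space-separated address list is rejected because sshd refuses it too.

```python
import ipaddress

# Constructed sample in the shape this tutorial produces: password login off
# globally, re-enabled only for a trusted subnet via a Match Address block.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication no

Match Address 10.0.0.0/24
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global_opts, blocks); a block is (networks, opts). Only the
    'Match Address' criterion is modelled; option names are case-insensitive."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit, _, arg = value.partition(" ")
            if crit.lower() != "address":
                raise ValueError("unsupported Match criterion: " + crit)
            # sshd wants a comma-separated list; "10.0.0.2 10.0.0.3" is a syntax error.
            nets = [ipaddress.ip_network(a.strip(), strict=False) for a in arg.split(",")]
            current = (nets, {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value.lower())  # first value wins globally
        else:
            current[1].setdefault(key, value.lower())
    return global_opts, blocks

def password_login_allowed(text, client_ip):
    """True if a client at client_ip could still be offered a password prompt."""
    global_opts, blocks = parse_sshd_config(text)
    ip = ipaddress.ip_address(client_ip)
    overrides = {}
    for nets, opts in blocks:
        if any(ip in net for net in nets):
            for key, val in opts.items():
                overrides.setdefault(key, val)  # first matching block wins per option
    effective = {**global_opts, **overrides}
    # Both default to yes and either alone gives a password prompt, hence "both must be no".
    password = effective.get("passwordauthentication", "yes") == "yes"
    challenge = effective.get("challengeresponseauthentication", "yes") == "yes"
    return password or challenge
```

On a real server, sudo sshd -t checks the file for syntax errors before you restart the service (a broken Match line would otherwise stop sshd from starting), and sudo sshd -T -C addr=10.0.0.2 prints the effective options for a client connecting from that address.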
Changing Private Key Passphrase
If you ever need to change your private key passphrase, you can do so with this command:
ssh-keygen -f ~/.ssh/id_rsa -p
Enter your old passphrase and then enter a new passphrase.
Wrapping Up
I hope this tutorial helped you to set up SSH public key authentication on a CentOS/RHEL desktop. You may also want to read: