Set up public and private key
In this article we explain how to set up SSH login on a Linux server using a public and private key.
By default, a Linux server is set up with an SSH login that uses a username and password. For more security, you can use an authentication method based on key pairs. Compared with username/password authentication, this method has several advantages:
- Fully automatic login (no need for passphrases)
- Since a key pair is used for the login, getting hacked by a brute-force attack becomes impossible. However, the password login method must be deactivated.
- You can create a private key for every user and activate it on the Server.
Step 1: Generating a key pair
The required key pair can easily be generated in the shell with the simple command ssh-keygen.
Without any further specifications this will generate a key pair using the RSA algorithm with a length of 2048 bit.
- rsa: The RSA encryption method is a widely used encryption method, because it's very safe. It is one of the asymmetrical encryption methods. The keys have a length of 2048 or, even better, 4096 bits.
With the option -t you can define which algorithm is to be used and with -b define the length of the key.
ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519
Step 2: Creating the Key and the Passphrase
There are a few questions that you need to answer after the command has been entered.
Enter file in which to save the key (/root/.ssh/id_rsa):
Press enter if the file shouldn’t be changed.
Enter passphrase (empty for no passphrase) :
Enter same passphrase again :
Decide whether you want to use a passphrase or not. Using a passphrase increases the security provided by the key: if the key should fall into the wrong hands, one would still need the passphrase. The drawback is that the passphrase must be entered every time the key pair is used.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
The key has been generated and has been saved in the defined file.
Step 3: Removing the Private key from the server
The private key has been saved in .ssh/id_rsa. We recommend you remove this file from the server and back it up in a safe place.
Step 4: Depositing the Public key for the Login
To make a login with a private key possible, you have to deposit the public key in the file "authorized_keys" in the sub-directory ".ssh" of your home directory. You can deposit multiple public keys in this file to enable logins for multiple users.
The public key can be found in the directory /root/.ssh/ in the file id_rsa.pub.
The file must be renamed.
# mv id_rsa.pub authorized_keys
Now the permissions must be edited.
# chmod -R 0700 ~/.ssh
Step 5: Test the Login
Test the login with the private key. If it doesn’t work, then an error has occurred during the installation. Do you need assistance? Then please contact our Support.
Step 6: Deactivating the password login
After a successful ssh login with the key you can increase security by removing the SSH login with username/password.
Open the SSH config file:
# sudo nano /etc/ssh/sshd_config
Look for the line with PasswordAuthentication yes and change it to PasswordAuthentication no, to disable username/password logins.
To activate these changes, enter the command:
# restart ssh
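A check for the edit in Step 6, as an added example that is not part of the original article: it reports which PasswordAuthentication value takes effect in a config file, since a commented-out line or an earlier "yes" line leaves password login enabled. The function names and the sample file are constructed for illustration; on a live server, sshd -T prints the effective settings, including any Include files.

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd uses the FIRST value it reads for a keyword, matches keywords
# case-insensitively and defaults PasswordAuthentication to "yes".
# Limitations (assumptions of this sketch): Include files and Match
# blocks are not evaluated; only the global section of one file is read.

effective_password_auth() {   # $1 = path to an sshd_config-style file
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/ { next }                 # comments, blank lines
        {
            key = tolower($1)
            if (key == "match") exit          # global section ends here
            if (key == "passwordauthentication") {
                print tolower($2); found = 1; exit
            }
        }
        END { if (!found) print "yes" }       # sshd default
    ' "$1"
}

password_login_disabled() {   # exit status 0 only if the effective value is "no"
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Constructed sample: the edit was made, but an earlier line still wins.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# PasswordAuthentication no
passwordauthentication yes
PasswordAuthentication no
EOF
if password_login_disabled "$demo_conf"; then
    echo "password login disabled"
else
    echo "password login still enabled: $(effective_password_auth "$demo_conf")"
fi
rm -f "$demo_conf"
```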
Login with PuTTY
In the SSH client "PuTTY", a private key can be selected before attempting to connect.
To do so choose your private key in "Connection", "SSH", "Auth". After that you can make the connection as usual. If you have secured your key with a passphrase you will have to enter it each time the connection is established.
Generate key on local computer for the server
The key pair can be generated on a local Linux computer as well. The procedure is the same as described above. However, in this case, the key must be copied and activated on the server. Step 3 can be skipped. You can instead copy the key on the server