Revision of Public Key Authentication for SSH Made Easy from Wed, 02/20/2008 - 19:01

Public Key AuthenticationInstead of logging in to SSH using a traditional password, you can also authenticate yourself without a password using a technique called public key authentication. This has more advantages than you would expect: as well as being convenient and more secure, you could use it to allow applications on your computer to access a remote system without knowing anything about the authentication, and mount SSH filesystems without being prompted.

How does public key cryptography work? Two keys are generated on the client computer: the public key and the private key. What makes the two keys special is that a message encrypted with one can only be decrypted with the other.

You give your public key to the server, which stores it in a list. Your private key stays hidden. When you attempt to log in, the server encrypts a message with your public key and sends it to you. Only your matching private key can decrypt the message. Your computer proves to the server that it has successfully decrypted the message. The server then logs you in.

Public key authentication for SSH has many security advantages: a password is never transmitted in any form over the network, the key needed to decrypt the server’s message is much harder to guess compared to a password because it is much longer, and the server does not need to store your private key to know you have it.

Got all that? Now that you understand how it works, let’s set up public key authentication on Ubuntu or another Debian-based distribution.

First, you need to generate the key pair on the client system unless you already have. You can find if you have a key pair by checking for for these two files:
~/.ssh/id_rsa (your private key)
~/.ssh/id_rsa.pub (your public key)

If you don’t have them (you will be warned if you do), generate a new key pair on your local computer (run this as your normal user):
ssh-keygen -t rsa

You will be asked two questions. Press enter to accept the default location for the keys. Then you will be asked for a passphrase. If you choose to use a passphrase, then you will be required to enter it whenever you use the private key. If you are doing this for extra security, you will want one. If you want convenience, leave it blank.

Now you are ready to tell the server your public key. There is a utility that does this for you called ssh-copy-id. You’ll need to specify the user, host, and any other details that are needed to log in via SSH.
ssh-copy-id -i ~/.ssh/id_rsa.pub username@remotehost

Once the SSH server has the key, you should be able to log in without your password! If it didn’t work, you may need to make a configuration change.

SSH in to the server, and open the SSH server configuration file:
sudo nano /etc/ssh/sshd_config

If the server didn’t let you in using your key, find the PubkeyAuthentication line and change it to yes.

If you’re sure that the key is working, you can turn off password authentication now. Just don’t lock yourself out! Find the PasswordAuthentication line and change it to no.

Restart the SSH server on the remote system to make your changes take effect:
sudo /etc/init.d/ssh restart

Enjoy the convenience and security!