WittCode💻

How to Set Up SSH Key Based Authentication with Ubuntu Server

Learn how to set up SSH key based authentication with an Ubuntu server. We will also go over why SSH key authentication is more secure than password authentication, how to disable password authentication, and how to manage keys with an SSH agent.

SSH Key vs Passwords

Both SSH keys and passwords have their pros and cons, but the cons of passwords are more severe. Passwords are susceptible to brute force attacks, are often reused across different applications, and are not as long and complex as SSH keys. The cons of SSH keys are that they don't have an expiration date and sit on disk; however, they can be passphrase protected and rotated. Furthermore, a password is sent to the server, while the private SSH key never leaves the local computer.

Generating SSH Keys

SSH keys use public key cryptography, also known as asymmetric cryptography, which uses two keys: a public key and a private key. The private key is kept secret on the local computer while the public key is placed on the server. Therefore, to get SSH key authentication to work, we need to generate a public and private key pair. We can do that with the ssh-keygen command.

ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/<YOUR_USER>/.ssh/id_ed25519): <YOUR_FILE_NAME>
Enter passphrase (empty for no passphrase): <YOUR_PASSPHRASE>
Enter same passphrase again: <YOUR_PASSPHRASE>
Your identification has been saved in <YOUR_FILE_NAME>
Your public key has been saved in <YOUR_FILE_NAME>.pub
The key fingerprint is:
<YOUR_FINGERPRINT> <YOUR_PC>
The key's randomart image is:
<YOUR_IMAGE>

  • ssh-keygen - Tool for creating SSH keys.
  • -t - Specifies the algorithm used to generate the keys. Here, ed25519 is used.

INFO: ed25519 is a relatively new algorithm that is faster than existing digital signature algorithms without sacrificing security.

Running this command will ask us for a place to store the keys. A common place is inside the ~/.ssh directory. We can also provide a passphrase to protect the private key. If the command is successful, it will create a public and private key within the specified directory. The public key will have a .pub extension. Now we need to copy the public key to the server.

Copy the Public Key to the Server

To copy the public key to the server we can use the ssh-copy-id command. This command will use the SSH protocol to connect to the remote server and upload the public key.

ssh-copy-id -i <PATH_TO_PUBLIC_KEY> user@host
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "<YOUR_PUBLIC_KEY_PATH>"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@host's password:

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'user@host'"
and check to make sure that only the key(s) you wanted were added.

INFO: Remember to only copy the public key to the server!

Specifically, this command logs into the server as the given user, copies the public key to the server, and appends it to that user's ~/.ssh/authorized_keys file.

cat ~/.ssh/authorized_keys
<YOUR_PUBLIC_KEY>

The authorized_keys file specifies the SSH keys that can be used for logging into the user account on the server.
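A stray private key or a wrong file mode on authorized_keys are easy mistakes to make, so it is worth checking the file before relying on it. The following is an added example, not code from the original post; it assumes a POSIX shell and the function name check_authorized_keys is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an authorized_keys
# file. It flags lines that are not public keys, private key material pasted
# in by mistake, and a file mode that sshd (StrictModes, the default) refuses.
# check_authorized_keys FILE returns 0 when the file is clean, 1 otherwise.
check_authorized_keys() {
    file=$1
    status=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    # sshd ignores the file when group or others can write to it.
    case $(ls -ld "$file") in
        ?????w????*|????????w?*)
            echo "$file is group- or world-writable; use chmod 600"
            status=1 ;;
    esac
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;                 # blank line or comment
            *'PRIVATE KEY'*)
                echo "line $lineno: private key material, remove it"
                status=1; continue ;;
        esac
        # A key line is "[options] TYPE BASE64 [comment]"; the type token may
        # come after options such as from="..." or no-pty, so scan the tokens.
        ok=0
        for tok in $line; do
            case $tok in
                ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
                    ok=1; break ;;
                ssh-dss)
                    echo "line $lineno: ssh-dss keys are disabled in modern OpenSSH"
                    status=1; ok=1; break ;;
            esac
        done
        [ "$ok" -eq 1 ] || { echo "line $lineno: not a recognised public key line"; status=1; }
    done < "$file"
    return $status
}
```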

Editing the Server SSH Configuration

Now we need to edit the SSH configuration of the server to allow public key authentication. We can do this by opening the SSH configuration file located at /etc/ssh/sshd_config.

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

INFO: The OpenSSH server process, sshd, reads configuration data from /etc/ssh/sshd_config.

Note that these options will most likely already be there, simply commented out. AuthorizedKeysFile is taken relative to each user's home directory (sshd does not expand ~), so the value above points at the file ssh-copy-id wrote. We can also disable password authentication by setting PasswordAuthentication to no.

PasswordAuthentication no

Now simply restart the SSH service. Keep the current session open and confirm from a second terminal that key login works before closing it, since a mistake in the configuration can otherwise lock you out.

sudo service ssh restart
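The configuration steps above, as an added example that is not part of the original post: a script that sets the three options in the global section of sshd_config (handling the commented-out defaults and any Match blocks), checks the result with sshd -t and sshd -T, and only then restarts. The function names and the backup path are assumptions; the sshd flags are standard OpenSSH.

```shell
#!/bin/sh
# Added example (not from the original post): put the three settings described
# above into the global section of an sshd_config and verify the result.
# Assumes a POSIX awk and, for the live check, the OpenSSH sshd binary.
# set_sshd_option FILE KEY VALUE: replaces the first global line for KEY (active
# or commented out with "#"), else inserts "KEY VALUE" before the first Match
# block (options after a Match line apply only to that block), else appends it.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            commented = sub(/^[ \t]*#[ \t]*/, "", line)  # 1 if a "#" was stripped
            sub(/^[ \t]*/, "", line)
            split(line, f, /[ \t=]+/)                    # keyword is the first token
            first = tolower(f[1])
        }
        !inmatch && !done && first == tolower(key) { print key " " value; done = 1; next }
        !inmatch && !commented && first == "match" { inmatch = 1; if (!done) { print key " " value; done = 1 } }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the mode and owner
    rm -f "$tmp"
}

# harden_sshd [FILE]: AuthorizedKeysFile is relative to each user's home
# directory; sshd does not expand "~".
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$cfg" PubkeyAuthentication yes &&
    set_sshd_option "$cfg" AuthorizedKeysFile .ssh/authorized_keys &&
    set_sshd_option "$cfg" PasswordAuthentication no
}

# apply_and_restart: run as root on the server, keeping a second SSH session
# open until a key-based login has been confirmed from another terminal.
apply_and_restart() {
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak || return 1
    harden_sshd /etc/ssh/sshd_config || return 1
    # Never restart into a config sshd would refuse to load.
    sshd -t || { cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1; }
    # Ubuntu 22.04+ Includes /etc/ssh/sshd_config.d/*.conf before the main
    # file's own lines and sshd keeps the first value it reads, so a drop-in
    # there (cloud images often ship one) can keep passwords enabled. Check the
    # effective value; sshd -T prints keywords in lower case.
    sshd -T | grep -q '^passwordauthentication no' ||
        { echo "a drop-in in /etc/ssh/sshd_config.d still enables passwords"; return 1; }
    service ssh restart
}
```

Run harden_sshd on a copy first to see the edit; apply_and_restart is the only function that touches the live server.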

Adding Private Key to SSH Agent on Local Computer

Next we need to add the private key to our SSH agent back on our local computer using the ssh-add command.

ssh-add ~/.ssh/<YOUR_PRIVATE_KEY>
Enter passphrase for /Users/<YOUR_USER>/.ssh/<YOUR_PRIVATE_KEY>: 
Identity added: /Users/<YOUR_USER>/.ssh/<YOUR_PRIVATE_KEY> (<YOUR_COMPUTER>)

The ssh-add command adds private key identities from the ~/.ssh directory to the authentication agent, ssh-agent. An SSH agent is a key manager that holds decrypted private keys in memory, so the passphrase only has to be entered once per session rather than on every connection. We can list the fingerprints of all identities held by the agent with the following command.

ssh-add -l
<IDENTITIES>

Testing the Connection

Now when we log into the server we shouldn't need to provide any password.

ssh user@host

If password authentication is disabled, a login attempt that does not present an accepted key (and so would have fallen back to a password) fails with an error like the following.

ssh user@host
user@host: Permission denied (publickey).