#152 Linux  07.01.2008

Replace SSH login with public key authentication


SSH public key authentication is both more secure and more convenient than the normal login with user name and password. This article explains how to set up public key authentication and how to disable the normal login. The principle is a key pair: a public key on the server and a secret private key on the client machine. Instead of a user name and password, the user authenticates with the private key.

The first step is to generate this key pair. You will be asked for a passphrase to protect the private key. The following command creates the key pair (wwwkey_rsa and wwwkey_rsa.pub) in .ssh in the user's home directory.
ssh-keygen -t rsa -f ~/.ssh/wwwkey_rsa

The public key must be copied to the server in a secure way, with scp for example.
scp wwwkey_rsa.pub user1@servername:/home/user1

Now it's time to do some configuration on the server. First we append the content of the public key to the file /home/user1/.ssh/authorized_keys. If .ssh/ or authorized_keys don't exist we create them, and we set the permissions while we are at it: sshd refuses keys from a directory or file that other users can write to.
cd /home/user1
mkdir -p .ssh && chmod 700 .ssh
touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
cat ./wwwkey_rsa.pub >> .ssh/authorized_keys
rm ./wwwkey_rsa.pub

SSH must be configured so that it uses public key authentication and does not allow normal logins.
vi /etc/ssh/sshd_config
Make sure that the following lines are present.
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no
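As an added example (not from the original post), the two server-side steps above as small POSIX shell functions: install_pubkey appends a public key to authorized_keys only if that key is not already there and sets the permissions sshd requires, and check_sshd_config reports which of the settings listed above are missing or set differently. Function names and the file paths they take are my own.

```shell
#!/bin/sh
# Added example, not the original post's commands. install_pubkey adds a public
# key to HOME/.ssh/authorized_keys without overwriting keys that are already
# there (a plain "cat key > authorized_keys" would) and sets the permissions
# sshd insists on. check_sshd_config verifies the sshd_config settings above.

# install_pubkey PUBKEY_FILE HOME_DIR
install_pubkey() {
    pub="$1"; sshdir="$2/.ssh"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$auth" ] || touch "$auth"
    chmod 600 "$auth"
    # Compare on the key material (second field) so a different comment
    # does not cause the same key to be installed twice.
    keydata=$(awk '{print $2}' "$pub")
    [ -n "$keydata" ] || return 1
    if awk '{print $2}' "$auth" | grep -qxF -- "$keydata"; then
        return 0                      # already installed, nothing to do
    fi
    cat "$pub" >> "$auth"
}

# check_sshd_config CONFIG_FILE
# sshd uses the first uncommented occurrence of a keyword, so that is the
# value we compare. Prints each mismatch; returns 1 if there is any.
check_sshd_config() {
    cfg="$1"; rc=0
    for want in "PermitRootLogin no" "PubkeyAuthentication yes" \
                "PasswordAuthentication no" "PermitEmptyPasswords no"; do
        kw=${want%% *}; val=${want#* }
        got=$(awk -v k="$kw" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ "$got" != "$val" ]; then
            echo "$kw: want '$val', have '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}
```

Run check_sshd_config against /etc/ssh/sshd_config before restarting the daemon; a non-zero exit means one of the required lines is missing or overridden by an earlier occurrence.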

Then restart the SSH daemon to activate the new settings.
/etc/init.d/sshd restart

To make sure everything works as expected we first test that the normal login is disabled.
ssh user1@servername
Permission denied (publickey,keyboard-interactive).

Ok, so login with user name and password is no longer possible. Next we try to log in with the private key.
ssh -i ~/.ssh/wwwkey_rsa user1@servername
You will be asked for the passphrase of the private key, and as soon as you have entered it you find yourself in an SSH session on the server.


To make it a bit more convenient you can use ssh-agent to cache the private key. The result is that you don't have to reenter the passphrase of the private key for every login.
eval `ssh-agent`
It must be started with eval so that the output of ssh-agent is evaluated. Otherwise ssh-agent just prints some environment variables and their values to stdout; with eval these variables are set and exported in the current shell, not just printed.

Next we add the private key to the ssh-agent. The passphrase is needed one more time.
ssh-add ~/.ssh/wwwkey_rsa

From now on the following command lets you log into the server without typing the passphrase.
ssh user1@servername


Note that the private key is cached only for the current console session on the client machine. If you open another console or close this one, you have to start ssh-agent and add the private key again. If you want ssh-agent to be started automatically, add this line to ~/.bash_profile:
eval `ssh-agent`