Instead of logging in to SSH using a traditional password, you can also authenticate yourself without a password using a technique called public key authentication. This has more advantages than you would expect: as well as being convenient and more secure, you could use it to allow applications on your computer to access a remote system without knowing anything about the authentication, and mount SSH filesystems without being prompted.
How does public key cryptography work? Two keys are generated on the client computer: the public key and the private key. What makes the two keys special is that a message encrypted with one can only be decrypted with the other.
You give your public key to the server, which stores it in a list. Your private key stays hidden. When you attempt to log in, the server encrypts a message with your public key and sends it to you. Only your matching private key can decrypt the message. Your computer proves to the server that it has successfully decrypted the message. The server then logs you in.
Public key authentication for SSH has many security advantages: a password is never transmitted in any form over the network, the key needed to decrypt the server’s message is much harder to guess compared to a password because it is much longer, and the server does not need to store your private key to know you have it.
Got all that? Now that you understand how it works, let’s set up public key authentication on Ubuntu or another Debian-based distribution.
First, you need to generate the key pair on the client system unless you already have. You can find if you have a key pair by checking for for these two files:
(your private key)
(your public key)
If you don’t have them (you will be warned if you do), generate a new key pair on your local computer (run this as your normal user):
ssh-keygen -t rsa
You will be asked two questions. Press enter to accept the default location for the keys. Then you will be asked for a passphrase. If you choose to use a passphrase, then you will be required to enter it whenever you use the private key. If you are doing this for extra security, you will want one. If you want convenience, leave it blank.
Now you are ready to tell the server your public key. There is a utility that
does this for you called
ssh-copy-id. You’ll need to specify the user, host,
and any other details that are needed to log in via SSH.
ssh-copy-id -i ~/.ssh/id_rsa.pub username@remotehost
Once the SSH server has the key, you should be able to log in without your password! If it didn’t work, you may need to make a configuration change.
SSH in to the server, and open the SSH server configuration file:
sudo nano /etc/ssh/sshd_config
If the server didn’t let you in using your key, find the
line and change it to
If you’re sure that the key is working, you can turn off password authentication
now. Just don’t lock yourself out! Find the
PasswordAuthentication line and
change it to
Restart the SSH server on the remote system to make your changes take effect:
sudo /etc/init.d/ssh restart
Enjoy the convenience and security!